Suggestions for adding and timing out ssh private keys?


Seth House

Dec 31, 2009, 4:39:15 PM
to Ogden Area Linux Users Group
The way I am currently using ssh-agent is by starting it when I start
a GNU screen session and manually adding my private key with ssh-add.
(This method has the side-benefit of also killing the agent when I
detach screen for added security.)

Lately I've been thinking that I should also add a default timeout
when starting the agent so that it forgets my private keys after a
certain period of disuse. Only, I don't like the default ssh-agent
workflow when trying to connect to a host if you don't already have
your key in the agent:

The new connection will ask you for your passphrase, alerting you that
your key isn't in the agent. At this point you can:

ctrl-c the new connection, add your key to the agent, and connect
again.
--or--
type in your passphrase to complete the connection without adding your
key to the agent, which doesn't help you for any subsequent
connections and you still have to add your key to the agent and type
in your passphrase a second time.

Ideally, I would like a flag on the ``ssh`` command to first run ssh-add,
only if the specified private key is not already in the agent,
then continue with the connection. (Or alternatively, I would like a
flag to ssh-add that won't prompt you for your passphrase if the key
is already in the agent.)

tl;dr: I'm interested in how others use ssh.

1. What is your workflow when using ssh public key authentication?
2. Do you use ssh-agent directly or something else like gnome-keychain?
3. Do you timeout your private keys after a period of disuse?
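One way to get the "add only if not already loaded, with a timeout" behaviour asked for above is a small wrapper script. This is an added example, not something from this thread: it assumes OpenSSH's ssh, ssh-add and ssh-keygen, and the variable names SSH_KEY and KEY_LIFETIME are the example's own, not OpenSSH options.

```sh
#!/bin/sh
# Hypothetical wrapper: add the private key to ssh-agent only if its
# fingerprint is not already listed, give it a lifetime with `ssh-add -t`
# so the agent forgets it after a period of disuse, then run ssh.
# Assumes OpenSSH's ssh, ssh-add and ssh-keygen; SSH_KEY and KEY_LIFETIME
# are example variable names, not OpenSSH options.

KEY_LIFETIME="${KEY_LIFETIME:-3600}"   # seconds before the agent drops the key

# Pure check: does LISTING (the text `ssh-add -l` prints) contain FP as the
# second field of any line?  Field 2 is the fingerprint in both the old
# MD5 colon-hex format and the newer SHA256: format, so either works.
fingerprint_in_listing() {
    fp="$1"; listing="$2"
    printf '%s\n' "$listing" |
        awk -v fp="$fp" '$2 == fp { found = 1 } END { exit !found }'
}

# Fingerprint of a key, read from its unencrypted public half.
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{ print $2 }'
}

# Add KEY to the agent unless it is already loaded.  `ssh-add -l` exits
# non-zero when the agent is empty or unreachable; treat both as "not loaded".
ensure_key_loaded() {
    key="$1"
    listing=$(ssh-add -l 2>/dev/null) || listing=""
    fp=$(key_fingerprint "$key.pub") || return 1
    fingerprint_in_listing "$fp" "$listing" && return 0
    ssh-add -t "$KEY_LIFETIME" "$key"
}

# sshw [ssh arguments...]: the key path comes from $SSH_KEY.
sshw() {
    ensure_key_loaded "${SSH_KEY:-$HOME/.ssh/id_rsa}" && ssh "$@"
}

# Constructed sample of `ssh-add -l` output, used only for an offline self-check.
SAMPLE_LISTING='2048 SHA256:AbCdEfConstructedFingerprint0000000000000000 /home/seth/.ssh/id_rsa (RSA)
256 SHA256:ZyXwConstructedSecondKey000000000000000000000 /home/seth/.ssh/id_ed25519 (ED25519)'
```

Source the file from your shell rc and call `sshw host` instead of `ssh host`; the passphrase is asked for at most once per KEY_LIFETIME.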

Aaron Toponce

Jan 1, 2010, 9:25:09 AM
to oa...@googlegroups.com
Seth House wrote:
> 1. What is your workflow when using ssh public key authentication?
> 2. Do you use ssh-agent directly or something else like gnome-keychain?
> 3. Do you timeout your private keys after a period of disuse?

I've gone back to GNOME, because I can have the keyring setup such that
when I login, it automatically adds my ssh key. I was trying to figure
this out in OpenBox, but I could never get it fully automated. I don't
time out my keys either. I'm never on any public machine where that
would be a worry.

--
. O . O . O . . O O . . . O .
. . O . O O O . O . O O . . O
O O O . O . . O O O O . O O O

Michael Heath

Jan 1, 2010, 12:00:12 PM
to oa...@googlegroups.com
On Thu, Dec 31, 2009 at 2:39 PM, Seth House <whit...@gmail.com> wrote:
> 1. What is your workflow when using ssh public key authentication?
> 2. Do you use ssh-agent directly or something else like gnome-keychain?
> 3. Do you timeout your private keys after a period of disuse?

My replies are basically the same as Aaron's; I've used gnome-keyring
for a while now and never looked back. That tool is unparalleled in
both its ease of use and flexibility.

For all of my generated keys, I keep the revocation certificates in a
lockbox, and don't worry about expirations. If my life ever took a
crazy conspiracy theory driven twist, I'd just revoke the certs on the
keyservers.

--
Michael Heath

Seth House

Jan 1, 2010, 12:14:53 PM
to Ogden Area Linux Users Group
On Jan 1, 7:25 am, Aaron Toponce <aaron.topo...@gmail.com> wrote:
> I've gone back to GNOME, because I can have the keyring setup such that
> when I login, it automatically adds my ssh key. I was trying to figure
> this out in OpenBox, but I could never get it fully automated.

I'm assuming you went back to GNOME for other reasons too, but were
you calling out to SSH_ASKPASS in the ~/.config/openbox/autostart.sh
file? Doing it in ~/.xinitrc can be a little tricky due to race conditions.

brandon

Jan 1, 2010, 1:24:02 PM
to oa...@googlegroups.com
Have you ever used gnome-keyring with smart cards? They use x509 certs
typically, but have an added layer with the pcscd. FC12 has pretty
decent smartcard support, but I haven't tried using gnome-keyring with it.
