Lately I've been thinking that I should also add a default timeout
when starting the agent so that it forgets my private keys after a
certain period of disuse. Only, I don't like the default ssh-agent
workflow when trying to connect to a host if you don't already have
your key in the agent:
The new connection will ask you for your passphrase, alerting you that
your key isn't in the agent. At this point you can:
ctrl-c the new connection, add your key to the agent, and connect
again.
--or--
type in your passphrase to complete the connection without adding your
key to the agent, which doesn't help you for any subsequent
connections and you still have to add your key to the agent and type
in your passphrase a second time.
Ideally, I would like a flag on the ``ssh`` command to first run
ssh-add, only if the specified private key is not already in the agent,
then continue with the connection. (Or alternatively, I would like a
flag to ssh-add that won't prompt you for your passphrase if the key
is already in the agent.)
tl;dr: I'm interested in how others use ssh.
1. What is your workflow when using ssh public key authentication?
2. Do you use ssh-agent directly or something else like
gnome-keychain?
3. Do you timeout your private keys after a period of disuse?
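One way to get the "add the key only if it is missing, and let it expire" behaviour asked for above, as an added example that is not part of the original thread or of OpenSSH itself: a small POSIX sh wrapper around OpenSSH's ssh-add and ssh-keygen. It assumes an agent reachable through SSH_AUTH_SOCK, and that `ssh-add -l` and `ssh-keygen -lf` print fingerprints with the same default hash (true when both come from the same OpenSSH release). The function names and the AGENT_KEY_LIFETIME variable are this example's own inventions, not OpenSSH options.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSH code): load a key into
# ssh-agent only when its fingerprint is not already listed, give it a
# lifetime, then run ssh. Assumes OpenSSH's ssh-add / ssh-keygen and an agent
# reachable via SSH_AUTH_SOCK. Function names and AGENT_KEY_LIFETIME are
# this example's own inventions.

# Is fingerprint $1 present in an `ssh-add -l` listing passed as $2?
# Each listing line is "<bits> <fingerprint> <comment> (<type>)", so the
# fingerprint is field 2; an exact field compare avoids prefix false matches.
fingerprint_listed() {
    printf '%s\n' "$2" | awk -v fp="$1" '$2 == fp { found = 1 } END { exit found ? 0 : 1 }'
}

# Fingerprint of key file $1 in the format `ssh-add -l` prints. The .pub half
# is preferred so an encrypted private key is never opened and no passphrase
# prompt appears just to compute the fingerprint.
key_fingerprint() {
    pub=$1.pub
    [ -r "$pub" ] || pub=$1
    ssh-keygen -lf "$pub" | awk '{ print $2 }'
}

# Add $1 to the agent unless it is already loaded. Newly added keys expire
# after AGENT_KEY_LIFETIME seconds (default one hour). ssh-add -t counts from
# load time, not last use, so this is a fixed lifetime rather than an idle
# timeout. Exit status: 0 loaded or already present, 1 key problem, 2 no agent.
ensure_key_loaded() {
    keyfile=$1
    lifetime=${AGENT_KEY_LIFETIME:-3600}
    listing=$(ssh-add -l 2>/dev/null)
    case $? in
        0) ;;                               # agent up and has identities
        1) listing="" ;;                    # agent up, no identities yet
        *) echo "ensure_key_loaded: no agent reachable (SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset})" >&2
           return 2 ;;
    esac
    fp=$(key_fingerprint "$keyfile")
    [ -n "$fp" ] || { echo "ensure_key_loaded: cannot fingerprint $keyfile" >&2; return 1; }
    if fingerprint_listed "$fp" "$listing"; then
        return 0                            # already loaded: no passphrase prompt
    fi
    ssh-add -t "$lifetime" "$keyfile"       # prompts for the passphrase exactly once
}

# ssh_with_key KEYFILE [ssh arguments...]
# Example: ssh_with_key ~/.ssh/id_ed25519 user@host
ssh_with_key() {
    keyfile=$1
    shift
    ensure_key_loaded "$keyfile" || return $?
    ssh -i "$keyfile" "$@"
}
```

Source this file from your shell rc and alias `ssh` to `ssh_with_key ~/.ssh/id_ed25519` if you want it on every connection. The fingerprint comparison is kept as a separate function on purpose: it is the only piece with logic worth testing, and it runs without an agent present.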
I've gone back to GNOME, because I can have the keyring setup such that
when I login, it automatically adds my ssh key. I was trying to figure
this out in OpenBox, but I could never get it fully automated. I don't
time out my keys either. I'm never on any public machine where that
would be a worry.
--
. O . O . O . . O O . . . O .
. . O . O O O . O . O O . . O
O O O . O . . O O O O . O O O
My replies are basically the same as Aaron's; I've used gnome-keyring
for a while now and never looked back. That tool is unparalleled in
both its ease of use and flexibility.
For all of my generated keys, I keep the revocation certificates in a
lockbox, and don't worry about expirations. If my life ever took a
crazy conspiracy theory driven twist, I'd just revoke the certs on the
keyservers.
--
Michael Heath
I'm assuming you went back to GNOME for other reasons too, but were
you calling out to SSH_ASKPASS in the ~/.config/openbox/autostart.sh
file? Doing it in ~/.xinitrc can be a little tricky due to race
conditions.
Have you ever used gnome-keyring with smart cards? They use x509 certs
typically, but have an added layer with the pcscd. FC12 has pretty
decent smartcard support, but I haven't tried using gnome-keyring with it.