How to safely start the ssh-agent from .bashrc
Updated on Tue, 2013-04-30 09:32 by testadmin. Originally created by jeromel on 2009-02-06 14:21.
Here is a quick addition to our .bashrc file which starts an ssh-agent once and loads the proper environment variables in the other terminals you subsequently open. This solution is valid for a single-user computer (see notes below):
GREP=/bin/grep
# PIDs of any running ssh-agent (empty string if none)
test=`/bin/ps -ef | $GREP ssh-agent | $GREP -v grep | /usr/bin/awk '{print $2}' | xargs`
if [ "$test" = "" ]; then
    # there is no agent running
    if [ -e "$HOME/agent.sh" ]; then
        # remove the old file
        /bin/rm -f $HOME/agent.sh
    fi;
    # start a new agent and save its variables (the "echo Agent pid" line is dropped)
    /usr/bin/ssh-agent | $GREP -v echo >&$HOME/agent.sh
fi;
# load SSH_AUTH_SOCK / SSH_AGENT_PID into this shell
test -e $HOME/agent.sh && source $HOME/agent.sh
alias kagent="kill -9 $SSH_AGENT_PID"
Tips
- Most trivial remark: the above is a sh script and it sources agent.sh, so please verify that ssh-agent outputs sh commands (and not csh commands). If your system's global default shell is bash or sh, this will be true.
- If you use this script, please use
% ssh-add -L
to check whether keys are already loaded, or load them with ssh-add. ssh-add cannot be automated in .bashrc since it prompts for your passphrase.
- Note that the file agent.sh resides in your home directory. If, on any terminal, ssh-add tells you
Could not open a connection to your authentication agent
then source agent.sh and try again.
- IMPORTANT
Starting an agent automatically in this manner implies that ANYONE with access to your machine or laptop could access your remote accounts without having to type a password. You MUST understand this includes automated commands executed on your behalf. To minimize this risk, consider the following:
- Be careful about using an agent on a node other than a personal laptop or computer. If multiple people have access to the machine, consider it a NO start. The ps command in our example would not work there anyhow (it matches every user's agent) and you would need to grep for $USER (LOGNAME or USERNAME), but more importantly, it is NOT a good idea to start an agent automatically like this.
- If you do start an agent, load your keys only when needed. You may remove all keys from the agent by using the
% ssh-add -D
command. You may also kill the agent (which has the same effect).
- The command kagent defined above kills the agent detached via this method. Ideally, you would extract the first part of the example script into a separate script and define an alias to execute it, instead of full automation.
- To make the -A option (and/or -X) implicit when using ssh, consult Caveats, issues, special cases and possible problems for further information on tweaking your client-side $HOME/.ssh/config.
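As an added example (not jeromel's original script), here is a variant of the same idea that addresses the tips above without scanning the process table: instead of ps | grep ssh-agent, it asks the agent directly with ssh-add -l (exit status 2 means no agent is reachable, 1 means an empty agent, 0 means keys are loaded), so another user's agent on a shared machine can never be mistaken for yours; it forces sh-style output with ssh-agent -s; it writes the state file with mode 0600 under ~/.ssh; and it replaces the kill -9 alias with ssh-agent -k. It assumes bash and OpenSSH; the file path ~/.ssh/agent.env and the function names are this example's own choices.

```shell
#!/bin/bash
# Added example, not the original post's script. Assumes bash and OpenSSH
# (ssh-agent, ssh-add). The state file path and the function names below are
# this example's own choices.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Map the exit status of `ssh-add -l` to a state: 0 = keys loaded,
# 1 = agent reachable but empty, anything else (2, or 127 if ssh-add is
# missing) = no usable agent. Takes the status as an argument so the
# decision can be exercised without a live agent.
agent_state() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Keep only the two variable assignments from `ssh-agent -s` output and drop
# the "echo Agent pid" line (what the original script's grep -v echo does).
filter_agent_output() {
    grep -E '^SSH_(AUTH_SOCK|AGENT_PID)='
}

# Reuse the agent recorded in AGENT_ENV if it still answers; otherwise start a
# new one and save its variables with mode 0600. Returns 0 when an agent is
# reachable afterwards. No ps/grep, so another user's agent never matches.
ensure_agent() {
    local state
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV"
    ssh-add -l >/dev/null 2>&1
    state=$(agent_state $?)
    if [ "$state" = unreachable ]; then
        ( umask 077
          mkdir -p "$(dirname "$AGENT_ENV")"
          ssh-agent -s | filter_agent_output > "$AGENT_ENV" )   # -s forces sh syntax
        . "$AGENT_ENV"
        ssh-add -l >/dev/null 2>&1
        state=$(agent_state $?)
    fi
    [ "$state" != unreachable ]
}

# Kill the agent this shell points at (SSH_AGENT_PID) and forget it, so the
# next shell starts a fresh one. Replaces the kill -9 alias.
kagent() {
    ssh-agent -k >/dev/null 2>&1
    rm -f "$AGENT_ENV"
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

# Usage in ~/.bashrc (assuming this file is saved as ~/bin/agent.sh):
#     . ~/bin/agent.sh && ensure_agent
# Keys are still loaded by hand with `ssh-add`, which prompts for the
# passphrase and therefore cannot be automated, exactly as the tips say.
```

Because ensure_agent checks the socket rather than a process name, it also recovers from a stale agent.env left behind after a reboot: the old socket no longer answers, ssh-add -l returns 2, and a new agent is started and recorded.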
Please let me know if this script causes problems, and send your suggestions for improvement.
Note also that recent Cygwin distributions have a problem with ssh-agent, as described in ssh-add / ssh-agent issue. If this is the case for you, the above example will not work.