1. 19

  2. 12

    The problem of handling many keys for different hosts/security domains can be solved elegantly in your ~/.ssh/config:

    IdentitiesOnly yes
    Host aur.archlinux.org
    IdentityFile ~/.ssh/id_ed25519_aur
    User aur
    Host example.com
    IdentityFile ~/.ssh/id_ed25519_example.com
    User exampleuser

    In conjunction with IdentitiesOnly, IdentityFile will tell ssh to:

    […] only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh(1) command-line, even if ssh-agent(1) or a PKCS11Provider offers more identities.

    As seen in ssh_config(5).

    1. 8
      XLock.startCmd:     ssh-add -D; sudo -K
      XLock.endCmd:       ssh-add

      The above ( from ~/.Xresources ) will clear your keys and sudo cached creds when xlock starts.

      1. 4

        i’m not sure why one would load ssh-agent in the shells rc script, the proper place to have it loaded one time is .profile / .xinitrc.

        i have this around the end of my .xinitrc

        eval $(ssh-agent -s)
        SSH_ASKPASS=/usr/libexec/ssh-askpass ssh-add
        ck-launch-session dwm 2> /dev/null

        this works with kdm as display manager. i guess if you use kde/gnome/etc. they have facilities for this builtin.

        iirc, agent forwarding can selectively be enabled using configurations for the hosts, so it could be disabled globally.

        edit: for .profile usage the loading of ssh-agent should be wrapped in a if testing if its a terminal login shell:

        if [ $TERM == "linux" ]; then
            eval $(ssh-agent -s)
        1. 3

          I use AddKeysToAgent yes in my ssh_config to add the keys automatically to the agent after using the key.