1. 19
    The pitfalls of using ssh-agent, or how to use an agent safely practices security rabexc.org
    fcbsd avatar via fcbsd 1 year ago | cached | 4 comments

  1.  

  2. 12
    Flisk avatar Flisk 1 year ago | link

    The problem of handling many keys for different hosts/security domains can be solved elegantly in your ~/.ssh/config:

    IdentitiesOnly yes

Host aur.archlinux.org
IdentityFile ~/.ssh/id_ed25519_aur
User aur

Host example.com
IdentityFile ~/.ssh/id_ed25519_example.com
User exampleuser

    In conjunction with IdentitiesOnly, IdentityFile will tell ssh to:

    […] only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh(1) command-line, even if ssh-agent(1) or a PKCS11Provider offers more identities.

    As seen in ssh_config(5).

    1. 8
      qbit avatar qbit 1 year ago | link 
      XLock.startCmd:     ssh-add -D; sudo -K
XLock.endCmd:       ssh-add

      The above ( from ~/.Xresources ) will clear your keys and sudo cached creds when xlock starts.

      1. 4
        rbn avatar rbn edited 1 year ago | link

        i’m not sure why one would load ssh-agent in the shells rc script, the proper place to have it loaded one time is .profile / .xinitrc.

        i have this around the end of my .xinitrc

        eval $(ssh-agent -s)
SSH_ASKPASS=/usr/libexec/ssh-askpass ssh-add
ck-launch-session dwm 2> /dev/null

        this works with kdm as display manager. i guess if you use kde/gnome/etc. they have facilities for this builtin.

        iirc, agent forwarding can selectively be enabled using configurations for the hosts, so it could be disabled globally.

        edit: for .profile usage the loading of ssh-agent should be wrapped in a if testing if its a terminal login shell:

        if [ $TERM == "linux" ]; then
    eval $(ssh-agent -s)
fi
        1. 3
          duncaen avatar duncaen 1 year ago | link

          I use AddKeysToAgent yes in my ssh_config to add the keys automatically to the agent after using the key.