SSH client startup, environment variables

Post by hankivy » Aug 21st, '17, 18:35

I am looking for advice and knowledge about the ssh-agent, the related environment variables, and adding a key to the agent.
I may have missed something in the man pages, release notes, and errata, but I did read them.

I would like to run ssh-add when I log in. Where would you recommend I do it? :?:

I have good news and bad news.
The good news :) : KDE and Mageia 6 start ssh-agent for me, automatically.
Two of the three environment variables set for ssh are correct.
Also, the command ssh-add works fine.
The bad news :( : The third environment variable, SSH_ASKPASS, is wrong. The details are listed below.
I know where it is set. What do you recommend I set it to? :?:
Also, where and when are these environment variables set? :?:


DETAILS:

After logging in my ssh related environment variables look like the following:
Code:
[hank@HIvyTower ~]$ env | grep -i ssh
SSH_AGENT_PID=3003
SSH_AUTH_SOCK=/tmp/ssh-pd92Mo6EpoPL/agent.3002
SSH_ASKPASS=/usr/libexec/openssh/ssh-askpass
[hank@HIvyTower ~]$

The socket /tmp/ssh-pd92Mo6EpoPL/agent.3002 is only readable and writeable by myself.
Code:
[hank@HIvyTower ~]$ ls -ald ${SSH_AUTH_SOCK}
srw------- 1 hank hank 0 Aug 19 13:33 /tmp/ssh-pd92Mo6EpoPL/agent.3002=


The PID 3003 is up and running.
Code:
[hank@HIvyTower ~]$ ps -ef | grep 3003
hank      3003     1  0 13:33 ?        00:00:00 /usr/bin/ssh-agent -s
hank      8375  5653  0 23:45 pts/2    00:00:00 grep --color 3003
[hank@HIvyTower ~]$ ps -ef | grep 300[23]
hank      3003     1  0 13:33 ?        00:00:00 /usr/bin/ssh-agent -s


*** The PID and the socket are good. :)

The executable for ${SSH_ASKPASS} does not exist. :(

Code:
[hank@HIvyTower ~]$ ls -ald ${SSH_ASKPASS}
ls: cannot access '/usr/libexec/openssh/ssh-askpass': No such file or directory
[hank@HIvyTower ~]$ ls -ld /usr/libexec/openssh/ssh-askpass
ls: cannot access '/usr/libexec/openssh/ssh-askpass': No such file or directory
[hank@HIvyTower ~]$ cat /etc/profile.d/90ssh-askpass.sh
export SSH_ASKPASS=/usr/libexec/openssh/ssh-askpass
[hank@HIvyTower ~]$ cat /etc/profile.d/90ssh-askpass.csh
setenv SSH_ASKPASS /usr/libexec/openssh/ssh-askpass
[hank@HIvyTower ~]$


Here are all of the ssh-askpass-like files on my Mageia 6 system:
Code:
[hank@HIvyTower ~]$ sudo find / -name "*ssh*askpass*" -exec ls -ld {} \; 2>/dev/null | grep -v locale
-rw-r--r-- 1 root root 52 Apr  2 09:26 /etc/profile.d/90ssh-askpass.sh
-rw-r--r-- 1 root root 52 Apr  2 09:26 /etc/profile.d/90ssh-askpass.csh
lrwxrwxrwx 1 root root 20 Jul 12  2015 /etc/alternatives/ssh-askpass -> /usr/bin/ksshaskpass
lrwxrwxrwx 1 root root 20 Aug 18 18:57 /etc/alternatives/bssh-askpass -> /usr/bin/ksshaskpass
-rw-r--r-- 1 root root 51 Aug 18 18:57 /var/lib/rpm/alternatives/bssh-askpass
-rw-r--r-- 1 root root 58 Jul 12  2015 /var/lib/rpm/alternatives/ssh-askpass
lrwxrwxrwx 1 root root 29 Aug  9  2014 /usr/lib64/ssh/ssh-askpass -> /etc/alternatives/ssh-askpass
-rwxr-xr-x 1 root root 20016 May 26 12:06 /usr/bin/ksshaskpass
lrwxrwxrwx 1 root root 30 Aug 18 18:57 /usr/bin/ssh-askpass -> /etc/alternatives/bssh-askpass
-rwxr-xr-x 1 root root 2530992 Dec 18  2016 /usr/bin/qt4-ssh-askpass
-rw-r--r-- 1 root root 1020 May 26 12:06 /usr/share/man/man1/ksshaskpass.1.xz
[hank@HIvyTower ~]$
Last edited by doktor5000 on Aug 21st, '17, 18:56, edited 1 time in total.
Reason: added code tags
hankivy
 
Posts: 128
Joined: May 19th, '14, 20:36

Re: SSH client startup, environment variables

Post by doktor5000 » Aug 21st, '17, 19:10

For the question specifically about SSH_ASKPASS that sounds like https://bugs.mageia.org/show_bug.cgi?id=21031
You may want to check as root
Code:
alternatives --list ssh-askpass

and then check those symlinks, some may be broken. You can choose another default askpass program via
Code:
alternatives --config ssh-askpass


And usually ssh-agent is run by default and usually started by your desktop environment. What desktop do you use, or do you also want it to work without X?

What do you get back from
Code:
ssh-add -l
ssh-add -L

and how do you initiate your ssh connections, as you didn't mention that?

Totally apart from that, for that find command better use something like
Code:
sudo find / -iname "*ssh*askpass*" -ls 2>/dev/null | grep -v locale

for case-insensitive search and not spawning hundreds of subshells but just one fine command ;)
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 17659
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany
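
An added example, not part of either post: a check a profile script could run so that SSH_ASKPASS is exported only when it resolves to a real executable, with the paths shown in the thread as candidates. The function names are hypothetical, and rejecting group- or world-writable helpers is an extra hardening assumption, since the helper is handed the key passphrase.

```shell
# Added example; function names are hypothetical.
# Print the first candidate that is safe to use as SSH_ASKPASS.
usable_askpass() {
    for candidate in "$@"; do
        [ -n "$candidate" ] || continue
        # -f and -x follow symlinks, so a dangling alternatives link
        # (or a path that was never installed) is rejected here.
        [ -f "$candidate" ] && [ -x "$candidate" ] || continue
        # Assumption added here: skip helpers that group or others can
        # modify, because the helper is handed the key passphrase.
        loose=$(find -L "$candidate" -prune \
            \( -perm -020 -o -perm -002 \) 2>/dev/null)
        [ -z "$loose" ] || continue
        printf '%s\n' "$candidate"
        return 0
    done
    return 1
}

# Try the current value first, then the paths from the thread's output.
pick_askpass() {
    usable_askpass "${SSH_ASKPASS:-}" \
        /usr/libexec/openssh/ssh-askpass \
        /usr/bin/ssh-askpass \
        /usr/lib64/ssh/ssh-askpass \
        /usr/bin/ksshaskpass
}

if helper=$(pick_askpass); then
    export SSH_ASKPASS="$helper"
else
    # With no helper, ssh-add can still prompt when run from a terminal.
    unset SSH_ASKPASS
fi
```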

Re: SSH client startup, environment variables

Post by hankivy » Aug 22nd, '17, 21:08

The alternatives command and a review of the symbolic links say I should use /usr/bin/ksshaskpass.

The ssh-add commands say I start the session without any identities.
Code:
[hank@HIvyTower ~]$ ssh-add -l
The agent has no identities.
[hank@HIvyTower ~]$ ssh-add -L
The agent has no identities.


P.S. I use the KDE-ish Plasma. I just need it in an X environment.

Re: SSH client startup, environment variables

Post by doktor5000 » Aug 22nd, '17, 23:01

doktor5000 wrote:and how do you initiate your ssh connections, as you didn't mention that ?

Re: SSH client startup, environment variables

Post by hankivy » Aug 23rd, '17, 00:13

I start ssh by

Re: SSH client startup, environment variables

Post by doktor5000 » Aug 23rd, '17, 17:37

And you do have a private key with a passphrase?

You may want to read up on e.g. https://wiki.mageia.org/en/Packagers_ssh#SSH_Agent
You already have ssh-agent running, so you only need something that will load the identity: either you do it manually, or you use something like keychain.

Re: SSH client startup, environment variables

Post by hankivy » Aug 24th, '17, 02:27

I am embarrassed. :oops:

I added the following to my ~/.bash_profile, and forgot.

Code:
# Get the ssh agent started and let it tell us where it is.
eval '/usr/bin/ssh-agent -s' > ~/.ssh/agent-env.sh
# Secure the file, so only the user can read it.
chmod 600 ~/.ssh/agent-env.sh
# Learn where the agent is so all of my sub-processes will know.
. ~/.ssh/agent-env.sh > /dev/null
# The redirect to /dev/null gobbles up a message about the pid.


I started ssh-agent in my code.

I can run ssh-add any time, in any terminal window, or in the X environment.

I could call ssh-add in either .bash_profile, (System Settings, Workspace, Startup and Shutdown, Autostart), or manually in a terminal window. Any opinions? Pros vs. Cons? :?:

Re: SSH client startup, environment variables

Post by doktor5000 » Aug 24th, '17, 17:42

hankivy wrote:I started ssh-agent in my code.

I can run ssh-add any time, in any terminal window, or in the X environment.

I could call ssh-add in either .bash_profile, (System Settings, Workspace, Startup and Shutdown, Autostart), or manually in a terminal window. Any opinions? Pros vs. Cons? :?:


Well, that's not that easy to answer. You should read up on this, see e.g. http://rabexc.org/posts/pitfalls-of-ssh-agents
I would either recommend configuring the keys in ~/.ssh/config and not having an agent running if you do not need agent forwarding.

Or look into using keychain as mentioned in the wiki link above.
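
An added example, not part of the thread: a login-time routine that reuses the agent the desktop already started, starts one only when none is reachable, and loads keys only when the agent is empty, using the documented exit status of `ssh-add -l`. SSH_ADD and KEY_LIFETIME are hypothetical variables introduced here, and the key lifetime passed with `-t` is an added assumption rather than advice from the posts.

```shell
# Added example, not from the thread. SSH_ADD and KEY_LIFETIME are
# hypothetical variables introduced here; ssh-add and ssh-agent are the
# standard OpenSSH tools.
: "${SSH_ADD:=ssh-add}"

# Decide what a login script still has to do, from the exit status of
# `ssh-add -l`: 0 = identities loaded, 1 = agent reachable but empty,
# 2 = no agent reachable through SSH_AUTH_SOCK.
login_plan() {
    rc=0
    "$SSH_ADD" -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo nothing ;;
        1) echo add-keys ;;      # the state shown in the thread
        *) echo start-agent ;;   # 2, or ssh-add itself is missing
    esac
}

# Call this from ~/.bash_profile instead of starting an agent
# unconditionally on every login.
ssh_login_setup() {
    plan=$(login_plan)
    if [ "$plan" = start-agent ]; then
        # Only reached when the desktop did not provide an agent.
        eval "$(ssh-agent -s)" >/dev/null || return 1
        plan=add-keys
    fi
    if [ "$plan" = add-keys ]; then
        # Prompt only with a terminal attached, or under X with an
        # askpass helper that actually exists.
        if [ -t 0 ] || { [ -n "${DISPLAY:-}" ] && [ -x "${SSH_ASKPASS:-}" ]; }; then
            # -t limits how long the agent keeps the decrypted key.
            "$SSH_ADD" -t "${KEY_LIFETIME:-8h}" || return 1
        fi
    fi
}
```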

