1

I'd like to keep my keys secure, but also not have to enter a passphrase on every single git invocation, when I want to run several commands in quick succession. I've researched this, and found that ssh-agent/keychain/etc. go too far convenience-vs-security-wise to my liking. Something like xyz git pull would be perfect, where xyz checks if my key is decrypted, and if it isn't - asks for my passphrase, and then after N minutes of not invoking xyz it forgets the decrypted value. Exactly like sudo. Does this exist / can this be achieved through some tricky means?

There's a similar question about this, but our use cases differ.

Alec Mev
  • 190

1 Answer

6

This is exactly what ssh-agent does.

where xyz checks if my key is decrypted, and if it isn't - asks for my passphrase

You don't need any xyz. Just start ssh-agent at the start of your session (for example in ~/.bashrc):

[ -z "$SSH_AUTH_SOCK" ] && eval $(ssh-agent -t 5m)

And configure your ssh client to add the keys when they are first used by setting

AddKeysToAgent yes

in your ~/.ssh/config.

and then after N minutes of not invoking xyz it forgets the decrypted value.

This is what the -t switch of ssh-agent does: it sets the default timeout for added keys (5 minutes in the example above).

Jakuje
  • 21,357
  • This is close enough, thanks! Didn't know about AddKeysToAgent. However, it's not completely like sudo (though fits my brief description in the question): it's not shell-exclusive (works between several terminals) and it doesn't have a moving window timeout (if I keep invoking it every 10s, then I can keep doing it forever). – Alec Mev Dec 12 '16 at 16:36
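A shell wrapper that adds the moving-window (idle) timeout the comment above asks for on top of the ssh-agent setup in the answer. This is an added example, not code from the original answer; the names xyz, IDLE_SECS and STAMP are assumptions. It records the time of each use and, on the next invocation after IDLE_SECS of inactivity, flushes the agent with ssh-add -D so the passphrase is asked for again; the agent's own -t stays as the hard upper bound, because nothing runs while xyz is not invoked.

```bash
#!/usr/bin/env bash
# Idle-timeout wrapper around ssh-agent (assumed names: xyz, IDLE_SECS, STAMP).
# Keys loaded in the agent stay usable by plain `ssh` too; this wrapper only
# bounds how long they stay loaded between uses, it does not make them shell-local.

IDLE_SECS="${IDLE_SECS:-300}"                                   # N minutes of idleness
STAMP="${STAMP:-${XDG_RUNTIME_DIR:-/tmp}/xyz-last-use}"         # last-use timestamp file

# 0 (true) when there is no record of a previous use, or the last use is
# at least IDLE_SECS seconds old; 1 (false) otherwise.
idle_expired() {
  local last now
  [ -f "$STAMP" ] || return 0
  last=$(cat "$STAMP")
  now=$(date +%s)
  [ $(( now - last )) -ge "$IDLE_SECS" ]
}

# Record "now" as the last use.
touch_stamp() { date +%s > "$STAMP"; }

# Exit status of `ssh-add -l`: 0 keys loaded, 1 no keys, 2 agent unreachable.
agent_has_keys() { ssh-add -l >/dev/null 2>&1; }

# xyz <command...>: like sudo, prompt only when the cached credential has expired.
xyz() {
  if idle_expired; then
    ssh-add -D >/dev/null 2>&1     # idle too long: forget decrypted keys
  fi
  if ! agent_has_keys; then
    ssh-add || return 1            # prompts for the passphrase, loads default keys
  fi
  touch_stamp                      # every use slides the window forward
  "$@"
}
```

Source the file and run `xyz git pull`; a key used within IDLE_SECS of the previous xyz call is reused without a prompt, while plain `ssh` calls do not slide the window.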