
I have a bash session on tty2 and an ssh-agent process belonging to me (same user id) from a previous session (TTY = ?)

On tty2, ssh-add says: Could not open a connection to your authentication agent.

Do I have to start an eval $(ssh-agent) each time I log in, even when there's already an ssh-agent process running? But then at the end, I will have many ssh-agent process instances running :-(

EDIT: I would like to use my already running ssh-agent process.

I found a way to contact my already running ssh-agent like this:

export SSH_AUTH_SOCK=$(find /tmp/ssh-*/ -user $USER -type s -name "agent.*" 2>/dev/null | head -1)
export SSH_AGENT_PID=$(echo $SSH_AUTH_SOCK | cut -d. -f2)

but I'm not sure this is very secure.

EDIT 2: The command eval $(ssh-agent) starts a new instance of the ssh-agent process every time I run this command :-(

SebMa

2 Answers


You could eval and save the ssh-agent output at the same time,

eval $(ssh-agent | tee agent.env)

then from other terminals or subsequent sessions,

source agent.env

Tighten up the permissions to be slightly more secure,

chmod go-rwx agent.env
  • I guess there is a security issue here. If one gets access to the root privilege and is a bad person, he could still all my ssh-agent keys :-( – SebMa Mar 30 '18 at 15:12
  • 1
    @SebMa I think that root user can use the private keys but not still them. From the man page: The agent will never send a private key over its request channel. Instead, operations that require a private key will be performed by the agent, and the result will be returned to the requester. – Ortomala Lokni Mar 30 '18 at 16:16
  • @OrtomalaLokni You are absolutely right, that was a typo, I meant use instead of still :) – SebMa Mar 30 '18 at 17:58
  • 2
    @SebMa If a malicious person gets root access, then your SSH keys are the least of your problems. – Kusalananda Apr 22 '18 at 09:26
  • @Kusalananda Yes and no: If someone uses my SSH keys, he/she can do bad things with my identity on remote servers, and I would have to pay these consequences. – SebMa Apr 22 '18 at 14:13
  • @SebMa Only if they are passwordless. If you have a malicious root user, they may install a keylogger and other interesting things, and/or use your host as a jump host for launching further attacks on other hosts, which is a bigger problem. – Kusalananda Apr 22 '18 at 14:18
  • @Kusalananda Even if they are not passwordless, a root user can do a "sudo su - myUID" and then type the two export commands (see my question) to load my ssh keys into the agent without needing to unlock them, because the agent is killed when a user logs out. – SebMa Apr 23 '18 at 10:00
  • 1
    @SebMa A root user could use your agent without the file, it's really easy to figure out where the control socket is. I'm just pointing out that if you don't trust root, then you have bigger problems than keeping your SSH keys secure. – Kusalananda Apr 23 '18 at 10:06

First of all, are you doing this over an ssh session? If so, then you can use ssh -A user@host.com and don't even use ssh-agent. The -A option will forward your host's ssh-agent to the remote server. Then you don't even need to copy your ssh keys to the remote server.

Back to the original question: The problem with running ssh-agent is that by default it will use a different random socket name every time. What you want to do is use the ssh-agent -a option to provide a fixed socket. Then no matter how many times you call it, it won't start another ssh-agent.

Here's a simple script that will always re-use the same ssh-agent, or start ssh-agent if it isn't running. You can easily combine these 3 lines into a one-line alias as well.

# set SSH_AUTH_SOCK env var to a fixed value
export SSH_AUTH_SOCK=~/.ssh/ssh-agent.sock

# test whether $SSH_AUTH_SOCK is valid
# (ssh-add -l exits 0 with identities, 1 when the agent is reachable but empty,
#  2 when it cannot connect to an agent)
ssh-add -l 2>/dev/null >/dev/null

# if not valid (exit status 2 or higher), then start ssh-agent using $SSH_AUTH_SOCK
[ $? -ge 2 ] && ssh-agent -a "$SSH_AUTH_SOCK" >/dev/null

source

wisbucky
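An added example (my own code, not from either answer) that combines the fixed-socket approach of this answer with a check that addresses the question's worry about trusting whatever socket turns up under /tmp: the socket is only used if it is a real socket owned by the current user, in a directory the user owns that nobody else can write to, and a stale socket left by a dead agent is cleared before a new agent is started. The variable SSH_AGENT_SOCK_PATH and the function names are my own choices.

```sh
# Assumed name for the fixed socket path; ~/.ssh is normally mode 0700.
: "${SSH_AGENT_SOCK_PATH:=$HOME/.ssh/ssh-agent.sock}"

# Map ssh-add's exit status to a word:
#   0 -> agent reachable and holding identities
#   1 -> agent reachable but empty
#   anything else (2 = cannot connect, 127 = ssh-add not installed) -> no-agent
agent_state() {
    if SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case $rc in
        0) echo has-keys ;;
        1) echo no-keys ;;
        *) echo no-agent ;;
    esac
}

# Only trust a socket that is a real socket owned by us, inside a directory we
# own that is not group- or world-writable; a regular file, someone else's
# socket, or a socket in a shared writable directory is rejected.
socket_is_safe() {
    sock=$1
    dir=$(dirname "$sock")
    [ -S "$sock" ] && [ -O "$sock" ] && [ -d "$dir" ] && [ -O "$dir" ] || return 1
    case $(ls -ld "$dir") in
        d????w*|d???????w*) return 1 ;;   # group (col 6) or other (col 9) write bit set
    esac
    return 0
}

# Start an agent on the fixed socket only when none answers there. A stale
# socket file from a dead agent is removed first, because ssh-agent -a refuses
# to bind over an existing path. Prints the resulting agent state.
ensure_agent() {
    SSH_AUTH_SOCK=$SSH_AGENT_SOCK_PATH
    export SSH_AUTH_SOCK
    dir=$(dirname "$SSH_AUTH_SOCK")
    [ -d "$dir" ] || mkdir -m 700 "$dir" || return 1
    if [ "$(agent_state "$SSH_AUTH_SOCK")" = no-agent ]; then
        [ -S "$SSH_AUTH_SOCK" ] && rm -f "$SSH_AUTH_SOCK"
        ssh-agent -a "$SSH_AUTH_SOCK" >/dev/null || return 1
    fi
    socket_is_safe "$SSH_AUTH_SOCK" || return 1
    agent_state "$SSH_AUTH_SOCK"
}
# Usage: source this file from ~/.profile, then run:  ensure_agent && ssh-add
```

Because ssh-agent is not started through eval here, SSH_AGENT_PID is not set; stop the agent with kill on the pid from ps rather than ssh-agent -k.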