An experienced user recommended the following to me: <<I start ssh-agent in .xsession as follows:

    # check if ssh-agent is running
    SSH_AGENT_RUNNING=`ps x | grep 'ssh-agent' | grep -v grep`
    if [ "$SSH_AGENT_RUNNING" = "" ]; then
        # start it if not
        eval `ssh-agent -s`
        # also add default identity
        ( sleep 5; env DISPLAY=:0 SSH_ASKPASS=/usr/local/bin/gnome-ssh-askpass ssh-add ~/.ssh/identity ~/.ssh/id_dsa )&
    else
        # check if environment variables are set
        if [ -z "$SSH_AGENT_PID" ] ; then
            # if not, we set them
            # Note: if SSH_AGENT_PID is set we assume that it is set correctly and
            # that SSH_AUTH_SOCK is also set
            export SSH_AGENT_PID=`echo $SSH_AGENT_RUNNING | cut -f 1 -d ' '`
            # Unfortunately the PID in SSH_AUTH_SOCK is not the same as SSH_AGENT_PID.
            # Heuristic: usually it's one less ...
            typeset -i SSH_AUTH_PID=$SSH_AGENT_PID-1
            export SSH_AUTH_SOCK=`ls /tmp/ssh-*/agent.$SSH_AUTH_PID`
        fi
        # assume it has the default identity ...
    fi
>>

A hint at something like this in the manual probably wouldn't reduce ssh-agent adoption...
I think that:

    [ -z "$SSH_AUTH_SOCK" ] && eval `ssh-agent -s`
    [ -z "$SSH_AGENT_PID" ] || ssh-add -l >/dev/null 2>&1 || ssh-add

is as effective and a lot more concise. On the other hand, fragile heuristics like:

> export SSH_AUTH_SOCK=`ls /tmp/ssh-*/agent.$SSH_AUTH_PID`

have no place in our documentation.
man ssh-agent:

    NAME
         ssh-agent - authentication agent

    SYNOPSIS
         ssh-agent [-a bind_address] [-c | -s] [-d] [command [args ...]]
    [SNIP]

Run the commands:

    mv .xsession .xsession-all
    echo 'ssh-agent $HOME/.xsession-all' > .xsession
    chmod +x .xsession

or edit the global Xsession. Tip: SuSE Linux contains a commented line like this:

    SSH_AGENT=/usr/bin/ssh-agent

Uncomment it and enjoy.
Damien, Thanks for your hint. I put this into my ~/.bashrc file. Unfortunately - being a cygwin user - variables set when opening my first cygwin shell window are not visible to the overall win2k system. ===> When starting a second window via the cygwin-provided desktop shortcuts etc. (i.e. not from the first cygwin window), a second ssh-agent will be started. What do you suggest as the most robust/concise way to safely handle this case? Thx Ralf
> when starting a second window by the cygwin provided desktop shortcuts etc.
> [...] a second ssh-agent will be started.

http://freshmeat.net/projects/keychain/
As I mentioned on the mailing list: use a single socket in a well-known place (ssh-agent -a /path/to/socket). You could probably do something like:

    SSH_AUTH_SOCK=/path/to/wherever
    export SSH_AUTH_SOCK
    [ -S "$SSH_AUTH_SOCK" ] || eval `ssh-agent -sa "$SSH_AUTH_SOCK"`

Then the first shell will start an agent which all others will use.
I must mention that these help requests have no place in a bug tracking system. Please direct further discussion to the mailing list openssh-unix-dev@mindrot.org
Damien, Thanks for the hint. Unfortunately, your suggestion in http://bugzilla.mindrot.org/show_bug.cgi?id=500#c5 appears not to work because in my case, ssh-agent doesn't remove the SSH_AUTH_SOCK file when it dies/gets killed. Thus, the next time I log in (e.g. after a reboot), the socket/file is still there, but no ssh-agent is available in memory, nor will one be started. It appears that

    SSH_AUTH_SOCK=/cygdrive/c/Data/temp/ssh_auth_sock
    SSH_AGENT_RUNNING=`ps x | grep 'ssh-agent' | grep -v grep`
    if [ "$SSH_AGENT_RUNNING" = "" ]; then
        rm -f "$SSH_AUTH_SOCK"
    fi
    export SSH_AUTH_SOCK
    [ -S "$SSH_AUTH_SOCK" ] || eval `ssh-agent -sa "$SSH_AUTH_SOCK"`
    [ -z "$SSH_AGENT_PID" ] || ssh-add -l >/dev/null 2>&1 || ssh-add

is working.

Furthermore, I am confused that you discarded this documentation enhancement suggestion as "invalid". To me, it appears that you have built an outstanding piece of software with OpenSSH, but for a JoeAnyUser like myself, it is overly hard to get started with it. Assuming that you and your community do care about improving the daily security practices and behaviour of the average users out there, I contend that improving the documentation is by far the cheapest approach to boost more widespread adoption of this wonderful product. In this light, I also suggest not to discard simple and really cheap to implement convenience features for the website such as a search function (see http://bugzilla.mindrot.org/show_bug.cgi?id=478) - for us JoeAnyUsers, things like that matter!

Anyway, once I get around to converting my ssh-agent man-page extension suggestion from html to troff's *.1 (http://bugzilla.mindrot.org/show_bug.cgi?id=481), I'll mention the conclusion of this discussion there too, and I hope not to delay/bore the experts too much with that :) Ralf
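The two threads of this discussion, Damien's single fixed socket started with ssh-agent -a, and the stale socket Ralf is left with after a hard kill or a Windows reboot, can be combined without the ps/grep heuristics used in the snippets above. The following POSIX sh fragment is an added example for this page, not code from the bug report or from OpenSSH. It decides whether an agent is alive by probing the socket with ssh-add -l and using its documented exit status (0: identities listed, 1: agent reachable but empty, 2: cannot contact the agent), so a leftover socket file is recognised and removed, while a socket that a live agent serves is never deleted. The socket path $HOME/.ssh/agent.sock and the function names are assumptions of the example.

```sh
# Added example (not from the bug report or OpenSSH): one agent per user on a fixed
# socket path, with stale-socket detection instead of ps/grep heuristics.
# Assumed socket path. Keep it in a directory only you can access (e.g. a 0700
# ~/.ssh): anyone who can connect to the socket can sign with the loaded keys,
# which is why a world-readable location such as a shared temp dir is a poor choice.
AGENT_SOCK=${AGENT_SOCK:-$HOME/.ssh/agent.sock}

# agent_state SOCK -> prints one of: missing, dead, empty, live
# Based on the documented exit status of ssh-add -l:
#   0 = identities listed, 1 = agent reachable but no identities, 2 = cannot
#   contact the agent. Any other status (e.g. 127, ssh-add not installed) is
#   also treated as "dead", since nothing usable answers on the socket.
agent_state() {
    sock=$1
    if [ ! -e "$sock" ]; then            # -e rather than -S: Cygwin may leave a plain file
        echo missing
        return 0
    fi
    rc=0
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo live ;;
        1) echo empty ;;
        *) echo dead ;;                  # file exists, nothing answers on it
    esac
}

# remove_stale_socket SOCK: delete the socket only when no agent answers on it,
# which is what kill -9 or a reboot leaves behind. A live socket is never
# touched, so a second shell cannot break the first shell's agent.
remove_stale_socket() {
    if [ "$(agent_state "$1")" = dead ]; then
        rm -f "$1"
    fi
}

# ensure_agent SOCK: reuse the agent on SOCK, or start one bound there with -a.
# ssh-agent -a will not bind over an existing path, hence the cleanup first.
ensure_agent() {
    sock=$1
    mkdir -p "$(dirname "$sock")"
    remove_stale_socket "$sock"
    if [ ! -e "$sock" ]; then
        # -s prints Bourne-style exports (SSH_AUTH_SOCK, SSH_AGENT_PID) for eval;
        # the "Agent pid" echo it also emits is discarded.
        eval "$(ssh-agent -s -a "$sock")" >/dev/null
    fi
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
}

# load_default_identity: run ssh-add (default ~/.ssh keys) only if the agent
# holds no identities yet. Under X, set DISPLAY and SSH_ASKPASS and detach
# stdin first so the passphrase prompt goes to the askpass program, as the
# .xsession snippet at the top of this report does.
load_default_identity() {
    [ "$(agent_state "$SSH_AUTH_SOCK")" = live ] || ssh-add
}

# Usage from ~/.bashrc, ~/.xsession or the Cygwin profile (uncomment):
#   ensure_agent "$AGENT_SOCK" && load_default_identity
```

Because the liveness decision comes from actually talking to the agent rather than from the presence of the file or from a process listing, the same two lines work for the first window after a reboot (stale file removed, new agent started) and for every later window (existing agent reused), on Cygwin as well as on a Unix desktop.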
The socket should disappear after the server stops listening; if this isn't the case, you should chase it up with the cygwin people.
The agent's cleanup_socket() should handle this, unless you kill -9....
Thx for the hints. In this case, unfortunately, a shutdown/restart of win2k appears to be equivalent to "kill -9" for the cygwin version of ssh-agent ...
BTW, http://bugzilla.mindrot.org/attachment.cgi?id=266&action=edit describes another option how to start it by default under windows.
Mass change of VERIFIED bugs to CLOSED