35
  1. How to start ssh-agent as systemd service? There are some suggestions in the net, but they are not complete.

  2. How to add automatically unencrypted keys if ssh-agent service was started successfully? Probably, adding keys from the list of ~/.ssh/.session-keys would be good.

  3. How to set SSH_AUTH_SOCK in any login session afterwards? The most correct way is to push it from ssh-agent service to systemd-logind service (have no idea if it's ever possible). The plain naive way is just add it to /etc/profile.

midenok
  • 513
  • 1
  • 4
  • 9

2 Answers

66
  • To create a systemd ssh-agent service, you need to create a file in ~/.config/systemd/user/ssh-agent.service because ssh-agent is user isolated.
    [Unit]
    Description=SSH key agent
    
    [Service]
    Type=simple
    Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
    ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
    
    [Install]
    WantedBy=default.target
    
  • Add
    SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"
    
    to ~/.config/environment.d/ssh_auth_socket.conf.
  • Finally enable and start this service.
    systemctl --user enable --now ssh-agent
    
  • And, if you are using an ssh version higher than 7.2:
    echo 'AddKeysToAgent  yes' >> ~/.ssh/config
    
    This will instruct the ssh client to always add the key to a running agent, so there's no need to ssh-add it beforehand.

Note that when you create the ~/.ssh/config file you may need to run:

chmod 600 ~/.ssh/config

or

chown $USER ~/.ssh/config

Otherwise, you might receive the Bad owner or permissions on ~/.ssh/config error.

AdminBee
  • 21,637
  • 21
  • 47
  • 71
lightsing
  • 776
  • 7
  • 4
  • `launchd` on OS X is set to start ssh-agent when a Unix socket is accessed (and the `SSH_AUTH_SOCK` variable is prepopulated with the path...) (like `inetd`, but a Unix socket). This seems possible with `systemd` as well. (Whether a system-wide service is an option for a per-user service might be interesting to see....) – Gert van den Berg Feb 26 '18 at 10:49
  • I get `Failed to execute operation: Process org.freedesktop.systemd1 exited with status 1` when I run `systemctl --user enable ssh-agent` on centos7 – scarba05 Mar 18 '19 at 08:51
  • 1
    @nealmcb You must have `SSH_AUTH_SOCK` set elsewhere in your system, otherwise `ssh` would never see it. And unless I'm missing something, `Environment` and `ExecStartPre` aren't needed at all. – Alec Mev May 08 '20 at 21:13
  • @AlecMev Hmm - you may well be right. I was probably trying different things, and notice that I have `SSH_AUTH_SOCK` set in my `.profile`. Sorry for the confusion. – nealmcb May 09 '20 at 22:10
  • 2
    You can make ssh-agent exit after your last session by adding `After=systemd-user-sessions.service user-runtime-dir@%i.service dbus.service` and `Requires=user-runtime-dir@%i.service` to the `[Unit]` section. – Karl Bunch Apr 18 '21 at 11:48
  • @AlecMev `Environment` seems to be useful for other services started with systemd that might want to know `SSH_AUTH_SOCK`. – tsj Apr 30 '21 at 20:55
  • This setup persists through restart in Arch (i.e., logout/login, or i3 `$mod` `e`). It does not survive a `reboot` or a 'Reddit-tier IT Support stock answer' (i.e., "Turn it off then back on"). – GT. Apr 23 '23 at 05:36
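The steps in the answer above, collected into one script as an added example (this is not code from the answer or from systemd/OpenSSH). It writes the user unit, the environment.d fragment and the `AddKeysToAgent` line under a prefix that stands in for `$HOME`, so it can be dry-run in a scratch directory, and it checks the ownership and group/other write bits that ssh rejects with "Bad owner or permissions". The function names and the `--apply` flag are this example's own; nothing in it calls `systemctl`, so the final enable step stays manual.

```shell
#!/bin/sh
# Added example, not code from the original answer. Everything is written
# under the prefix passed as $1 (use "$HOME" for a real install); the
# function names and the --apply flag are assumptions of this example.

write_ssh_agent_unit() {            # $1 = prefix standing in for $HOME
    unit_dir="$1/.config/systemd/user"
    mkdir -p "$unit_dir"
    cat > "$unit_dir/ssh-agent.service" <<'EOF'
[Unit]
Description=SSH key agent

[Service]
Type=simple
# %t is $XDG_RUNTIME_DIR (e.g. /run/user/1000): per-user and mode 0700,
# so the agent socket is not reachable by other local users.
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target
EOF
}

write_environment_fragment() {      # makes SSH_AUTH_SOCK visible to login sessions
    env_dir="$1/.config/environment.d"
    mkdir -p "$env_dir"
    printf 'SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"\n' \
        > "$env_dir/ssh_auth_socket.conf"
}

enable_add_keys_to_agent() {        # idempotent form of the `echo >>` step
    ssh_dir="$1/.ssh"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    cfg="$ssh_dir/config"
    [ -f "$cfg" ] || : > "$cfg"
    grep -qi '^[[:space:]]*AddKeysToAgent' "$cfg" \
        || printf 'AddKeysToAgent yes\n' >> "$cfg"
    chmod 600 "$cfg"
}

check_ssh_config_perms() {          # 0 = ssh accepts the file, 1 = "Bad owner or permissions"
    cfg="$1/.ssh/config"
    [ -f "$cfg" ] && [ -O "$cfg" ] || return 1
    # columns 6 and 9 of `ls -l` are the group and other write bits
    case "$(ls -ld "$cfg" | cut -c6,9)" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

setup_ssh_agent_user_service() {    # runs all steps; exit status is the permission check
    write_ssh_agent_unit "$1"
    write_environment_fragment "$1"
    enable_add_keys_to_agent "$1"
    check_ssh_config_perms "$1"
}

# Real install: ./ssh-agent-setup.sh --apply && systemctl --user enable --now ssh-agent
if [ "${1:-}" = "--apply" ]; then
    setup_ssh_agent_user_service "$HOME"
fi
```

After `--apply`, log out and back in (or start a new login session) so the environment.d fragment takes effect; `echo $SSH_AUTH_SOCK` should then point into `$XDG_RUNTIME_DIR`, and `ssh-add -l` should talk to the service-managed agent.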
1

This is not supported if you are using CentOS 7 because it will not support the --user flag of systemctl. See this CentOS bug report, Systemd User Support is Broken on Delivery

scarba05
  • 111
  • 3