6

I have a bash session on tty2 and an ssh-agent process belonging to me (same user id) from a previous session (TTY = ?)

On tty2, ssh-add says: Could not open a connection to your authentication agent.

Do I have to start an eval $(ssh-agent) each time I log in, even when there's already an ssh-agent process running? But then, at the end, I will have many ssh-agent process instances running :-(

EDIT: I would like to use my already running ssh-agent process.

I found a way to contact my already running ssh-agent like this:

export SSH_AUTH_SOCK=$(find /tmp/ssh-*/ -user $USER -type s -name "agent.*" 2>/dev/null | head -1)
export SSH_AGENT_PID=$(echo $SSH_AUTH_SOCK | cut -d. -f2)

but I'm not sure this is very secure.

EDIT 2: The command eval $(ssh-agent) starts a new instance of the ssh-agent process every time I run this command :-(

SebMa

2 Answers

5

You could eval and save the ssh-agent output at the same time,

eval $(ssh-agent | tee agent.env)

then from other terminals or subsequent sessions,

source agent.env

Tighten up the permissions to be slightly more secure,

chmod go-rwx agent.env
jamieguinan
  • I guess there is a security issue here. If one gets access to the root privilege and is a bad person, he could still all my ssh-agent keys :-( – SebMa Mar 30 '18 at 15:12
  • 1
    @SebMa I think that root user can use the private keys but not still them. From the man page: `The agent will never send a private key over its request channel. Instead, operations that require a private key will be performed by the agent, and the result will be returned to the requester.` – Ortomala Lokni Mar 30 '18 at 16:16
  • @OrtomalaLokni You are absolutely right, that was a typo, I meant `use` instead of `still` :) – SebMa Mar 30 '18 at 17:58
  • 2
    @SebMa If a malicious person gets root access, then your SSH keys are the least of your problems. – Kusalananda Apr 22 '18 at 09:26
  • @Kusalananda Yes and no: if someone uses my SSH keys, he/she can do bad things with my identity on remote servers, and I would have to pay the consequences. – SebMa Apr 22 '18 at 14:13
  • @SebMa Only if they are passwordless. If you have a malicious root user, they may install a keylogger and other interesting things, and/or use your host as a jump host for launching further attacks on other hosts, which is a bigger problem. – Kusalananda Apr 22 '18 at 14:18
  • @Kusalananda Even if they are not passwordless, a root user can do a "sudo su - myUID" and then type the two `export` commands (see my question) to load my ssh key into the agent without needing to unlock them, because the agent is killed when a user logs out. – SebMa Apr 23 '18 at 10:00
  • 1
    @SebMa A root user could use your agent without the file, it's _really easy_ to figure out where the control socket is. I'm just pointing out that if you don't trust root, then you have bigger problems than keeping your SSH keys secure. – Kusalananda Apr 23 '18 at 10:06
4

First of all, are you doing this over an ssh session? If so, then you can use ssh -A [email protected] and don't even use ssh-agent. The -A option will forward your host's ssh-agent to the remote server. Then you don't even need to copy your ssh keys to the remote server.

Back to the original question: The problem with running ssh-agent is that by default it will use a different random socket name every time. What you want to do is use the ssh-agent -a option to provide a fixed socket. Then no matter how many times you call it, it won't start another ssh-agent.

Here's a simple script that will always re-use the same ssh-agent, or start ssh-agent if it isn't running. You can easily combine these 3 lines into a 1 line alias as well.

# set SSH_AUTH_SOCK env var to a fixed value
export SSH_AUTH_SOCK=~/.ssh/ssh-agent.sock

# test whether $SSH_AUTH_SOCK is valid (ssh-add -l exits 2 when no agent answers)
ssh-add -l 2>/dev/null >/dev/null

# if not valid, remove any stale socket file left behind by a reboot or a killed
# agent (ssh-agent -a refuses to bind over an existing path), then start
# ssh-agent using $SSH_AUTH_SOCK
[ $? -ge 2 ] && rm -f "$SSH_AUTH_SOCK" && ssh-agent -a "$SSH_AUTH_SOCK" >/dev/null


wisbucky
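An added example, not code from the question or from either answer, that combines the three ideas on this page: the fixed socket path from the second answer, an owner-only file recording the agent (the role agent.env plays in the first answer), and a check that a socket found under /tmp actually has a live agent behind it before the question's find-based approach trusts it. The socket and PID file paths (~/.ssh/agent.sock, ~/.ssh/agent.pid) and the function names are assumptions of this example, not something either answer defines.

```shell
#!/bin/sh
# Added example (not code from the question or either answer): reuse one
# ssh-agent across logins through a fixed socket, and validate a candidate
# socket before trusting it. The paths below are assumptions; both can be
# overridden from the environment.
AGENT_SOCK="${AGENT_SOCK:-$HOME/.ssh/agent.sock}"
AGENT_PID_FILE="${AGENT_PID_FILE:-$HOME/.ssh/agent.pid}"

# ssh-add(1) exit status: 0 = agent reachable with identities loaded,
# 1 = agent reachable but holds no identities, 2 = no agent could be contacted.
# Anything else (e.g. 127 when ssh-add is missing) is treated as unreachable.
agent_state_from_status() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Ask the agent behind a socket (argument, default $AGENT_SOCK) how it is doing.
# The `if` form keeps a failing ssh-add from aborting a shell running `set -e`.
agent_state() {
    if SSH_AUTH_SOCK="${1:-$AGENT_SOCK}" ssh-add -l >/dev/null 2>&1; then
        agent_status=0
    else
        agent_status=$?
    fi
    agent_state_from_status "$agent_status"
}

# Start a fresh agent bound to $AGENT_SOCK and record its PID with owner-only
# permissions (the equivalent of `chmod go-rwx agent.env` in the first answer).
start_agent() {
    mkdir -p "$(dirname "$AGENT_SOCK")"
    # A socket file left over from a reboot or a killed agent makes
    # `ssh-agent -a` fail with "Address already in use", so clear it first.
    rm -f "$AGENT_SOCK"
    agent_out=$(umask 077; ssh-agent -s -a "$AGENT_SOCK")
    eval "$agent_out" >/dev/null          # sets SSH_AUTH_SOCK and SSH_AGENT_PID
    (umask 077; printf '%s\n' "$SSH_AGENT_PID" > "$AGENT_PID_FILE")
}

# Idempotent entry point: call it from ~/.profile after sourcing this file.
# Reuses the running agent when it answers, otherwise starts one.
ensure_agent() {
    export SSH_AUTH_SOCK="$AGENT_SOCK"
    if [ "$(agent_state)" = unreachable ]; then
        start_agent
    fi
    if [ -r "$AGENT_PID_FILE" ]; then
        SSH_AGENT_PID=$(cat "$AGENT_PID_FILE")
        export SSH_AGENT_PID
    fi
}

# Stop the agent recorded in the PID file and remove its files.
kill_agent() {
    if [ -r "$AGENT_PID_FILE" ]; then
        kill "$(cat "$AGENT_PID_FILE")" 2>/dev/null || true
        rm -f "$AGENT_PID_FILE"
    fi
    rm -f "$AGENT_SOCK"
}

# Safer form of the question's `find ... | head -1`: of the agent sockets in
# /tmp owned by the current user, print the first one whose agent actually
# answers, rather than whichever stale socket happens to sort first.
# Returns 1 when no live agent is found.
find_live_agent_socket() {
    for candidate in $(find /tmp/ssh-*/ -user "$(id -un)" -type s -name 'agent.*' 2>/dev/null); do
        if [ "$(agent_state "$candidate")" != unreachable ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}
```

Save it as, say, ~/.ssh/agent-reuse.sh and put `. ~/.ssh/agent-reuse.sh && ensure_agent` in ~/.profile; every login shell, on any tty, then talks to the same agent, and `ssh-add` only has to unlock a key once. `find_live_agent_socket` is for the situation in the question, where an agent from an earlier session is still running somewhere under /tmp and you want to adopt it instead of starting another.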