dsa vers rsa ssh key

George Georgalis george at galis.org
Sun Apr 3 23:31:53 PDT 2005


On Sun, Apr 03, 2005 at 11:42:16AM -0700, Matthew Dillon wrote:
>
>    so e.g. part of my .xinitrc is an eval `/usr/bin/ssh-agent -c` (it's
>    a csh script, you can do it as a /bin/sh script too using a slightly
>    different arrangement).  Then I do a single ssh-add in an xterm and
>    from then on I can use my key without having to enter any further 
>    passwords.
>

That worked for me until I started having accounts more trusted than
the box I run X on. I needed an environment that asks for the passphrase
when logging in, not necessarily just when starting X. Below is bash (for
~/.bashrc); I have not ported it to zsh or tcsh yet.

# On interactive login, if there is a private key, set up an ssh agent such
# that it and only it can be killed on logout. Logic is as follows:
# if this is a login shell (PS1 is set) and
#   if there is no $SSH_AGENT_PID then
#     if there is an ssh id file then
#       assign SSH_AGENT_SHELL_PID[$$] to $SSH_AGENT_PID
#       so this and only this $SSH_AGENT_PID can be killed from .bash_logout
#       if the passphrase is unknown, cleanup
if [ -n "$PS1" -a -z "$SSH_AGENT_PID" ]; then
  if [ -f ~/.ssh/id_dsa -o -f ~/.ssh/id_rsa -o -f ~/.ssh/identity ]; then
    # Say which account is asking, since the passphrase prompt itself does not
    printf "${USER}@${HOSTNAME}: "
    eval `ssh-agent`
    # Record the agent PID under this shell's PID (a bash array; it is not
    # exported, so child shells will not see it and cannot kill this agent)
    SSH_AGENT_SHELL_PID=([$$]=${SSH_AGENT_PID})
    # No usable passphrase: do not leave an empty agent running
    ssh-add \
      || { kill $SSH_AGENT_PID
           unset SSH_AGENT_PID "SSH_AGENT_SHELL_PID[$$]" ;}
  fi
fi
## ~/.bash_logout
#sshpid=${SSH_AGENT_SHELL_PID[$$]}
#[ -n "$sshpid" ] \
#        && { kill "$sshpid" \
#                || echo '~/.bash_logout: ssh-agent already died?' >&2 ;}


...so it starts an agent if PS1 is set and there is a private key, asks
for the passphrase, and the keys are available to any subprocesses. Then,
with the tail block uncommented and in the logout file, only the
appropriate agent is killed when the shell that started it exits.


Per other messages in this thread, yes, keys are fun; you can do a lot.
For DNS updates, I make passphrase-less private keys available to users in
a dns group; when they commit their changes (with make), those keys are
used (with ssh -i, transparently) to propagate the new records to the remote
host and update everything all around. The users only had to log in, edit
records and type make, then I get an email with a diff of their changes.
;-)

// George


-- 
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george at xxxxxxxxx
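A POSIX sh port of the per-login agent logic in the message above, added here as an example rather than the author's code: one agent per login shell, killed on exit only by the shell that started it, with the same cleanup when ssh-add fails. It assumes ~/.profile as the hook, and SSH_AGENT_CMD/SSH_ADD_CMD are hypothetical overrides so the bookkeeping can be exercised without a real agent or passphrase prompt.

```shell
#!/bin/sh
# POSIX sh port of the per-login ssh-agent logic above (added example, not
# the author's code): one agent per login shell, killed on exit only by the
# shell that started it. SSH_AGENT_CMD/SSH_ADD_CMD are hypothetical overrides
# so the bookkeeping can be exercised without a real agent or passphrase.
: "${SSH_AGENT_CMD:=ssh-agent -s}"
: "${SSH_ADD_CMD:=ssh-add}"

# start_login_agent KEYFILE...: start an agent and load the first key that
# exists. Returns 0 when an agent now belongs to this shell, 1 otherwise.
start_login_agent() {
    # An agent inherited from a parent shell is reused, never replaced.
    [ -z "$SSH_AGENT_PID" ] || return 1
    key=
    for k in "$@"; do
        [ -f "$k" ] && { key=$k; break; }
    done
    [ -n "$key" ] || return 1
    # ssh-agent -s prints sh-style exports of SSH_AUTH_SOCK and SSH_AGENT_PID
    eval "$($SSH_AGENT_CMD)" >/dev/null
    [ -n "$SSH_AGENT_PID" ] || return 1
    # Owner is deliberately not exported and is checked against $$ on
    # cleanup, so a nested shell can never kill its parent's agent.
    LOGIN_AGENT_OWNER=$$
    # Say which account is being asked; the ssh-add prompt does not.
    printf '%s@%s: ' "$USER" "${HOSTNAME:-$(uname -n)}" >&2
    if ! $SSH_ADD_CMD "$key"; then
        # Passphrase unknown or mistyped: leave no empty agent behind.
        stop_login_agent
        return 1
    fi
    return 0
}

# stop_login_agent: kill the agent only if this very shell started it.
stop_login_agent() {
    [ "$LOGIN_AGENT_OWNER" = "$$" ] || return 1
    kill "$SSH_AGENT_PID" 2>/dev/null || echo 'ssh-agent already died?' >&2
    unset SSH_AGENT_PID SSH_AUTH_SOCK LOGIN_AGENT_OWNER
}

# ~/.profile hook. Plain sh gives PS1 a default even in scripts, so test
# interactivity with $- rather than PS1 as the bash version does.
case $- in
*i*) if start_login_agent "$HOME/.ssh/id_rsa" "$HOME/.ssh/id_dsa" \
                          "$HOME/.ssh/identity"; then
         trap stop_login_agent EXIT
     fi ;;
esac
```

The EXIT trap replaces ~/.bash_logout, which only bash runs; the owner check keeps a nested shell or screen session from killing an agent it merely inherited.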