I'm in the process of converting from nfs to sshfs on my home-grown
file-server/backup-server computer. This computer does not run Xwindows
or any other graphical manager. I control it mostly by logging into it
using ssh. But when I log in this way, it appears that ssh-agent is
not started, and consequently, I cannot use ssh-add on it. I can, of
course, use ssh-add on my desktop computer, but that is not where the
private key for the backup server is stored. Has anyone confronted
this situation and worked out a solution? Advice?
(Please don't suggest that I use some prebuilt backup system that does
everything you want. I am special, i.e. especially unreasonable in my
goals/needs.)
TIA
--
Paul E Condon
pecondon@mesanetworks.net
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
01-04-2009, 03:28 PM
"Michael Marsh"
ssh-agent without graphical display manager? how?
On Sun, Jan 4, 2009 at 10:55 AM, Paul E Condon <pec@mesanetworks.net> wrote:
> I'm in the process of converting from nfs to sshfs on my home-grown
> file-server/backup-server computer. This computer does not run Xwindows
> or any other graphical manager. I control it mostly by logging into it
> using ssh. But when I log in this way, it appears that ssh-agent is
> not started, and consequently, I cannot use ssh-add on it. I can, of
> course, use ssh-add on my desktop computer, but that is not where the
> private key for the backup server is stored. Has anyone confronted
> this situation and worked out a solution? Advice?
I haven't tried this, but does running ssh-agent from ~/.ssh/rc (or
/etc/ssh/sshrc) do what you need?
--
Michael A. Marsh
http://www.umiacs.umd.edu/~mmarsh
http://mamarsh.blogspot.com
http://36pints.blogspot.com
01-04-2009, 05:38 PM
Andrei Popescu
ssh-agent without graphical display manager? how?
On Sun,04.Jan.09, 08:55:27, Paul E Condon wrote:
> I'm in the process of converting from nfs to sshfs on my home-grown
> file-server/backup-server computer. This computer does not run Xwindows
> or any other graphical manager. I control it mostly by logging into it
> using ssh. But when I log in this way, it appears that ssh-agent is
> not started, and consequently, I cannot use ssh-add on it. I can, of
> course, use ssh-add on my desktop computer, but that is not where the
> private key for the backup server is stored. Has anyone confronted
> this situation and worked out a solution? Advice?
As far as I recall the manpage of ssh-agent has generic instructions on
how to start it.
Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
01-04-2009, 06:18 PM
Paul E Condon
ssh-agent without graphical display manager? how?
On Sun, Jan 04, 2009 at 08:38:46PM +0200, Andrei Popescu wrote:
> On Sun,04.Jan.09, 08:55:27, Paul E Condon wrote:
> > I'm in the process of converting from nfs to sshfs on my home-grown
...
>
> As far as I recall the manpage of ssh-agent has generic instructions on
> how to start it.
>
The man page instructions assume that one is running a graphical display
manager, and I am not. This is precisely why I need help, IMHO.
--
Paul E Condon
pecondon@mesanetworks.net
01-04-2009, 06:44 PM
"Boyd Stephen Smith Jr."
ssh-agent without graphical display manager? how?
On Sunday 04 January 2009, Paul E Condon <pec@mesanetworks.net> wrote
about 'ssh-agent without graphical display manager? how?':
>I control it mostly by logging into it
>using ssh. But when I log in this way, it appears that ssh-agent is
>not started. Has anyone confronted
>this situation and worked out a solution? Advice?
I use the "keychain" package plus these scripts and snippets to start and
load my agents:
(Helper scripts)
~/bin/keychain-start.sh: (Meant to be sourced)
#! /bin/sh
# Starts keychain or initializes the environment, but requires no
# interactivity.
if [ -x /usr/bin/keychain ]; then
    # Discard only stderr: stdout carries the variable settings that eval needs.
    eval "$(/usr/bin/keychain --eval --quiet --inherit any-once --stop others --noask --lockwait 0 2>/dev/null)"
fi
~/bin/keychain-load.bash: (Meant to be run normally)
#! /bin/bash
# Starts and loads the keychain, interacting with the user as needed.
# May start gnupg-agent, but doesn't prompt for keys because gnupg-agent
# regularly times out keys.
# Since interaction is clearly available, we clear the keychain before adding
# keys (assume user is an attacker).
if [ -x /usr/bin/keychain ]; then
    SSH_KEYS=('id_dsa')
    eval "$(/usr/bin/keychain --eval --inherit any-once --stop others --clear "${SSH_KEYS[@]}")"
fi
(KDE)
~/.kde/env/keychain-start.sh is a hardlink to ~/bin/keychain-start.sh.
~/.kde/env/ssh-askpass.sh: (optional)
#! /bin/sh
if [ -x /usr/bin/ksshaskpass ]; then
SSH_ASKPASS=/usr/bin/ksshaskpass; export SSH_ASKPASS
elif [ -x /usr/bin/x11-ssh-askpass ]; then
SSH_ASKPASS=/usr/bin/x11-ssh-askpass; export SSH_ASKPASS
elif [ -x /usr/lib64/ssh/x11-ssh-askpass ]; then
SSH_ASKPASS=/usr/lib64/ssh/x11-ssh-askpass; export SSH_ASKPASS
elif [ -x /usr/bin/ssh-askpass ]; then
SSH_ASKPASS=/usr/bin/ssh-askpass; export SSH_ASKPASS
elif [ -x /usr/lib64/ssh/ssh-askpass ]; then
SSH_ASKPASS=/usr/lib64/ssh/ssh-askpass; export SSH_ASKPASS
fi
~/.kde/Autostart/keychain-load.desktop:
[Desktop Entry]
Name=Load Keychain
Comment=Start agents and add keys to them.
Exec=/home/bss/bin/keychain-load.bash
Terminal=true
StartupNotify=false
Type=Application
Encoding=UTF-8
(bash)
~/.bashrc:
[...]
if [ -x ~/bin/keychain-start.sh ]; then
. ~/bin/keychain-start.sh
fi
[...]
If you use a different shell, then you may need to modify a different .*rc
file and/or a different .*profile file. If you use a different DE, you'll
probably have to change the location of the DE files.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
01-04-2009, 06:52 PM
Allan Wind
ssh-agent without graphical display manager? how?
You want to run ssh-agent in the parent login shell, so later shells
inherit the SSH_AGENT_ID and SSH_AGENT_PID environment variables. If
you use bash, then .login or .bash_login should contain something like:
eval `ssh-agent`
/Allan
--
Allan Wind
Life Integrity, LLC
http://lifeintegrity.com
01-04-2009, 07:19 PM
Ken Irving
ssh-agent without graphical display manager? how?
On Sun, Jan 04, 2009 at 08:55:27AM -0700, Paul E Condon wrote:
> I'm in the process of converting from nfs to sshfs on my home-grown
> file-server/backup-server computer. This computer does not run Xwindows
> or any other graphical manager. I control it mostly by logging into it
> using ssh. But when I log in this way, it appears that ssh-agent is
> not started, and consequently, I cannot use ssh-add on it. I can, of
> course, use ssh-add on my desktop computer, but that is not where the
> private key for the backup server is stored. Has anyone confronted
> this situation and worked out a solution? Advice?
I often do something like I think you're describing, and just run
bash or other shell (or startx, etc.) as an argument to ssh-agent.
ssh-agent exports some variables to identify the ssh agent process or
fifo, it doesn't care if what it's wrapping is graphical or otherwise.
$ ssh-agent bash
$ ssh-add
...
Ken
--
Ken Irving
01-04-2009, 07:35 PM
Vincent Lefevre
ssh-agent without graphical display manager? how?
On 2009-01-04 12:18:32 -0700, Paul E Condon wrote:
> The man page instructions assume that one is running a graphical display
> manager, and I am not. This is precisely why I need help, IMHO.
I use ssh (and ssh-agent) to jump from one machine to another,
most often without X forwarding, and I've never had any problem.
As my shell is zsh, I start ssh-agent from my ".zlogin".
01-04-2009, 07:44 PM
Vincent Lefevre
ssh-agent without graphical display manager? how?
On 2009-01-04 14:52:58 -0500, Allan Wind wrote:
> You want to run ssh-agent in the parent login shell, so later shells
> inherit the SSH_AGENT_ID and SSH_AGENT_PID environment variables.
Only sub-shells will inherit them. If you start a second SSH session
to the remote host, it will not inherit these variables from the
first session. For this reason, I've written a set of zsh scripts
(only work if the shell is zsh -- this is what I use), to be able
to reuse the same ssh-agent in any shell:
01-04-2009, 08:08 PM
Andrei Popescu
ssh-agent without graphical display manager? how?
On Sun,04.Jan.09, 12:18:32, Paul E Condon wrote:
> The man page instructions assume that one is running a graphical display
> manager, and I am not. This is precisely why I need help, IMHO.
I admit it's cryptic, but it's there:
,----[ ssh-agent(1) ]
| There are two main ways to get an agent set up: [...] The second is that
| the agent prints the needed shell commands (either sh(1) or csh(1)
| syntax can be generated) which can be evalled in the calling shell, eg
| eval `ssh-agent -s` for Bourne-type shells such as sh(1) or ksh(1) and
| eval `ssh-agent -c` for csh(1) and derivatives.
`----
Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
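
Added example, not code from any poster in this thread: a POSIX sh sketch that combines the two points raised above, evaluating the output of `ssh-agent -s` in a login shell and reusing one agent across separate SSH sessions on a machine with no display manager. The file path `AGENT_ENV` and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). AGENT_ENV is a path chosen here.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# True when an agent answers on SSH_AUTH_SOCK. ssh-add -l exits 0 (keys
# listed) or 1 (agent reachable, no keys); 2 means no agent was reached.
agent_alive() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -le 1 ]
}

# The saved file gets sourced, so accept it only if it is a regular file
# (not a symlink), owned by this user, with no group/other permissions.
env_file_trusted() {
    [ -f "$1" ] && [ ! -h "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -rw-------*|-r--------*) return 0 ;;
    esac
    return 1
}

# Reuse a working agent if there is one, otherwise start one and record
# its environment for later logins.
ensure_agent() {
    agent_alive && return 0            # inherited agent already works
    if env_file_trusted "$AGENT_ENV"; then
        . "$AGENT_ENV" >/dev/null      # settings saved by an earlier login
        agent_alive && return 0
    fi
    rm -f "$AGENT_ENV"                 # stale or untrusted: start over
    ( umask 077; ssh-agent -s >"$AGENT_ENV" ) || return 1
    . "$AGENT_ENV" >/dev/null
    agent_alive
}
```

Call `ensure_agent` from `~/.profile` (or the login file of your shell) and run `ssh-add` once; later logins find the same agent with its keys still loaded.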