Yesterday or Friday, don't remember, I happened to be looking at my processes on my machine, and discovered I had a number of ssh-agents running (all mine), from different days. I killed all but the current day's.
Now, I log out every single night.
I checked the next day, and sure enough, the one I started the previous day was still running, and I could not only use ssh-add, and it worked. I didn't think of it this morning until just now, but tomorrow I'll log back in, and see if I even need to use ssh-add.
If this is the case, I am not happy. This is, to me, a security hole, and *not* what I expected, nor what the man page seems to lead me to believe.
Bug?
mark
On Tue, 2010-04-06 at 09:57 -0400, m.roth@5-cent.us wrote:
Yesterday or Friday, don't remember, I happened to be looking at my processes on my machine, and discovered I had a number of ssh-agents running (all mine), from different days. I killed all but the current day's.
Now, I log out every single night.
I checked the next day, and sure enough, the one I started the previous day was still running, and I could not only use ssh-add, and it worked. I didn't think of it this morning until just now, but tomorrow I'll log back in, and see if I even need to use ssh-add.
If this is the case, I am not happy. This is, to me, a security hole, and *not* what I expected, nor what the man page seems to lead me to believe.
Bug?
mark
I think that you may want some additional documentation on the use of ssh and ssh-agent. Try this link ( read all three parts of the article ) and re-evaluate your conclusions.
http://www-106.ibm.com/developerworks/library/l-keyc.html
I have been using the keychain utility referenced in this series for several years now, and I'm pretty happy with it. As always, YMMV.
Ron wrote:
On Tue, 2010-04-06 at 09:57 -0400, m.roth@5-cent.us wrote:
Yesterday or Friday, don't remember, I happened to be looking at my processes on my machine, and discovered I had a number of ssh-agents running (all mine), from different days. I killed all but the current day's.
Now, I log out every single night.
I checked the next day, and sure enough, the one I started the previous day was still running, and I could not only use ssh-add, and it worked. I didn't think of it this morning until just now, but tomorrow I'll log back in, and see if I even need to use ssh-add.
If this is the case, I am not happy. This is, to me, a security hole, and *not* what I expected, nor what the man page seems to lead me to believe.
Bug?
I think that you may want some additional documentation on the use of ssh and ssh-agent. Try this link ( read all three parts of the article ) and re-evaluate your conclusions.
http://www-106.ibm.com/developerworks/library/l-keyc.html
I have been using the keychain utility referenced in this series for several years now, and I'm pretty happy with it. As always, YMMV.
Let's try again, since, having skimmed your link, it seems to me that you don't understand my problem.
What I was doing: log onto my machine (system run level 5, I log out, NOT just lock the screen, every single night; therefore, there should be no processes running owned by me), and in a terminal window, do ssh-agent ssh-add .ssh/private key and enter my passphrase. Then I'd go through the day merrily on my way.
Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though I am logged all the way out. When I log out, unless I background something, everything running as me should go away. Everything.
What I will try tomorrow, or maybe, if I get real enthused, later today, is to see if, after logging all the way out, then logging back in, whether ssh-agent has retained the ssh key that I added in the last session. If so, I *will* call this an important security hole, since in the unlikely event that someone manages to crack into my account (I lock the screen, per division rules, when I walk out of the office, so they can't just sit down at my desk), they could get to every other machine without so much as a by-your-leave, with no passwords.
Now is this clearer?
mark
m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
What I was doing: log onto my machine (system run level 5, I log out, NOT just lock the screen, every single night; therefore, there should be no processes running owned by me), and in a terminal window, do ssh-agent ssh-add .ssh/private key and enter my passphrase. Then I'd go through the day merrily on my way.
Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though I am logged all the way out. When I log out, unless I background something, everything running as me should go away. Everything.
What I will try tomorrow, or maybe, if I get real enthused, later today, is to see if, after logging all the way out, then logging back in, whether ssh-agent has retained the ssh key that I added in the last session. If so, I *will* call this an important security hole, since in the unlikely event that someone manages to crack into my account (I lock the screen, per division rules, when I walk out of the office, so they can't just sit down at my desk), they could get to every other machine without so much as a by-your-leave, with no passwords.
I believe you can specify to agent that it should forget what it knows after a specified time period, at least when you are firing up the agent.
Now is this clearer?
question: if you don't start ssh-agent in your terminal do you see something like the following with ps?
~$ ps aux |grep agent
uname 12345 0.0 0.1 8916 3608 ? Ss 09:12 0:00 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/dbus-launch --exit-with-session /etc/X11/xinit/Xclients"
gdm (run level 5) starts that for you automatically and puts the appropriate variables in the environment.
I don't think I had to do anything special at install time to have gdm kick that off as I log in.
This instance does end with the end of my sessions.
Hope that helps.
Todd wrote:
m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
What I was doing: log onto my machine (system run level 5, I log out, NOT just lock the screen, every single night; therefore, there should be no processes running owned by me), and in a terminal window, do ssh-agent ssh-add .ssh/private key and enter my passphrase. Then I'd go through the day merrily on my way.
Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though I am logged all the way out. When I log out, unless I background something, everything running as me should go away. Everything.
<snip>
question: if you don't start ssh-agent in your terminal do you see something like the following with ps?
~$ ps aux |grep agent
uname 12345 0.0 0.1 8916 3608 ? Ss 09:12 0:00 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/dbus-launch --exit-with-session /etc/X11/xinit/Xclients"
Yep -
ps -fu <mylogin> | grep ssh
<mylogin> 13313 1 0 Apr02 ? 00:00:00 ssh-agent
<mylogin> 18049 18019 0 09:09 ? 00:00:00 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/dbus-launch --exit-with-session /etc/X11/xinit/Xclients"
<snip>
9:09 or so was when I used ssh-add. Note that ssh-agent has been running since the second, and I logged out Friday and yesterday.
mark
On 4/6/2010 10:46 AM, m.roth@5-cent.us wrote:
Todd wrote:
m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
What I was doing: log onto my machine (system run level 5, I log out, NOT just lock the screen, every single night; therefore, there should be no processes running owned by me), and in a terminal window, do ssh-agent ssh-add .ssh/private key and enter my passphrase. Then I'd go through the day merrily on my way.
Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though I am logged all the way out. When I log out, unless I background something, everything running as me should go away. Everything.
<snip>
> question:
> if you don't start ssh-agent in your terminal do you see something like
> the following with ps?
>
> ~$ ps aux |grep agent
> uname 12345 0.0 0.1 8916 3608 ? Ss 09:12 0:00
> /usr/bin/ssh-agent /bin/sh -c exec -l
> /bin/bash -c "/usr/bin/dbus-launch --exit-with-session
> /etc/X11/xinit/Xclients"
Yep -
ps -fu<mylogin> | grep ssh
<mylogin> 13313 1 0 Apr02 ? 00:00:00 ssh-agent
<mylogin> 18049 18019 0 09:09 ? 00:00:00 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/dbus-launch --exit-with-session /etc/X11/xinit/Xclients"
<snip>
9:09 or so was when I used ssh-add. Note that ssh-agent has been running since the second, and I logged out Friday and yesterday.
So you have 2 different instances running?
On 4/6/2010 10:46 AM, m.roth@5-cent.us wrote:
Todd wrote:
m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
What I was doing: log onto my machine (system run level 5, I log out, NOT just lock the screen, every single night; therefore, there should be no processes running owned by me), and in a terminal window, do ssh-agent ssh-add .ssh/private key and enter my passphrase. Then I'd go through the day merrily on my way.
Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though
<snip>
> question:
> if you don't start ssh-agent in your terminal do you see something like
> the following with ps?
<snip>
ps -fu<mylogin> | grep ssh
<mylogin> 13313 1 0 Apr02 ? 00:00:00 ssh-agent
<mylogin> 18049 18019 0 09:09 ? 00:00:00 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/dbus-launch --exit-with-session /etc/X11/xinit/Xclients"
<snip>
9:09 or so was when I used ssh-add. Note that ssh-agent has been running since the second, and I logged out Friday and yesterday.
So you have 2 different instances running?
Y'know, that's an interesting question, and one I didn't think of. Thing is, I did *not* run ssh-agent when I was logging on this morning, *all* I did was ssh-add. Checking my history, I'm sure of this course of events. I just grepped, as well, and nothing in my . files runs it, nor does anything in /etc/profile or /etc/profile.d.
mark
On 4/6/2010 10:46 AM, m.roth@5-cent.us wrote:
Todd wrote:
m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
What I was doing: log onto my machine (system run level 5, I log out, NOT just lock the screen, every single night; therefore, there should be no processes running owned by me), and in a terminal window, do ssh-agent ssh-add .ssh/private key and enter my passphrase. Then I'd go through the day merrily on my way.
Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though
<snip>
>> ps -fu<mylogin> | grep ssh
>> <mylogin> 13313 1 0 Apr02 ? 00:00:00 ssh-agent
>> <mylogin> 18049 18019 0 09:09 ? 00:00:00 /usr/bin/ssh-agent
>> /bin/sh -c exec -l /bin/bash -c "/usr/bin/dbus-launch
>> --exit-with-session
>> /etc/X11/xinit/Xclients"
>> <snip>
>> 9:09 or so was when I used ssh-add. Note that ssh-agent has been
>> running
>> since the second, and I logged out Friday and yesterday.
>
> So you have 2 different instances running?
Y'know, that's an interesting question, and one I didn't think of. Thing is, I did *not* run ssh-agent when I was logging on this morning, *all* I did was ssh-add. Checking my history, I'm sure of this course of events. I just grepped, as well, and nothing in my . files runs it, nor does anything in /etc/profile or /etc/profile.d.
Following myself up, see it *mentioned*, in comments, in /usr/bin/startkde, but that's for startx, not if you're running in level 5.
Oh, and the man page for ssh-agent reads, as the last line before "Files": "The agent exits automatically when the command given on the command line terminates." Which means, to me, that when the xterm that I started it in is closed, it should end, unless there's some interpretation other than plain English there.
mark
m.roth@5-cent.us wrote:
Oh, and the man page for ssh-agent reads, as the last line before "Files": "The agent exits automatically when the command given on the command line terminates." Which means, to me, that when the xterm that I started it in is closed, it should end, unless there's some interpretation other than plain English there.
That's assuming that you gave it a command when you started it. If you look earlier in the file, it specifies:
"If a commandline is given, this is executed as a subprocess of the agent. When the command dies, so does the agent."
If you don't specify a command when you start ssh-agent, it will just run until you kill it.
On 4/6/2010 11:56 AM, m.roth@5-cent.us wrote:
On 4/6/2010 10:46 AM, m.roth@5-cent.us wrote:
Todd wrote:
m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
What I was doing: log onto my machine (system run level 5, I log out, NOT just lock the screen, every single night; therefore, there should be no processes running owned by me), and in a terminal window, do ssh-agent ssh-add .ssh/private key and enter my passphrase. Then I'd go through the day merrily on my way.
Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though
<snip>
>> ps -fu<mylogin> | grep ssh
>> <mylogin> 13313 1 0 Apr02 ? 00:00:00 ssh-agent
>> <mylogin> 18049 18019 0 09:09 ? 00:00:00 /usr/bin/ssh-agent
>> /bin/sh -c exec -l /bin/bash -c "/usr/bin/dbus-launch
>> --exit-with-session
>> /etc/X11/xinit/Xclients"
>> <snip>
>> 9:09 or so was when I used ssh-add. Note that ssh-agent has been
>> running
>> since the second, and I logged out Friday and yesterday.
>
> So you have 2 different instances running?
Y'know, that's an interesting question, and one I didn't think of. Thing is, I did *not* run ssh-agent when I was logging on this morning, *all* I did was ssh-add. Checking my history, I'm sure of this course of events. I just grepped, as well, and nothing in my . files runs it, nor does anything in /etc/profile or /etc/profile.d.
Following myself up, see it *mentioned*, in comments, in /usr/bin/startkde, but that's for startx, not if you're running in level 5.
Oh, and the man page for ssh-agent reads, as the last line before "Files": "The agent exits automatically when the command given on the command line terminates." Which means, to me, that when the xterm that I started it in is closed, it should end, unless there's some interpretation other than plain English there.
You are reading plain English backwards. If you give ssh-agent a command to run on the command line it exits when the command finishes. You didn't give it a command so it became a daemon (which you can see in the ps because the parent pid is 1) and will run until something kills it. But, you don't have to start one at all because normal X startup will do it for you - and correctly. You only need to run ssh-add.
On 4/6/2010 11:56 AM, m.roth@5-cent.us wrote:
On 4/6/2010 10:46 AM, m.roth@5-cent.us wrote:
Todd wrote:
m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
> What I was doing: log onto my machine (system run level 5, I log
> out, NOT just lock the screen, every single night; therefore, there
> should be no processes running owned by me), and in a terminal
> window, do
<snip>
it. But, you don't have to start one at all because normal X startup will do it for you - and correctly. You only need to run ssh-add.
"Normal X startup" - do you mean login, in runlevel 5, or do you mean runlevel 3, and startx?
mark
m.roth@5-cent.us wrote, On 04/06/2010 01:22 PM:
On 4/6/2010 11:56 AM, m.roth@5-cent.us wrote:
On 4/6/2010 10:46 AM, m.roth@5-cent.us wrote:
Todd wrote:
> m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
>> What I was doing: log onto my machine (system run level 5, I log
>> out, NOT just lock the screen, every single night; therefore, there
>> should be no processes running owned by me), and in a terminal
>> window, do
<snip>
> it. But, you don't have to start one at all because normal X startup
> will do it for you - and correctly. You only need to run ssh-add.
"Normal X startup" - do you mean login, in runlevel 5, or do you mean runlevel 3, and startx?
mark
from my other email... 12) ... i.e. understand /etc/X11/xinit/xinitrc-common kicks it off for you. ... in runlevel 5, not sure if it does so in any other runlevel.
On 4/6/2010 12:22 PM, m.roth@5-cent.us wrote:
On 4/6/2010 11:56 AM, m.roth@5-cent.us wrote:
On 4/6/2010 10:46 AM, m.roth@5-cent.us wrote:
Todd wrote:
> m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
>> What I was doing: log onto my machine (system run level 5, I log
>> out, NOT just lock the screen, every single night; therefore, there
>> should be no processes running owned by me), and in a terminal
>> window, do
<snip>
> it. But, you don't have to start one at all because normal X startup
> will do it for you - and correctly. You only need to run ssh-add.
"Normal X startup" - do you mean login, in runlevel 5, or do you mean runlevel 3, and startx?
These are both infinitely configurable, but I think the defaults end up running /etc/X11/xinit/xinitrc or /etc/X11/xinit/Xsession any way you do it. So the answer is yes.
On 4/6/2010 12:22 PM, m.roth@5-cent.us wrote:
On 4/6/2010 11:56 AM, m.roth@5-cent.us wrote:
On 4/6/2010 10:46 AM, m.roth@5-cent.us wrote:
> Todd wrote:
>> m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
>>> What I was doing: log onto my machine (system run level 5, I log
>>> out, NOT just lock the screen, every single night; therefore,
>>> there should be no processes running owned by me), and in a
>>> terminal window, do
<snip>
> it. But, you don't have to start one at all because normal X startup
> will do it for you - and correctly. You only need to run ssh-add.
"Normal X startup" - do you mean login, in runlevel 5, or do you mean runlevel 3, and startx?
These are both infinitely configurable, but I think the defaults end up running /etc/X11/xinit/xinitrc or /etc/X11/xinit/Xsession any way you do it. So the answer is yes.
So, if I'm in runlevel 5, login should start it, correct?
Except that the more I think about it, the more I'm back to my original problem: if it automagically starts it, why does it not automagically STOP it when I log out, the way it does every other of my processes, except for something I explicitly backgrounded (I mean, I remember when I had to nohup things like that)?
mark
On 4/6/2010 1:13 PM, m.roth@5-cent.us wrote:
On 4/6/2010 12:22 PM, m.roth@5-cent.us wrote:
On 4/6/2010 11:56 AM, m.roth@5-cent.us wrote:
> On 4/6/2010 10:46 AM, m.roth@5-cent.us wrote:
>> Todd wrote:
>>> m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
>>>> What I was doing: log onto my machine (system run level 5, I log
>>>> out, NOT just lock the screen, every single night; therefore,
>>>> there should be no processes running owned by me), and in a
>>>> terminal window, do
<snip>
> it. But, you don't have to start one at all because normal X startup
> will do it for you - and correctly. You only need to run ssh-add.
"Normal X startup" - do you mean login, in runlevel 5, or do you mean runlevel 3, and startx?
These are both infinitely configurable, but I think the defaults end up running /etc/X11/xinit/xinitrc or /etc/X11/xinit/Xsession any way you do it. So the answer is yes.
So, if I'm in runlevel 5, login should start it, correct?
gdm, not login, but the same difference.
Except that the more I think about it, the more I'm back to my original problem: if it automagically starts it, why does it not automagically STOP it when I log out, the way it does every other of my processes, except for something I explicitly backgrounded (I mean, I remember when I had to nohup things like that)?
It does stop the one it starts. The one that is still running is the one you started some time ago (no arguments on the command line in ps).
On 4/6/2010 1:13 PM, m.roth@5-cent.us wrote:
On 4/6/2010 12:22 PM, m.roth@5-cent.us wrote:
On 4/6/2010 11:56 AM, m.roth@5-cent.us wrote:
>> On 4/6/2010 10:46 AM, m.roth@5-cent.us wrote:
>>> Todd wrote:
>>>> m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
>>>>> What I was doing: log onto my machine (system run level 5, I
>>>>> log
>>>>> out, NOT just lock the screen, every single night; therefore,
>>>>> there should be no processes running owned by me), and in a
>>>>> terminal window, do
<snip>
> it. But, you don't have to start one at all because normal X
> startup
> will do it for you - and correctly. You only need to run ssh-add.
"Normal X startup" - do you mean login, in runlevel 5, or do you mean runlevel 3, and startx?
These are both infinitely configurable, but I think the defaults end up running /etc/X11/xinit/xinitrc or /etc/X11/xinit/Xsession any way you do it. So the answer is yes.
So, if I'm in runlevel 5, login should start it, correct?
gdm, not login, but the same difference.
Or rather, its equivalent, since I run KDE.
Except that the more I think about it, the more I'm back to my original problem: if it automagically starts it, why does it not automagically STOP it when I log out, the way it does every other of my processes, except for something I explicitly backgrounded (I mean, I remember when I had to nohup things like that)?
It does stop the one it starts. The one that is still running is the one you started some time ago (no arguments on the command line in ps).
Sorry, you missed the subject of that sentence - I meant, why does it not stop the one I explicitly started? Are you saying that ssh-agent, with no commands, implicitly backgrounds itself?
And, for the bigger picture, why should it? If I'm logging off, there's no reason for it to keep running. Any sessions that required it are either established, or shut down.
mark
On 4/6/2010 2:04 PM, m.roth@5-cent.us wrote:
Sorry, you missed the subject of that sentence - I meant, why does it not stop the one I explicitly started? Are you saying that ssh-agent, with no commands, implicitly backgrounds itself?
Yes, someone pointed out that the manual says exactly that a few times already.
And, for the bigger picture, why should it? If I'm logging off, there's no reason for it to keep running. Any sessions that required it are either established, or shut down.
That's one of the things it can do. If you don't like it, use some other option. I assume it can feed cron jobs and the like when you aren't logged in if you want - but I've always just made keys with no passphrase when I know the commands will be automated.
On 4/6/2010 2:04 PM, m.roth@5-cent.us wrote:
<snip>
And, for the bigger picture, why should it? If I'm logging off, there's no reason for it to keep running. Any sessions that required it are either established, or shut down.
That's one of the things it can do. If you don't like it, use some other option. I assume it can feed cron jobs and the like when you aren't logged in if you want - but I've always just made keys with no passphrase when I know the commands will be automated.
No passphrase? Then why use it?
At any rate, that's not going to happen here (or anywhere I've worked): even if I was willing to do that (which I'm not), none of my managers would have allowed it.
I use my passphrase every morning for the private key I use. But then, I log out at *home* every night, and the only living other creatures in my apt are the fish.... Paranoia about black bag jobs? Not for any good reason, but....
mark "and don't have t-bird save my password, either"
On 4/6/2010 2:34 PM, m.roth@5-cent.us wrote:
On 4/6/2010 2:04 PM, m.roth@5-cent.us wrote:
<snip>
>> And, for the bigger picture, why should it? If I'm logging off, there's
>> no reason for it to keep running. Any sessions that required it are
>> either established, or shut down.
>
> That's one of the things it can do. If you don't like it, use some
> other option. I assume it can feed cron jobs and the like when you
> aren't logged in if you want - but I've always just made keys with no
> passphrase when I know the commands will be automated.
No passphrase? Then why use it?
Because it's as safe as the physical security of the machine and the login of the user owning it.
At any rate, that's not going to happen here (or anywhere I've worked): even if I was willing to do that (which I'm not), none of my managers would have allowed it.
So how do they automate things? I want the computers to work for me, not the other way around.
On 4/6/2010 2:34 PM, m.roth@5-cent.us wrote:
On 4/6/2010 2:04 PM, m.roth@5-cent.us wrote:
<snip>
>> And, for the bigger picture, why should it? If I'm logging off,
>> there's no reason for it to keep running. Any sessions that required
>> it are either established, or shut down.
>
> That's one of the things it can do. If you don't like it, use some
> other option. I assume it can feed cron jobs and the like when you
> aren't logged in if you want - but I've always just made keys with no
> passphrase when I know the commands will be automated.
No passphrase? Then why use it?
Because it's as safe as the physical security of the machine and the login of the user owning it.
Um, wrong. I could log in from home, then, once I've established the credentials, ssh from there to anywhere in the system that I can get to. Everything's set up to not allow root login (except from the console itself), but....
At any rate, that's not going to happen here (or anywhere I've worked): even if I was willing to do that (which I'm not), none of my managers would have allowed it.
So how do they automate things? I want the computers to work for me, not the other way around.
ssh -A
And as I said, unless I've explicitly backgrounded something, I expect *everything* that's running as me to shut down when I log out. Of course, I could set up a cron job, but anything that was associated with my login session should be turned down.
mark
If you log in on CentOS (or Ubuntu or anything Linux and modern) using a graphical console >>DO NOT START ssh-agent<<. The standard startup scripts run one for you, and when you log out it dies. I assume that's what you want.
The 'daemon' version is designed to run the following way in a .profile/.bash_profile:
eval `ssh-agent`
The output of ssh-agent is evaluated by the shell, which adds the right environment variables so ssh and ssh-add can find it. To kill it run "ssh-agent -k", which uses the environment variables to find the daemon and kill it.
Now if you just run 'ssh-agent' that does not happen, so that particular instance does not get used. Assuming you did the following:
1) just run plain "ssh-agent" (no eval)
2) run "ssh-add"
the agent that actually held your keys was started by some system script, and was terminated when you logged out, so there was no security issue. You just were creating unused agents to float around till reboot time.
I hope this cuts down some of the confusion.
Gé
m.roth@5-cent.us wrote, On 04/06/2010 11:46 AM:
Todd wrote:
m.roth@5-cent.us wrote, On 04/06/2010 10:51 AM:
What I was doing: log onto my machine (system run level 5, I log out, NOT just lock the screen, every single night; therefore, there should be no processes running owned by me), and in a terminal window, do ssh-agent ssh-add .ssh/private key and enter my passphrase. Then I'd go through the day merrily on my way.
Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though I am logged all the way out. When I log out, unless I background something, everything running as me should go away. Everything.
<snip>
> question:
> if you don't start ssh-agent in your terminal do you see something like
> the following with ps?
>
> ~$ ps aux |grep agent
> uname 12345 0.0 0.1 8916 3608 ? Ss 09:12 0:00
> /usr/bin/ssh-agent /bin/sh -c exec -l
> /bin/bash -c "/usr/bin/dbus-launch --exit-with-session
> /etc/X11/xinit/Xclients"
Yep -
ps -fu <mylogin> | grep ssh
<mylogin> 13313 1 0 Apr02 ? 00:00:00 ssh-agent
<mylogin> 18049 18019 0 09:09 ? 00:00:00 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/dbus-launch --exit-with-session /etc/X11/xinit/Xclients"
<snip>
9:09 or so was when I used ssh-add. Note that ssh-agent has been running since the second, and I logged out Friday and yesterday.
mark
Suggestion to make everything even clearer.
1) either `killall -9 ssh-agent` or reboot.
2) logout (if not rebooted, so that _gdm_ restarts X)
3) login
4) Do *_NOT_* start ssh-agent in a terminal.
5) in a terminal execute `ps aux |grep agent`
6) record report 1
7) logout
8) login
9) Do *_NOT_* start ssh-agent in a terminal.
10) in a terminal execute `ps aux |grep agent`
11) record report 2
12) we should see ssh-agent is running in both cases, if your CentOS box is setup the way I think it is. i.e. understand /etc/X11/xinit/xinitrc-common kicks it off for you.
13) we should see a delta in the agent PID from report 1 to report 2.
14) we should see only one agent in both reports.
On Tue, Apr 6, 2010 at 7:51 AM, m.roth@5-cent.us wrote:
Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though I am logged all the way out. When I log out, unless I background something, everything running as me should go away. Everything.
ssh-agent is designed to run in the manner of a daemon process, so that you can connect to it from multiple clients which may be associated with independent logins (or with no login at all).
A quick look at "man ssh-agent" would have told you several things:
(1) You can put a time limit on the life of identities added by ssh-add, by starting ssh-agent with the -t option. However, the default is forever.
(2) You can force ssh-agent to exit when you log out by arranging for "ssh-agent -k" to run. How this is accomplished depends on your login shell; "trap 'ssh-agent -k' EXIT" might be one way if there is no configuration file read at logout time.
(3) As Todd Denniston pointed out, running ssh-agent with a command to execute sets up the agent to exit when the command itself completes. As you're already starting ssh-agent by hand in a terminal window, that should be almost as easy as "exec ssh-agent $SHELL".
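The two mechanisms the thread turns on, as an added example that is not from any poster here: an agent started without a command forks and is reparented to PID 1 (the "parent pid is 1" check from an earlier reply), which is how it outlives logout, while the profile idiom Gé and Bart describe (eval the agent's output, limit key lifetime with -t, run "ssh-agent -k" at exit) keeps it bound to the session. The ps listing and agent output are constructed after the ones quoted above, and the function names orphan_agents, agent_var and start_session_agent are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Part 1 audits ps output for
# ssh-agent processes that daemonised and outlived a login session; part 2
# shows a session-bound startup that parses the agent's output instead of
# eval'ing it and kills the agent when the login shell exits.

# Constructed sample of `ps -eo pid,ppid,user,args` output, modelled on the
# listing in the thread. PIDs and the user name are made up.
SAMPLE_PS='  PID  PPID USER     COMMAND
13313     1 mark     ssh-agent
18049 18019 mark     /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/dbus-launch --exit-with-session /etc/X11/xinit/Xclients"
18120 18049 mark     /bin/sh -c exec -l /bin/bash -c "/usr/bin/dbus-launch --exit-with-session /etc/X11/xinit/Xclients"
20001     1 mark     ssh-agent -t 3600'

# orphan_agents PS_TEXT
# Prints the PID of every ssh-agent whose parent is init (PPID 1). An agent
# started with no command to supervise forks into the background and is
# reparented to init, so nothing ends it at logout. The gdm-started agent
# (PPID 18019 above) supervises the session command and dies with it.
# Assumption: classic init reparenting as on the CentOS box in the thread;
# under a subreaper the orphan's PPID may be something other than 1.
orphan_agents() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                                   # header line
        $2 == 1 && $4 ~ /(^|\/)ssh-agent$/ { print $1 }
    '
}

# Constructed sample of what `ssh-agent -s` prints for a Bourne-style shell.
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-AbCdEf1234/agent.13313; export SSH_AUTH_SOCK;
SSH_AGENT_PID=13314; export SSH_AGENT_PID;
echo Agent pid 13314;'

# agent_var NAME AGENT_OUTPUT
# Extracts one variable from the agent's output. This is the same data that
# `eval $(ssh-agent -s)` would place in the environment, taken without
# evaluating the text; "ssh-agent -k" later reads SSH_AGENT_PID to find and
# kill exactly this daemon.
agent_var() {
    printf '%s\n' "$2" | sed -n "s/^$1=\([^;]*\);.*/\1/p"
}

# start_session_agent LIFETIME_SECONDS
# Profile idiom assembled from the thread: start an agent whose loaded keys
# expire after LIFETIME (ssh-agent -t), export its variables, and kill it
# when the login shell exits (trap ... EXIT) so no key-holding agent
# survives logout. Meant to be sourced from ~/.bash_profile; it is not
# exercised by the audit above because it needs a real ssh-agent binary.
start_session_agent() {
    lifetime="${1:-28800}"                    # default: 8 hours
    command -v ssh-agent >/dev/null 2>&1 || return 1
    out="$(ssh-agent -s -t "$lifetime")" || return 1
    SSH_AUTH_SOCK="$(agent_var SSH_AUTH_SOCK "$out")"
    SSH_AGENT_PID="$(agent_var SSH_AGENT_PID "$out")"
    export SSH_AUTH_SOCK SSH_AGENT_PID
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
}

if [ "${1:-}" = "--audit" ]; then
    # On a live system, feed real output: orphan_agents "$(ps -eo pid,ppid,user,args)"
    for pid in $(orphan_agents "$SAMPLE_PS"); do
        echo "orphaned ssh-agent: pid $pid (clean up with: kill $pid)"
    done
fi
```

Run with `--audit` to list the two orphaned agents in the sample (13313, the bare agent from days ago, and 20001, an agent that has a key lifetime but still no supervised command).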
On Tue, 2010-04-06 at 08:15 -0700, Bart Schaefer wrote:
On Tue, Apr 6, 2010 at 7:51 AM, m.roth@5-cent.us wrote:
Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though I am logged all the way out. When I log out, unless I background something, everything running as me should go away. Everything.
ssh-agent is designed to run in the manner of a daemon process, so that you can connect to it from multiple clients which may be associated with independent logins (or with no login at all).
How is that when it is not a true Service or Daemon? It does not clean up after itself.
I.e., unclean logouts.
A quick look at "man ssh-agent" would have told you several things:
(1) You can put a time limit on the life of identities added by ssh-add, by starting ssh-agent with the -t option. However, the default is forever.
(2) You can force ssh-agent to exit when you log out by arranging for "ssh-agent -k" to run. How this is accomplished depends on your login shell; "trap 'ssh-agent -k' EXIT" might be one way if there is no configuration file read at logout time.
And man pages seem to specify the -k option to kill it, the half breed service.
(3) As Todd Denniston pointed out, running ssh-agent with a command to execute sets up the agent to exit when the command itself completes. As you're already starting ssh-agent by hand in a terminal window, that should be almost as easy as "exec ssh-agent $SHELL".
On Tue, 2010-04-06 at 10:51 -0400, m.roth@5-cent.us wrote:
Ron wrote:
On Tue, 2010-04-06 at 09:57 -0400, m.roth@5-cent.us wrote:
Yesterday or Friday, don't remember, I happened to be looking at my processes on my machine, and discovered I had a number of ssh-agents running (all mine), from different days. I killed all but the current day's.
Now, I log out every single night.
I checked the next day, and sure enough, the one I started the previous day was still running, and I could not only use ssh-add, and it worked. I didn't think of it this morning until just now, but tomorrow I'll log back in, and see if I even need to use ssh-add.
If this is the case, I am not happy. This is, to me, a security hole, and *not* what I expected, nor what the man page seems to lead me to believe.
Bug?
I think that you may want some additional documentation on the use of ssh and ssh-agent. Try this link ( read all three parts of the article ) and re-evaluate your conclusions.
http://www-106.ibm.com/developerworks/library/l-keyc.html
I have been using the keychain utility referenced in this series for several years now, and I'm pretty happy with it. As always, YMMV.
Let's try again, since, having skimmed your link, it seems to me that you don't understand my problem.
What I was doing: log onto my machine (system run level 5, I log out, NOT just lock the screen, every single night; therefore, there should be no processes running owned by me), and in a terminal window, do ssh-agent ssh-add .ssh/private key and enter my passphrase. Then I'd go through the day merrily on my way.
Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though I am logged all the way out. When I log out, unless I background something, everything running as me should go away. Everything.
What I will try tomorrow, or maybe, if I get real enthused, later today, is to see if, after logging all the way out, then logging back in, whether ssh-agent has retained the ssh key that I added in the last session. If so, I *will* call this an important security hole, since in the unlikely event that someone manages to crack into my account (I lock the screen, per division rules, when I walk out of the office, so they can't just sit down at my desk), they could get to every other machine without so much as a by-your-leave, with no passwords.
Now is this clearer?
Yeah, I get it.
What you're missing, and as others have pointed out, AND as discussed in the link I sent you, is that ssh-agent is DESIGNED to be persistent by default. You are correct in your assertion that if someone gained access to your machine while ssh-agent is active, they would have the same access to remote systems as you do when you're sitting at the console. That's life on the Internet today.
Now, how well this meets your particular requirements is for you to decide. You are not REQUIRED to use ssh-agent, and there is considerable flexibility in how it can be configured and used. The ins and outs of those config options have to be evaluated in the context of your particular security environment.
My conclusion regarding ssh-agent and the behavior that you find disturbing gets the old programmer's lament: "It's NOT a bug, it's a feature!" and for a change, this statement is correct.
I encourage you to take the time to (re)read the link I sent you, slowly and carefully. That's what I had to do when I first found it, and when returning to it later on for enhancement of my ssh usage. I believe that it is DEFINITELY worth the effort.
mark