[CentOS] ssh-agent

Tue Apr 6 14:51:10 UTC 2010
m.roth at 5-cent.us <m.roth at 5-cent.us>

Ron wrote:
> On Tue, 2010-04-06 at 09:57 -0400, m.roth at 5-cent.us wrote:
>> Yesterday or Friday, don't remember, I happened to be looking at my
>> processes on my machine, and discovered I had a number of ssh-agents
>> running (all mine), from different days. I killed all but the current
>> day's.
>>
>> Now, I log out every single night.
>>
>> I checked the next day, and sure enough, the one I started the previous
>> day was still running, and I could not only use ssh-add, and it worked.
>> I didn't think of it this morning until just now, but tomorrow I'll log
>> back in, and see if I even need to use ssh-add.
>>
>> If this is the case, I am not happy. This is, to me, a security hole,
>> and *not* what I expected, nor what the man page seems to lead me to
>> believe.
>>
>> Bug?
>
> I think that you may want some additional documentation on the use of
> ssh and ssh-agent.  Try this link ( read all three parts of the
> article ) and re-evaluate your conclusions.
>
> http://www-106.ibm.com/developerworks/library/l-keyc.html
>
> I have been using the keychain utility referenced in this series for
> several years now, and I'm pretty happy with it.  As always, YMMV.

Let's try again, since, having skimmed your link, it seems to me that you
don't understand my problem.

What I was doing: log onto my machine (system run level 5, I log out, NOT
just lock the screen, every single night; therefore, there should be no
processes running owned by me), and in a terminal window, do
   ssh-agent
   ssh-add .ssh/private key
and enter my passphrase. Then I'd go through the day merrily on my way.

Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though I
am logged all the way out. When I log out, unless I background something,
everything running as me should go away. Everything.

What I will try tomorrow, or maybe, if I get real enthused, later today,
is to see if, after logging all the way out, then logging back in, whether
ssh-agent has retained the ssh key that I added in the last session. If
so, I *will* call this an important security hole, since in the unlikely
event that someone manages to crack into my account (I lock the screen,
per division rules, when I walk out of the office, so they can't just sit
down at my desk), they could get to every other machine without so much as
a by-your-leave, with no passwords.

Now is this clearer?

          mark