Gordon Messmer wrote:
> On 12/21/2010 10:49 AM, m.roth at 5-cent.us wrote:
>> Gordon Messmer wrote:
>>> On 12/17/2010 12:32 PM, m.roth at 5-cent.us wrote:
>>>>
>>>> Not with PIV-II cards....
>>>
>>> Why? Do they use a non-standard SSH agent?
>>
>> pkcs11. opensc. NOT COOLKEY.
>
> I'm not really sure what that has to do with anything. You said that
> you're having trouble getting ssh-agent to close on logout. I replied
> that you're probably trying too hard. Fedora's desktops automatically
> have an ssh-agent available when you log in via gdm. In the past, it
> was OpenSSH's ssh-agent. In more recent versions, gnome has its own
> authentication agent, which is used.

Right, which AFAIK, doesn't work with the new US federal PIV-II cards.
Certainly, I can't add the card when it's inserted in the reader with
just that.

> So I'll repeat myself: if you are seeing ssh-agent continue after you
> log out, you're probably trying too hard. Setting the agent up and
> tearing it down on logout are done for you right out of the box, and
> have been for years. Log in to a new user account on a fresh install
> sometime. Open a terminal and type "set | grep SSH_AUTH_SOCK". See
> that environment variable? The agent is running.

I'll check his box again, when I get a chance. But as I said, it wasn't
willing to accept the card with ssh-add -s pkcs11, or ssh-add -s
opensc-pkcs11.so

mark