blog.rk0.eu

SSH-Agent

Motivation

Setting up an SSH key without a passphrase can be pretty dangerous. It only takes a lost USB stick or a bad idea and all your SSH logins, your Git account and many other things are compromised. So using a passphrase for the SSH key should be pretty much standard.

But it is annoying to type the passphrase every time the key gets used. In this short blog post I want to write down what you can do to make it a little bit more convenient for a reasonable price.

Using the SSH-Agent

The SSH agent holds your unlocked (decrypted) private keys in memory and answers signing requests from ssh clients over a Unix socket, so you unlock the key once per agent lifetime instead of once per connection. You usually start it by running eval $(ssh-agent -s), i.e. running the output of ssh-agent -s in the shell. Under the hood this starts an agent process and sets the SSH_AUTH_SOCK (and SSH_AGENT_PID) variables. This only affects the current shell session and creates the socket under /tmp, and the freshly started agent is “empty”.

If you add eval $(ssh-agent -s) to your bash or zsh config, a new agent process with a new socket gets started in every new shell (or whenever you re-source your shell config), so neither the agents nor the unlocked keys are shared between shells.

But for now the ssh-agent is empty; you need to add your key to it.

Adding a key to the Agent

Adding the key to the agent is pretty easy: run ssh-add and unlock your key. Congrats! You can now run any ssh command inside this shell (and in any process that inherits SSH_AUTH_SOCK from it) without typing the passphrase again.

If you want ssh-add to run automatically the first time the key gets used in the session, set AddKeysToAgent in your ~/.ssh/config:

echo "AddKeysToAgent yes" >> ~/.ssh/config

Note that ssh_config is first-match and an option placed after a Host or Match block only applies to that block, so if your config already contains Host sections put the line at the top instead of appending it. Besides yes, AddKeysToAgent also accepts ask (confirm via SSH_ASKPASS before the key is added) and confirm (confirm every single use of the key, like ssh-add -c).
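As an added example (my own, not code from the original post): a small POSIX shell function that puts a global option at the top of ~/.ssh/config rather than appending it with echo >>, and does nothing if the keyword is already present in the global section. It assumes the config lives at ~/.ssh/config unless another path is passed; the demo at the bottom runs against a constructed temporary file, not your real config.

```shell
#!/bin/sh
# Added example, not from the original post.
# ssh_config is first-match: an option that follows a "Host" or "Match" line
# belongs to that block only. A global option therefore has to precede every
# Host/Match stanza, which "echo ... >> ~/.ssh/config" does not guarantee.
#
# Usage: add_global_ssh_option "AddKeysToAgent yes" [config-path]
add_global_ssh_option() {
    option="$1"
    config="${2:-$HOME/.ssh/config}"
    keyword="${option%% *}"          # "AddKeysToAgent yes" -> "AddKeysToAgent"
    dir=$(dirname "$config")

    # Create ~/.ssh (or the given directory) with the permissions sshd and
    # ssh expect; only touch the mode when we created the directory ourselves.
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" && chmod 700 "$dir"
    fi
    [ -f "$config" ] || : > "$config"

    # Idempotence: is the keyword already set before the first Host/Match?
    # awk exits 0 when found, 1 otherwise (END runs after an early exit).
    if awk -v kw="$keyword" '
        tolower($1) == "host" || tolower($1) == "match" { exit }
        tolower($1) == tolower(kw)                      { found = 1; exit }
        END { exit !found }
    ' "$config"; then
        return 0
    fi

    # Prepend via a temp file so the config is never left half-written.
    tmp="$config.tmp.$$"
    { printf '%s\n' "$option"; cat "$config"; } > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$config"
}

# Demo on a constructed config file (not your real ~/.ssh/config):
demo=$(mktemp)
printf 'Host git\n    HostName github.com\n' > "$demo"
add_global_ssh_option "AddKeysToAgent yes" "$demo"
add_global_ssh_option "AddKeysToAgent yes" "$demo"   # second call is a no-op
cat "$demo"
rm -f "$demo"
```

Run it once against your real config by calling add_global_ssh_option without the second argument; the check before the first Host/Match line is what keeps a second run from duplicating the option.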

Using a global ssh-agent socket

I usually use tmux inside my terminal emulator and spawn a lot of temporary shell sessions. Sometimes I have up to 10 panes across all windows and sessions, each of which would get its own agent, so the temporary agent socket approach brings little improvement for me.

But there is a more “permanent” solution (tied to the system login session): a single agent whose socket lives inside $XDG_RUNTIME_DIR. A pretty common approach to achieve this is a systemd user unit like this at ~/.config/systemd/user/ssh-agent.service:

[Unit]
Description=SSH agent

[Service]
Type=simple
# %t expands to the user's runtime directory ($XDG_RUNTIME_DIR, e.g. /run/user/1000)
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
# -D: stay in the foreground so systemd can supervise the agent; -a: bind the socket to this path
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target

Once created, run the following commands:

systemctl --user daemon-reload
systemctl --user enable ssh-agent

At your next login (or reboot) the unit starts automatically and creates an agent socket at $XDG_RUNTIME_DIR/ssh-agent.socket. If you do not want to wait, systemctl --user start ssh-agent starts it right away.

Now you only need to point your SSH_AUTH_SOCK variable at $XDG_RUNTIME_DIR/ssh-agent.socket (you may want to expand $XDG_RUNTIME_DIR in your config, for example to /run/user/1000, to make it more robust where the variable is not set). You can set this inside your shell config as before. If you want it to apply globally, put it in ~/.profile (prefixed with export) or in ~/.config/environment.d/ssh-config.conf like this:

SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"

And reboot (or log out and back in). Keep in mind that environment.d only affects the systemd user manager and what it starts, which on most desktops includes the graphical session, but not a login shell on a tty or over ssh; ~/.profile covers those.

Check that the variable is loaded correctly with echo $SSH_AUTH_SOCK, and that the agent actually answers on that socket with ssh-add -l (it reports “The agent has no identities.” as long as nothing is loaded).

You can now add your key to the agent and it stays loaded until the agent is stopped (normally when you log out or reboot), until you remove it with ssh-add -D, or until a lifetime set with ssh-add -t expires. Or configure your ~/.ssh/config as above to add it automatically on first use. Keep in mind that any process running as your user can now use the loaded keys through the socket (which is exactly what makes this convenient), so a lifetime (ssh-add -t 8h) or per-use confirmation (ssh-add -c) is a cheap way to limit that exposure.
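As an added example (my own, not code from the original post): a health check for the persistent agent set up above. It verifies that SSH_AUTH_SOCK points at the systemd-managed socket, that a socket exists there, and, if ssh-add is installed, whether the agent answers and holds keys. It also flags the most common mistake after switching to the global socket: a shell rc file that still runs eval $(ssh-agent -s) and so overrides SSH_AUTH_SOCK with a per-shell socket under /tmp. The socket path mirrors the unit file (%t/ssh-agent.socket); the key path in the hint is only an example.

```shell
#!/bin/sh
# Added example, not from the original post: diagnose the agent environment
# of the current shell after setting up the systemd user unit.

# Classify an agent socket path. Prints one word:
#   persistent - the socket of the systemd user unit from this post
#   per-shell  - a socket created by 'eval $(ssh-agent -s)' (lives under /tmp),
#                which usually means a shell rc file still starts its own agent
#   other      - anything else (gpg-agent, a forwarded agent, ...)
# The runtime dir can be passed as a second argument for testing.
classify_agent_socket() {
    sock="$1"
    runtime_dir="${2:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}}"
    case "$sock" in
        "$runtime_dir/ssh-agent.socket") echo persistent ;;
        /tmp/ssh-*/agent.*)              echo per-shell ;;
        *)                               echo other ;;
    esac
}

# Check that a socket exists at the given path. Returns:
#   0 - socket present, 1 - path empty (variable not loaded), 2 - no socket there
check_agent_socket() {
    sock="$1"
    if [ -z "$sock" ]; then
        echo "SSH_AUTH_SOCK is empty: the environment.d/.profile setting was not loaded in this session" >&2
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "no socket at $sock: is the unit running? (systemctl --user status ssh-agent)" >&2
        return 2
    fi
    return 0
}

# Full diagnosis of the current shell. Read-only; never adds or removes keys.
agent_health() {
    sock="${SSH_AUTH_SOCK:-}"
    check_agent_socket "$sock" || return $?

    kind=$(classify_agent_socket "$sock")
    echo "SSH_AUTH_SOCK=$sock ($kind)"
    if [ "$kind" = per-shell ]; then
        echo "warning: a per-shell agent overrides the persistent one; remove 'eval \$(ssh-agent -s)' from your shell rc" >&2
    fi

    # ssh-add -l exit status (see ssh-add(1)): 0 keys listed, 1 agent reachable
    # but empty, 2 could not contact the agent through SSH_AUTH_SOCK.
    if command -v ssh-add >/dev/null 2>&1; then
        status=0
        ssh-add -l >/dev/null 2>&1 || status=$?
        case "$status" in
            0) echo "agent holds keys:"; ssh-add -l ;;
            1) echo "agent reachable but empty: run 'ssh-add -t 8h ~/.ssh/id_ed25519' (example key path) or rely on AddKeysToAgent" ;;
            2) echo "socket exists but the agent does not answer; try: systemctl --user restart ssh-agent" >&2; return 3 ;;
            *) echo "unexpected ssh-add exit status $status" >&2; return 3 ;;
        esac
    else
        echo "ssh-add not found; skipping the agent round-trip"
    fi
    return 0
}

agent_health || echo "agent check failed with status $?" >&2
```

Run it in a fresh terminal after the reboot: a “per-shell” classification means the eval $(ssh-agent -s) from the first section is still in your shell config and wins over the environment.d/.profile setting, and exit status 1 from ssh-add -l is the expected state right after login, before the first key has been added.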