From: Jim Kleckner
Subject: Re: ssh-agent and /tmp/ssh-* removal at logout
Date: Wed, 23 Feb 2005 15:04:46 -0800
Karl M wrote:
From: Jim Kleckner
Subject: ssh-agent and /tmp/ssh-* removal at logout
Date: Wed, 23 Feb 2005 06:18:50 -0800
ssh-agent leaves stale directories named /tmp/ssh-xxxx
that contain the named pipe for authentication.
These leftover directories come about when you log out
or shut down the computer without stopping ssh-agent
either by running keychain to shut it down or sending it
a SIGHUP to exit and clean up.
Could ssh-agent catch the shutdown message and thus
do the proper cleanup? What would that entail?
Jim
I noticed that in Karl's script to start keychain:
http://sourceware.org/ml/cygwin/2004-03/msg00167.html
that he removes any /tmp/ssh-* pre-existing and presumed
stale directories left over by dead ssh-agent processes
and this assumes that there is only one ssh-agent per machine.
Not as good as actually getting rid of the source of the
zombie directories.
Actually, it does not assume that there is only one ssh-agent process per
machine. I routinely use it with ssh-agent processes for multiple users.
The files for other users are protected so that they cannot be deleted.
Thus, only the current user's tmp files are deleted.
I'm in the process of doing some clean-up work and trying out keychain
2.5.1. I am also adding ${HOSTNAME}.cmd file creation for use with Windows
shell scripts. If there is interest, perhaps I should offer to maintain
keychain, with additional support for launching it from a service.
Launching keychain from a service allows the ssh-agent process to survive
logout, so you only type a passphrase once per reboot instead of once per
login.
Thanks,
...Karl
Ah, I see. I had assumed that persons logged in with Administrator
privileges would blow them all away.
Having the service seems like a nice arrow in the quiver.
I don't think I would want my personal keyring to persist
across my sessions, though. Kind of like leaving the key
in the car ignition while parked. I can see that it could be
useful for daemon processes though.
Jim
I use it that way all the time, but I also have a password on my
screensaver. So I have a good tradeoff between security and convenience.
Thanks,
...Karl
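
The cleanup discussed in this thread, as an added example that is not part of any message here and is not Karl's keychain script: it removes only ssh-* directories owned by the calling user and spares any that still hold a reachable agent socket. The function names and the agent.* socket naming (OpenSSH's default inside /tmp/ssh-XXXX) are assumptions.

```shell
#!/bin/sh
# Added example: per-user cleanup of stale ssh-agent socket directories.
# Assumes sockets are named agent.<pid> inside <root>/ssh-XXXX.

# agent_alive SOCK: succeed if an agent answers on SOCK.
# ssh-add exits with status 2 only when it cannot contact the agent.
agent_alive() {
    [ -S "$1" ] || return 1                          # not a socket: nothing can answer
    command -v ssh-add >/dev/null 2>&1 || return 0   # cannot probe: assume live, keep it
    SSH_AUTH_SOCK=$1 ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# dir_in_use DIR: succeed if DIR holds this session's socket or a live one.
dir_in_use() {
    for sock in "$1"/agent.*; do
        [ -e "$sock" ] || continue                   # glob matched nothing
        [ "$sock" = "${SSH_AUTH_SOCK:-}" ] && return 0
        agent_alive "$sock" && return 0
    done
    return 1
}

# clean_stale_agent_dirs [ROOT]: delete stale ssh-* directories directly
# under ROOT (default /tmp) that belong to the caller; print each removed path.
# -type d does not follow symlinks, and -user limits the match to the caller's
# own directories, so another user's agent is never touched, even when the
# script runs with elevated privileges.
clean_stale_agent_dirs() {
    root=${1:-/tmp}
    find "$root" -mindepth 1 -maxdepth 1 -type d -name 'ssh-*' -user "$(id -u)" |
    while IFS= read -r dir; do
        dir_in_use "$dir" && continue
        rm -rf -- "$dir" && printf '%s\n' "$dir"
    done
}
```

Run clean_stale_agent_dirs at login, before starting a new agent, so that the directory it creates is not swept up.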