On May 28, 2006, at 11:21 AM, Kevin O'Gorman wrote:
> On 5/27/06, John Jolet <[EMAIL PROTECTED]> wrote:
> > That does not work for ssh/scp sessions. I usually test $PS1 to tell
> > if it's really a shell -- the variable does not even exist for an
> > scp session,
> > although .bashrc gets called.
> can you give us an example of what your .bashrc looks like?
>
> Well, the whole thing is kinda long, but the part I was fooling with
> lately now looks like this, and partly automates the use of ssh-agent
> for my (very frequent) use of ssh from home to some machines at work.
> The problem was probably either the "echo" commands or that this
> actually proceeds within a subshell.
>
>
> if [ "x" != "x$PS1" ] ; then
>     SHELL_LOGIN=1
> else
>     # Probably scp; empty string is false
>     SHELL_LOGIN=
> fi
>
> if [ -n "$SHELL_LOGIN" ]
> then
>     if [ -z "$SSH_AGENT_PID" ]
>     then
>         # not yet running in ssh-agent: start one with a nested shell,
>         # and exit with that shell's status once it finishes
>         ssh-agent /bin/bash
>         r=$?
>         echo Done with ssh-agent
>         sleep 1
>         exit $r
>     else
>         # this is an ssh-agent subshell
>         echo You may want to run ssh-add.
>     fi
> fi
>
> --
> Kevin O'Gorman, PhD
Well, you could comment out the "echo" commands and try it.
Personally, I try to stay away from things happening automatically
for me. Just my preference. I would rename .bashrc to something
else, like old.bashrc, and do the scp and see if that works.
Depending on what your needs are, you could also add a second user
with the same uid but a different home directory and use that other
user for scp... shrug. Not a big fan of ssh-agent (or anything
that caches credentials).
Sorry, I didn't make myself clear. PROBLEM SOLVED, and the .bashrc
I quoted works fine. What I had to do was create the SHELL_LOGIN
variable, and use it to protect the code that interfered with scp.
I normally don't use that kind of automation either, but for security reasons
I use a passphrase on my ssh identity, and it's long. Typing it a lot
got real old, so I started using ssh-agent, but I use it in a lot of windows,
so I'm just trying to balance convenience and security. Some days
I do 20 or more scp operations.
That's the usual balancing act -- if it's too inconvenient, I'll ditch the
security and hope for the best. So this is what I came up with.
What I'd really like is a way to get this set up when I log into KDE,
so that all the windows I open under that login have an agent. I'm not
worried about physical security on this system, but the possibility of
a hacker break-in giving automatic access to other hosts. Thus the
long passphrase on my private keyrings.
I was also reluctant to use ssh-agent, but on reflection I don't see a
real vulnerability. I use it on my home system, which is not exposed
to others in the usual course of things. If somebody steals the computer,
the loss of power un-caches the credentials, so I'm only vulnerable to
someone physically sneaking in to *use* my computer and finding
me logged in. Very unlikely, because when I leave the house I'm either
logged off or my session is locked. I'm simply not a big enough fish
for it to be reasonable anyone would do this.
Of course, security issues are always a balancing act and you may
figure the balance however you like.
++ kevin
--
Kevin O'Gorman, PhD
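The following is an added example, not Kevin's .bashrc or anything from the list, showing the two pieces of this thread in one fragment: keeping the agent logic out of scp/sftp sessions, and getting one agent shared by every terminal of a login session (the KDE wish above) instead of nesting a shell under ssh-agent. The cache path $HOME/.ssh/agent.env and the 4h key lifetime are assumptions chosen for the example.

```sh
#!/bin/sh
# Added example (not from the thread): .bashrc fragment for ssh-agent handling.
# Assumptions: the agent's environment is cached in $AGENT_ENV (a constructed
# path), and keys are loaded with a lifetime so a forgotten session expires.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"   # assumed cache location
KEY_LIFETIME="${KEY_LIFETIME:-4h}"                # assumed ssh-add -t value

# Return 0 only for an interactive shell. The shell's own option flags ($-)
# are a more reliable test than $PS1: PS1 can be exported into a
# non-interactive child (scp, sftp, rsync, remote commands), and then a PS1
# test would run the agent code where no terminal exists.
shell_is_interactive() {
    case "$1" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Map the exit status of `ssh-add -l` to the action the login should take:
#   0 -> agent reachable and holds keys
#   1 -> agent reachable, no keys loaded
#   2 -> no agent reachable (socket missing or stale after reboot)
agent_action() {
    case "$1" in
        0) echo "keys-loaded" ;;
        1) echo "add-key" ;;
        *) echo "start-agent" ;;
    esac
}

# Load a previously cached agent environment, if any, then probe the agent.
probe_agent() {
    if [ -r "$AGENT_ENV" ]; then
        # shellcheck disable=SC1090
        . "$AGENT_ENV" >/dev/null
    fi
    ssh-add -l >/dev/null 2>&1
    agent_action $?
}

# Start or reuse the agent; only the first terminal of a session pays the
# passphrase prompt, and every later terminal inherits the same agent.
setup_agent() {
    case "$(probe_agent)" in
        start-agent)
            # write the env file readable by the owner only (subshell keeps
            # the umask change local), then source it and load the key
            (umask 077; ssh-agent -s > "$AGENT_ENV")
            . "$AGENT_ENV" >/dev/null
            ssh-add -t "$KEY_LIFETIME"
            ;;
        add-key)
            ssh-add -t "$KEY_LIFETIME"
            ;;
        keys-loaded)
            ;;
    esac
}

# Non-interactive sessions (scp, sftp) never reach the agent code.
if shell_is_interactive "$-"; then
    setup_agent
fi
```

Sourcing the cached environment file rather than running `ssh-agent /bin/bash` avoids the nested shell and the `exit $r` dance, and the `-t` lifetime limits how long a cached key stays usable if a logged-in session is left unattended, which is the exposure Kevin weighs against the long passphrase.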