[systemd-devel] systemd + ssh-agent

Dan Tihelka dtihelka at gmail.com
Mon Feb 18 12:49:20 PST 2013


Hello,

from time to time I must connect through ssh to my work desktop and do some 
synchronization, which requires ssh key-based authentication (so ssh from home 
to the work desktop, followed by ssh from the desktop to another server, e.g. svn).

What I was faced with is the inability to use ssh-agent when logged in through ssh, 
since SSH_AUTH_SOCK is not defined, and thus I must re-type the password 
several times, which is really annoying ...

The problem is that ssh-agent must be started in the user session at a place where 
the SSH_AUTH_SOCK env variable is exported to all child processes (in Arch's case it 
is the /etc/kde/env/ssh-agent-startup.sh script, called somewhere during KDE 
startup). And of course, the ssh daemon is not started as part of this 
startup, so the env variable is not defined ...

So I have made the following hack:

1) define
   SSH_AUTH_SOCK  DEFAULT=\${HOME}/.ssh/ssh-agent
   in the /etc/security/pam_env.conf file

2) modify /etc/kde/startup/agent-startup.sh/ to start ssh-agent like:
   if [ -x /usr/bin/ssh-agent ]; then
       /usr/bin/ssh-agent -s -a $(eval echo $SSH_AUTH_SOCK)
   fi

3) modify ~/.bashrc to resolve the variable:
   export SSH_AUTH_SOCK=$(eval echo $SSH_AUTH_SOCK)


In this way, ssh-agent is started during KDE startup, listening on the 
required socket, and the socket is defined for ssh sessions as well, thanks to 
the pam_env module.

I think that now it should be rather easy to create a user-specific systemd 
service joined with socket-based activation to start ssh-agent 
automatically on demand, no matter whether invoked from an ssh session or from the desktop 
itself (however, I have not tried it yet ...).

BUT. 

Although this solution is working, it is not very easy to configure. Also, 
there is a "danger" that if the ssh-agent startup fails, the SSH_AUTH_SOCK env 
variable will be defined anyway - this is also not very nice ...

And of course, the same (similar) is valid for gpg-agent ...


So I would like to ask whether this situation has been thought about and whether there 
is an easier and more straightforward solution to achieve it. I think that the 
main problem is in passing env variables (or any other kind of setting ??) 
between various services of the same user that do not have the same parent 
(except init itself). It would be great to hear that you have an idea for 
making this work in an easy-to-configure and reliable way, while allowing the use of 
all the cool systemd abilities :-).


Thank you very much,
Dan T.
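The "danger" mentioned in the post above is that pam_env defines SSH_AUTH_SOCK unconditionally, so a shell sees the variable even when ssh-agent never started or has died. The following is an added example, not code from the original post or from the systemd project: a POSIX sh fragment for ~/.bashrc (or ~/.profile) that resolves the pam_env-style value without `eval`, checks that the path is really a listening socket and that an agent answers on it, and otherwise unsets the variable so later ssh invocations fall back to asking for the key passphrase instead of silently pointing at a dead socket. The socket path `${HOME}/.ssh/ssh-agent` is taken from the post; the use of `ssh-add -l` as a liveness probe and the fallback when `ssh-add` is not installed are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): validate SSH_AUTH_SOCK
# before exporting it, instead of "export SSH_AUTH_SOCK=$(eval echo ...)".

# Resolve a pam_env-style value such as '${HOME}/.ssh/ssh-agent' to a real path
# without eval, so the literal string from pam_env.conf cannot inject commands.
resolve_auth_sock() {
    case "$1" in
        '${HOME}'/*) printf '%s\n' "${HOME}${1#\$\{HOME\}}" ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# Return 0 if $1 is a unix socket with a responsive ssh-agent behind it, 1 otherwise.
# ssh-add -l exits 2 when it cannot reach the agent; 0 (keys) or 1 (no identities)
# both mean the agent answered. If ssh-add is unavailable we trust the socket test
# alone (assumption made for this example).
agent_alive() {
    sock="$1"
    [ -S "$sock" ] || return 1
    if command -v ssh-add >/dev/null 2>&1; then
        rc=0
        SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
        [ "$rc" -ne 2 ]
    fi
}

# Export SSH_AUTH_SOCK only when it points at a live agent; unset it otherwise.
# Returns 0 when an agent is usable, 1 when the variable was dropped.
setup_ssh_auth_sock() {
    resolved=$(resolve_auth_sock "${SSH_AUTH_SOCK:-}")
    if [ -n "$resolved" ] && agent_alive "$resolved"; then
        SSH_AUTH_SOCK="$resolved"
        export SSH_AUTH_SOCK
        return 0
    fi
    unset SSH_AUTH_SOCK
    return 1
}

# Typical use at the end of ~/.bashrc:
#   setup_ssh_auth_sock || echo "no usable ssh-agent; keys will be asked for" >&2
```

The agent-startup script from the post can call `resolve_auth_sock` as well, so the KDE session and the ssh session agree on the same expansion of the pam_env value; if the socket file already exists but `agent_alive` fails, the startup script should remove the stale file before starting a new agent on that path.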