Ssh – Detecting the remaining lifetime of an ssh-agent identity

opensshssh-agent

The ssh-add command lets you specify the lifetime of an identity being added to ssh-agent. For example, if I type

ssh-add -t 1h

the identify will expire after 1 hour. I can then list the identities currently represented by the agent using ssh-add -l.

Is there a way (other than recording information when I run the ssh-add command) to determine the remaining lifetime of an identity? If not, is there some security-related reason why there shouldn't be a way to get this information?

Best Answer

No, there is no interface in ssh-agent communication protocol to provide this information. It is used only when adding the key (constraint array), but this is not returned when you list the keys, as the PROTOCOL.agent page describes (there is only key blob and comment for each key).

Requiring this would probably require to change the protocol, which is a run for a long distance.

Related Solutions

Ssh – Configuring the default timeout for the SSH agent

AFAIK, there is no configuration in sshd_config or ssh_config to specify the time out for ssh-agent. From openssh source code, file ssh-agent.c:

/* removes expired keys and returns number of seconds until the next expiry */  
static time_t                                                                   
reaper(void)                                                                    
{                                                                               
    time_t deadline = 0, now = monotime();                                      
    Identity *id, *nxt;                                                         
    int version;                                                                
    Idtab *tab;                                                                 

    for (version = 1; version < 3; version++) {                                 
        tab = idtab_lookup(version);                                            
        for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {                    
            nxt = TAILQ_NEXT(id, next);                                         
            if (id->death == 0)                                                 
                continue;                                                       
            if (now >= id->death) {                                             
                debug("expiring key '%s'", id->comment);                        
                TAILQ_REMOVE(&tab->idlist, id, next);                           
                free_identity(id);                                              
                tab->nentries--;                                                
            } else                                                              
                deadline = (deadline == 0) ? id->death :                        
                    MIN(deadline, id->death);                                   
        }                                                                       
    }                                                                           
    if (deadline == 0 || deadline <= now)                                       
        return 0;                                                               
    else                                                                        
        return (deadline - now);                                                
}

And in process_add_identity function:

process_add_identity(SocketEntry *e, int version)                               
{
.... 
if (lifetime && !death)                                                     
        death = monotime() + lifetime;
....
}

lifetime is a global variable and only change value when parsing argument:

/* Default lifetime in seconds (0 == forever) */                                
static long lifetime = 0;

int                                                                             
main(int ac, char **av)                                                         
{
.... 
    case 't':                                                               
        if ((lifetime = convtime(optarg)) == -1) {                          
            fprintf(stderr, "Invalid lifetime\n");                          
            usage();                                                        
        }
....
}

If you use Ubuntu, you can set default options for ssh-agent in /etc/X11/Xsession.d/90x11-common_ssh-agent:

STARTSSH=
SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-t 1h"

if has_option use-ssh-agent; then
  if [ -x "$SSHAGENT" ] && [ -z "$SSH_AUTH_SOCK" ] \
     && [ -z "$SSH2_AUTH_SOCK" ]; then
    STARTSSH=yes
    if [ -f /usr/bin/ssh-add1 ] && cmp -s $SSHAGENT /usr/bin/ssh-agent2; then
      # use ssh-agent2's ssh-agent1 compatibility mode
      SSHAGENTARGS=-1
    fi
  fi
fi

if [ -n "$STARTSSH" ]; then
  STARTUP="$SSHAGENT $SSHAGENTARGS ${TMPDIR:+env TMPDIR=$TMPDIR} $STARTUP"
fi

SSH Agent Forwarding on server

It looks like you may not have actually added the key to the agent..

If your local workstation is Linux then there's likely an agent running as part of your session you can examine it's contents with ssh-add -l

If the key hasn't been added to the agent you can also add it with ssh-add

After that when you ssh to mysite.be you should be able to see the key fingerprint listed when you run ssh-add -l

Best Answer

Related Solutions

Ssh – Configuring the default timeout for the SSH agent

SSH Agent Forwarding on server

Related Question