Ssh – technical reason why ssh-agent lacks a sudo-like inactivity/idle timeout feature

key-authenticationSecuritysshssh-agent

There are some brief discussions about the existing ssh-agent -t feature at [1], and there was a post as far back as 2001 on debian-devel [2] wishing for an inactivity timeout feature. There's a similar discussion here on SE [3] for pageant.

I have to wonder how the rest of the planet is protecting ssh keys – am I missing something obvious for this to be such a pain point for me, and apparently nobody else? Specifically I'm thinking of scripted ssh interactions, such as with ansible. It seems that today, your choices are:

Set the lifetime of your key in the agent to a worryingly long period of time, Eg. 1h or whatever the maximum running time of your scripts may happen to be (I doubt many people allow their sudo re-auth timeout to stretch that long!) – but seahorse/gnome-keyring-daemon barely even support this much [4]
Babysit your long-running scripts and keep re-entering your passphrase every 5/10/15 minutes: now you can be easily watched entering your passphrase 20 times a day
Hack your own home-brew solution to mimic this missing feature, perhaps in conjunction with your shell's TMOUT shell var (thanks folks on freenode #openssh IRC for that suggestion)
Don't have a key lifetime set at all, i.e. your agent keeps your key loaded forever or until you kill/reboot

If you're using brief ssh agent timeouts, strong passphrases, and different keyfiles for each type of role you authenticate as: this leads to a very frustrating day!

I've experimented with gpgkey2ssh and smartcards, but this doesn't really solve this particular issue: I still want ssh-agent functionality and I don't want to have to re-auth every 5 minutes just to prevent my private keys being exposed in memory while my computer is idle.

Am I doing it wrong?

[1] Configuring the default timeout for the SSH agent

[2] https://lists.debian.org/debian-devel/2001/09/msg00851.html

[3] https://serverfault.com/questions/518312/putty-pageant-forget-keys-after-period-of-inactivity

[4] https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/129231

Best Answer

If this concerns you then you can easily use the xscreensaver-command -watch interface to run ssh-add -D when the screen is locked. Check the man page for a very simple example.

Related Solutions

Ssh – Configuring the default timeout for the SSH agent

AFAIK, there is no configuration in sshd_config or ssh_config to specify the time out for ssh-agent. From openssh source code, file ssh-agent.c:

/* removes expired keys and returns number of seconds until the next expiry */  
static time_t                                                                   
reaper(void)                                                                    
{                                                                               
    time_t deadline = 0, now = monotime();                                      
    Identity *id, *nxt;                                                         
    int version;                                                                
    Idtab *tab;                                                                 

    for (version = 1; version < 3; version++) {                                 
        tab = idtab_lookup(version);                                            
        for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {                    
            nxt = TAILQ_NEXT(id, next);                                         
            if (id->death == 0)                                                 
                continue;                                                       
            if (now >= id->death) {                                             
                debug("expiring key '%s'", id->comment);                        
                TAILQ_REMOVE(&tab->idlist, id, next);                           
                free_identity(id);                                              
                tab->nentries--;                                                
            } else                                                              
                deadline = (deadline == 0) ? id->death :                        
                    MIN(deadline, id->death);                                   
        }                                                                       
    }                                                                           
    if (deadline == 0 || deadline <= now)                                       
        return 0;                                                               
    else                                                                        
        return (deadline - now);                                                
}

And in process_add_identity function:

process_add_identity(SocketEntry *e, int version)                               
{
.... 
if (lifetime && !death)                                                     
        death = monotime() + lifetime;
....
}

lifetime is a global variable and only change value when parsing argument:

/* Default lifetime in seconds (0 == forever) */                                
static long lifetime = 0;

int                                                                             
main(int ac, char **av)                                                         
{
.... 
    case 't':                                                               
        if ((lifetime = convtime(optarg)) == -1) {                          
            fprintf(stderr, "Invalid lifetime\n");                          
            usage();                                                        
        }
....
}

If you use Ubuntu, you can set default options for ssh-agent in /etc/X11/Xsession.d/90x11-common_ssh-agent:

STARTSSH=
SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-t 1h"

if has_option use-ssh-agent; then
  if [ -x "$SSHAGENT" ] && [ -z "$SSH_AUTH_SOCK" ] \
     && [ -z "$SSH2_AUTH_SOCK" ]; then
    STARTSSH=yes
    if [ -f /usr/bin/ssh-add1 ] && cmp -s $SSHAGENT /usr/bin/ssh-agent2; then
      # use ssh-agent2's ssh-agent1 compatibility mode
      SSHAGENTARGS=-1
    fi
  fi
fi

if [ -n "$STARTSSH" ]; then
  STARTUP="$SSHAGENT $SSHAGENTARGS ${TMPDIR:+env TMPDIR=$TMPDIR} $STARTUP"
fi

SSH – How to Get Asked for SSH Key Passphrase Once and Only When Needed

Don't add anything to any of your shell startup scripts, this is unnecessary hackery.

Instead, add

AddKeysToAgent yes

to your .ssh/config

Like this, ssh-add is run automatically the first time you ssh into another box. You only have to re-enter your key when it expires from ssh-agent or after you reboot.

Best Answer

Related Solutions

Ssh – Configuring the default timeout for the SSH agent

SSH – How to Get Asked for SSH Key Passphrase Once and Only When Needed

Related Question