Hi.. I've looked through all the documentation and searched numerous websites and I can't find any viable current way to cluster ssh-agents.

The functionality gap I see is to allow a situation where 2 ssh-agents are running on 2 different trusted machines. If one of those machines goes down, passwordless logins should be allowed to continue through the backup ssh-agent. And when the machine comes back up, the newly restarted agent should be able to resync with the backup agent. This way 2 machines would have to go down before passwords would have to be re-entered.

I'm wondering about the implications of this kind of functionality and whether, if this were to be implemented, it would be something the development team would be apt to consider for inclusion.

Thanks,
Garry
Garry Boyce wrote:
> Hi.. I've looked through all the documentation and searched
> numerous websites and I can't find any viable current way to
> cluster ssh-agents.

What technical solution do you have in mind?

//Peter
Hi Garry,

I did something with about the same functionality once, by starting the ssh-agent on the central system at boot time with the user's credentials and loading the passphraseless key automatically from a directory that the user couldn't read. The only thing you need to do is dump the agent's environment variables when it starts and source them when the user actually logs in.

Sincerely,
Jan de Haan.

On Mon, Nov 24, 2008 at 7:02 PM, Garry Boyce <garry.boyce at eds.com> wrote:
> Hi.. I've looked through all the documentation and searched numerous
> websites and I can't find any viable current way to cluster ssh-agents.
>
> The functionality gap I see is to allow a situation where 2 ssh-agents are
> running on 2 different trusted machines. If one of those machines goes down
> passwordless logins should be allowed to continue through the backup
> ssh-agent. And when the machine comes back up the newly restarted agent
> should be able to resync with the backup agent. This way 2 machines would
> have to go down before passwords would have to be re-entered.
>
> I'm wondering the implications of this kind of functionality and wondering
> if this were to be implemented would it be something the development team
> would be apt to consider for inclusion.
>
> Thanks,
> Garry
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
That sounds about right. How would you rate complexity?

-----Original Message-----
From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Sent: Monday, November 24, 2008 5:51 PM
To: Portable OpenSSH Development List <openssh-unix-dev at mindrot.org>
Subject: Re: ssh-agent clustering

On Mon 2008-11-24 13:02:05 -0500, Garry Boyce wrote:
> Hi.. I've looked through all the documentation and searched numerous
> websites and I can't find any viable current way to cluster
> ssh-agents.

It sounds to me like what you're looking to implement could be done without modifying existing ssh-agent implementations. You'd want to build some sort of intermediate agent that maintains tunnels to various external agents, and monitors the state of those tunnels. It would accept ssh agent requests itself, and forward them on to the relevant remote agents. When one tunnel goes down, it would redirect new requests to the highest-priority still-functioning tunnel. Your ssh processes would talk only to the intermediate agent, and would not know what kind of things were happening behind the scenes.

--dkg
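The intermediate agent dkg sketches above, as an added example written for this thread (it is not code from the thread, from OpenSSH, or from any of the posters). It assumes the remote agents are reachable as local Unix socket paths, i.e. the local ends of whatever tunnels you maintain to the other machines; the proxy itself only handles agent-protocol framing (uint32 length, then a type byte and payload), forwards each request to the first backend that answers, and falls back to the next one in priority order. The `start_fake_agent` backend and the `demo` scenario are constructed stand-ins so the block runs with no real agent present.

```python
"""Failover ssh-agent proxy (illustration, not OpenSSH code).

Backend paths are assumed to be local Unix sockets that lead to the
remote agents (e.g. the local end of a tunnel).  Each client request is
forwarded to the highest-priority backend that is reachable.
"""
import os
import socket
import struct
import tempfile
import threading

SSH_AGENT_FAILURE = 5                 # agent reply: request could not be served
SSH_AGENTC_REQUEST_IDENTITIES = 11    # client request: list keys
SSH_AGENT_IDENTITIES_ANSWER = 12      # agent reply: key list follows
MAX_AGENT_MSG = 256 * 1024            # upper bound on one framed message


def recv_exact(sock, n):
    """Read exactly n bytes, or return None if the peer closed first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def read_message(sock):
    """Read one length-prefixed agent message; None on clean EOF."""
    hdr = recv_exact(sock, 4)
    if hdr is None:
        return None
    (length,) = struct.unpack(">I", hdr)
    if length == 0 or length > MAX_AGENT_MSG:
        raise ValueError("bad agent message length %d" % length)
    return recv_exact(sock, length)


def write_message(sock, payload):
    sock.sendall(struct.pack(">I", len(payload)) + payload)


class FailoverAgentProxy:
    def __init__(self, backends, timeout=5.0):
        self.backends = list(backends)  # highest priority first
        self.timeout = timeout

    def forward(self, payload):
        """Return (response, backend_path); a FAILURE reply if none answers."""
        for path in self.backends:
            try:
                with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
                    s.settimeout(self.timeout)
                    s.connect(path)
                    write_message(s, payload)
                    resp = read_message(s)
            except (OSError, ValueError):
                continue  # backend down or misbehaving: try the next one
            if resp is not None:
                return resp, path
        return bytes([SSH_AGENT_FAILURE]), None

    def handle_client(self, conn):
        with conn:
            while True:
                try:
                    msg = read_message(conn)
                except ValueError:
                    break
                if msg is None:
                    break
                resp, _ = self.forward(msg)
                write_message(conn, resp)

    def serve_forever(self, listen_path):
        old = os.umask(0o077)  # proxy socket is 0600: only this user may use it
        try:
            srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            srv.bind(listen_path)
        finally:
            os.umask(old)
        srv.listen(16)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=self.handle_client, args=(conn,), daemon=True).start()


def start_fake_agent(path, response):
    """Constructed stand-in for an ssh-agent: answers every request with `response`."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(8)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                while read_message(conn) is not None:
                    write_message(conn, response)

    threading.Thread(target=loop, daemon=True).start()
    return srv


def demo():
    """Primary backend never comes up; the request is served by the secondary."""
    d = tempfile.mkdtemp()
    dead = os.path.join(d, "primary.sock")      # nothing listens here
    live = os.path.join(d, "secondary.sock")
    empty_key_list = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 0)
    start_fake_agent(live, empty_key_list)
    proxy = FailoverAgentProxy([dead, live], timeout=1.0)
    resp, used = proxy.forward(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
    return resp[0], used == live


if __name__ == "__main__":
    print(demo())
```

To use it, run `serve_forever` on a path of your choosing and point `SSH_AUTH_SOCK` at that path; ssh and ssh-add then see a single agent. Because the agent protocol is strictly request/response, opening a fresh backend connection per request is enough for key listing and signing; per-agent state such as a lock set with `ssh-add -x` applies only to the backend that received it. The failover set also means an unlocked copy of each key is resident on every machine in the set, which is the trade-off Garry's proposal makes; keeping the proxy socket private (hence the umask) and restricting who can reach the backend sockets is the minimum that goes with it.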