If I set a timeout for a specific host's key does it set the timeout
for just that key/host?

I.e. if I do something like in ~/.ssh/config:-

    #
    #
    # backup, use public-key authentication
    #
    Host backup
    IdentityFile ~/.ssh/backup_id_rsa
    IdentityAgent 600

Will it just time out the key saved for backup and leave any other
keys with the default no timeout?

-- 
Chris Green
openssh at tr.id.au
2024-Jun-05 21:59 UTC
Can one set an agent timeout for a specific host?
Hi Chris,

(Caveat: I haven't tried IdentityAgent before and I may also misunderstand what you're after.)

I don't see any mechanism in the provided config which would end up in timeout. According to man (5) ssh_config, IdentityAgent configures a socket number, not a timeout. I'm not sure if that's obvious, like I said I might have misunderstood something about what you're asking, or overlooked something about uses of IdentityAgent.

I suspect you may want the ConnectTimeout config if you haven't seen it yet. I also believe (meaning it makes sense to me but I haven't tested it) that when you configure this timeout, it will affect all connections to the host, not just that one key.

If you want to restrict the configuration to just one key, I might consider using `Match tagged` to distinguish between different modes. Example configuration:

```
Match host backup tagged backup
    IdentityFile ~/.ssh/backup_id_rsa
    IdentitiesOnly yes
    ConnectTimeout 600

# General config for all connections to backup node
Host backup
    # put here whatever is true regardless of which key or authentication method you use
    # ...
```

Then to force the use of that one key and that timeout, make sure the client uses the `-P backup` option to trigger the `tagged backup` Match.

Alternatively, you can use something like `-F /path/to/backup/ssh_config` to keep the backup config separate to everything else in your default ~/.ssh/config.

~ Tim

On Wednesday, 5 June 2024 at 22:18, Chris Green <cl at isbd.net> wrote:
>
> If I set a timeout for a specific host's key does it set the timeout
> for just that key/host?
>
> I.e. if I do something like in ~/.ssh/config:-
>
> #
> #
> # backup, use public-key authentication
> #
> Host backup
> IdentityFile ~/.ssh/backup_id_rsa
> IdentityAgent 600
>
> Will it just time out the key saved for backup and leave any other
> keys with the default no timeout?
>
> --
> Chris Green
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On Wed, 5 Jun 2024 at 22:20, Chris Green <cl at isbd.net> wrote:
> If I set a timeout for a specific host's key does it set the timeout
> for just that key/host?
[...]
> Host backup
> IdentityFile ~/.ssh/backup_id_rsa
> IdentityAgent 600

I think you meant AddKeysToAgent?

> Will it just time out the key saved for backup and leave any other
> keys with the default no timeout?

Yes this will only affect the key added when connecting to this host.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
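
An added example, not part of any message in this thread: an `~/.ssh/config` sketch of the per-host key lifetime that the AddKeysToAgent reply points to, using the host alias and key path from the question. The `Host *` block is an assumption added for contrast.

```sshconfig
# Added example (constructed). Host alias and key path are taken from the question.
# ssh_config uses the first value obtained for each option, so the specific
# Host block must appear before any Host * defaults.
Host backup
    IdentityFile ~/.ssh/backup_id_rsa
    # Offer only the key named above, not every key the agent holds.
    IdentitiesOnly yes
    # A time interval here adds the key to the running ssh-agent when it is
    # first loaded from the file and sets its lifetime in the agent.
    # A bare number is in seconds, so 600 is ten minutes.
    AddKeysToAgent 600

# Assumption for contrast: every other host.
Host *
    # "yes" adds keys with the agent's default lifetime, which is no expiry
    # unless ssh-agent itself was started with -t.
    AddKeysToAgent yes
```

`ssh-add -l` lists the keys the agent currently holds, so running it before and after the lifetime elapses shows whether the backup key was dropped while other keys remain.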