Hi,

On a machine that I regularly use, both on the console and remotely, I have the line:

    eval `ssh-agent`

in my .login, as per the ssh-agent(1) man page.

Problem: when I log out, the ssh-agent process persists, which is the correct behavior in some cases, but not in others. This means that periodically I have to kill off hundreds of ssh-agent processes, as they are taking up a substantial amount of my (fairly old) machine's resources.

Question: is there a trivial way of fixing this problem? I could do some shell scripting to kill ssh-agent in the right cases and not in others, but that seems kludgy, and I can't imagine that I'm the only one to have this problem.

Better question: if I were to write a patch to openssh that implemented reference counting in ssh-agent, would that be a Useful Idea? I was thinking something like: when a shell creates a new process, then ref=1; if the current shell finds an existing process, send that process a signal to increment ref; and in .logout, decrement ref and have ssh-agent exit if ref=0. Presumably I could find some sort of unused signal in ssh-agent (SIGUSR1 or some such), and this seems reasonably secure.

Please let me know what people think.

thanks,
- Rob

PS Pls make sure to CC me as I am not subscribed to the list.
Rob wrote:
> Problem: when I log out, the ssh-agent process persists which is the
> correct behavior in some cases, but not in others. This means that
> periodically I have to kill off hundreds of ssh-agent processes as they
> are taking up a substantial amount of my (fairly old) machine's resources.
>
> Question: is there a trivial way of fixing this problem?

Yes, don't do that. :-)

> I could do some
> shell scripting to kill ssh-agent in the right cases and not in others,
> but that seems kludgy, and I can't imagine that I'm the only one to have
> this problem.

    # Start one agent bound to a fixed socket path; every later login just
    # sources the saved environment and reuses it instead of starting another.
    if [ ! -e ~/.ssh/myagentsock ]; then
        ssh-agent -a ~/.ssh/myagentsock >~/.ssh/myagent
    fi
    . ~/.ssh/myagent

or google for "ssh keychain"

> Better question: if I were to write a patch to openssh that implemented
> reference counting in ssh-agent, would that be a Useful Idea?

Probably not. It would complicate the agent unnecessarily.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Circa 2005-07-27 dixit Rob:

: In a machine that I regularly use one console and remotely I have the line:
: 
: eval `ssh-agent`
: 
: In my .login, as per the ssh-agent(1) man page.
: 
: Problem: when I log out, the ssh-agent process persists which is the
: correct behavior in some cases, but not in others. This means that
: periodically I have to kill off hundreds of ssh-agent processes as they
: are taking up a substantial amount of my (fairly old) machine's resources.
: 
: Question: is there a trivial way of fixing this problem? I could do some
: shell scripting to kill ssh-agent in the right cases and not in others,
: but that seems kludgy, and I can't imagine that I'm the only one to have
: this problem.

If you want the agent to be ephemeral (i.e., to last only for your login session), then you should kill the agent in your logout script (~/.logout for csh, ~/.bash_logout for bash, a kludge involving 'trap ... 0' for pdksh). I do this in a fashion similar to the following:

~/.bash_profile:

    # Optional override of the ssh-agent binary, otherwise the default path.
    if [ -f "${HOME}/.ssh-agent" ]; then
        SSH_AGENT=`cat "${HOME}/.ssh-agent"`
    fi
    SSH_AGENT="${SSH_AGENT:-/usr/bin/ssh-agent}"
    # Only start an agent when none is inherited, the opt-in file exists,
    # and the binary is executable.
    if [ -z "${SSH_AUTH_SOCK}" ] && \
       [ -f "${HOME}/.use-ssh-agent" ] && \
       [ -x "${SSH_AGENT}" ]
    then
        eval `${SSH_AGENT}`
    fi

~/.bash_logout:

    if [ -f "${HOME}/.ssh-agent" ]; then
        SSH_AGENT=`cat "${HOME}/.ssh-agent"`
    fi
    SSH_AGENT="${SSH_AGENT:-/usr/bin/ssh-agent}"
    # Kill only the agent this session started (SSH_AGENT_PID is set by the
    # eval above); an inherited agent has no SSH_AGENT_PID here.
    if [ -n "${SSH_AGENT_PID}" ] && \
       [ -x "${SSH_AGENT}" ]
    then
        eval `${SSH_AGENT} -k`
    fi

It's a little complex, but basically:

- ~/.ssh-agent optionally contains the path to the ssh-agent program.
- ~/.use-ssh-agent, if present, says we want ssh-agent to run automatically in each login session.
- ssh-agent is only run if it's not already running in a parent of the current session (we check the SSH_AUTH_SOCK environment variable for that).
- if ssh-agent is disabled by removing execute permission, then we don't try to use it.
For csh, it would look a little different; I don't know csh very well, so someone else would need to figure that out.

For ksh, the above should work virtually unchanged; the only difference may be in how quotes are interpreted inside backquotes (`), and that's not generally a problem unless you have, for example, a space character in the path to your home directory.

To make pdksh run a script (such as ~/.ksh_logout) on logout, put the following in your ~/.profile:

    ksh_logout() {
        if [ -s "${HOME}/.ksh_logout" ]; then
            . "${HOME}/.ksh_logout"
        fi
    }

    case "$-" in
    *i*)
        # Interactive shell: run ksh_logout when the shell exits (signal 0).
        if [ -n "${KSH_VERSION}" ]; then
            trap ksh_logout 0
        fi
        ;;
    esac

Good luck.

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 809F:09B9:9686:D035:4AB0::9455:124B:0A62:DD6A:76D6)
.....................................................................
:"The methods now being used to merchandise the political candidate  :
: as though he were a deodorant positively guarantee the electorate  :
: against ever hearing the truth about anything."   --Aldous Huxley  :
:...................................................................:
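An added example, written for this thread and not part of Jim's message or of OpenSSH itself: the kill-on-logout approach above trusts SSH_AGENT_PID blindly, and a PID recorded at login may by logout refer to some other process if the agent died and the PID was reused. The helper below checks that a PID is alive, signalable by us, and actually an ssh-agent before the logout step sends it anything, then wraps the same start/stop logic as Jim's .bash_profile and .bash_logout. The function names are mine; it assumes either Linux /proc/<pid>/comm or a ps(1) that understands `-o comm= -p`.

```shell
#!/bin/sh
# Added example (not from the thread): verify a PID before treating it as
# "our" ssh-agent, then start/stop an ephemeral agent around a login session.

# pid_comm PID -> prints the command name of PID, or nothing if it is gone.
# Uses /proc on Linux and falls back to ps(1) elsewhere (assumption: one of
# the two is available). Some ps implementations print a full path, so the
# directory part is stripped.
pid_comm() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null | sed 's#.*/##'
    fi
}

# pid_has_comm PID NAME -> success if PID is alive and its command name is NAME.
pid_has_comm() {
    [ "$(pid_comm "$1")" = "$2" ]
}

# is_ssh_agent_pid PID -> success only if PID is numeric, is a process we are
# allowed to signal (kill -0, i.e. one of our own), and is an ssh-agent.
is_ssh_agent_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric values
    esac
    kill -0 "$1" 2>/dev/null && pid_has_comm "$1" ssh-agent
}

# For ~/.bash_profile: start an agent only if none was inherited.
start_ephemeral_agent() {
    if [ -z "${SSH_AUTH_SOCK}" ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
}

# For ~/.bash_logout: stop the agent recorded in SSH_AGENT_PID, but only after
# confirming that the PID still belongs to an ssh-agent of ours.
stop_ephemeral_agent() {
    if is_ssh_agent_pid "${SSH_AGENT_PID}"; then
        eval "$(ssh-agent -k)" >/dev/null
    fi
}
```

Source the file from ~/.bash_profile and call start_ephemeral_agent there, and call stop_ephemeral_agent from ~/.bash_logout. Because kill -0 only succeeds for processes you may signal, a stale PID that now belongs to another user is rejected before any signal is sent; Darren's fixed-socket variant sidesteps the question entirely, since it never kills anything.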
Rob wrote:
> In a machine that I regularly use one console and remotely I have the line:
>
> eval `ssh-agent`
>
> In my .login, as per the ssh-agent(1) man page.

Ew, yuck. Remember that is the second entry in the man page. The first entry is the one you want. At least it is the one I want.

> Problem: when I log out, the ssh-agent process persists which is the
> correct behavior in some cases, but not in others. This means that
> periodically I have to kill off hundreds of ssh-agent processes as they
> are taking up a substantial amount of my (fairly old) machine's resources.

Yep.

> Question: is there a trivial way of fixing this problem?

Doctor, doctor, it hurts when I do this. So don't do that. :-)

The first usage synopsis in the man page is:

    ssh-agent [-a bind_address] [-c | -s] [-t life] [-d] [command [args ...]]
    ...
    If a commandline is given, this is executed as a subprocess of the agent.
    When the command dies, so does the agent.

That is the usage I prefer. Since I am running X11 most of the time, the distro I am using automatically starts the ssh-agent up as part of the X session. When I log out, the agent exits.

    exec ssh-agent ~/.xsession

For me on my Debian system the above is automatic. But if it is not on your system, then I would start it up with my window manager as the command, in a ~/.xsession file:

    #!/bin/bash --login
    exec ssh-agent fvwm   # or startkde or gnome-session or whatever

Since you said ~/.login:

    #!/bin/csh -l
    exec ssh-agent fvwm   # or startkde or gnome-session or whatever

But you mentioned a console. When I need this manually from a random command line shell window, I usually run the following commands:

    exec ssh-agent $SHELL
    ssh-add

You can automate this with the following as the very last thing in your ~/.profile (or ~/.bash_profile), so that an agent is always available when you log into a system. Remember that the current shell is replaced and overlaid with a new one when the 'exec' command is run.
No commands after that in the script will be run, because the shell interpreting the script no longer exists.

    # ssh-add -l exits 2 when it cannot contact an agent (0 = identities
    # listed, 1 = agent reachable but no identities), so only status 2
    # means a new agent is needed.
    ssh-add -l >/dev/null 2>&1
    if [ $? -eq 2 ] ; then
        exec ssh-agent $SHELL
    fi

When I log out, the agent exits. I never have to worry about reaping orphaned ssh-agents.

You said ~/.login, so:

    # Same test in csh; compare against 2 so an agent that merely has no
    # identities loaded is not replaced by a nested one.
    ssh-add -l >& /dev/null
    if ( $status == 2 ) then
        exec ssh-agent $SHELL
    endif

Bob