On 2025-01-09 15:27, Corey Hickey wrote:
> From: Corey Hickey <chickey at tagged.com>
>
> When ssh-add is used in a script like:
>
> if ! KEY_LISTING=$(ssh-add -l 2>&1) ; then
>     echo "SSH agent error" >&2
>     exit 2
> fi
>
> ...the operation fails when there is an agent but there are no keys in
> the agent. This is because ssh-add exits with a status of 1. If the
> intent is to examine the keys in the agent, then this behavior is
> undesired and not easily distinguishable from an error (e.g. no agent
> running).
>
> To address this, add a new option -p to make ssh-add behavior more
> friendly to parsing.

I took the approach of preserving current behavior by default, but another
approach would be to:

* print "The agent has no identities." to stderr instead of stdout
* exit with a status of 0 instead of 1

If that alternate approach would be better, please let me know and I
will send a new patch.

Thank you,
Corey
On Thu, 9 Jan 2025, Corey Hickey wrote:
> On 2025-01-09 15:27, Corey Hickey wrote:
> > From: Corey Hickey <chickey at tagged.com>
> >
> > When ssh-add is used in a script like:
> >
> > if ! KEY_LISTING=$(ssh-add -l 2>&1) ; then
> >     echo "SSH agent error" >&2
> >     exit 2
> > fi
> >
> > ...the operation fails when there is an agent but there are no keys in
> > the agent. This is because ssh-add exits with a status of 1. If the
> > intent is to examine the keys in the agent, then this behavior is
> > undesired and not easily distinguishable from an error (e.g. no agent
> > running).
> >
> > To address this, add a new option -p to make ssh-add behavior more
> > friendly to parsing.
>
> I took the approach of preserving current behavior by default, but another
> approach would be to:
>
> * print "The agent has no identities." to stderr instead of stdout
> * exit with a status of 0 instead of 1
>
> If that alternate approach would be better, please let me know and I
> will send a new patch.

Yeah, I think moving the message to stderr would be better. Adding a new
exit status for the no-keys-in-agent case would be acceptable too, I think.

-d
On 10.01.25 00:33, Corey Hickey wrote:
> I took the approach of preserving current behavior by default, but
> another approach would be to:
> * print "The agent has no identities." to stderr instead of stdout
> * exit with a status of 0 instead of 1

Please don't. If you want to ever get people to load their privkeys into
the agent *with a limited lifetime*, having a trivial, *universal* way to
check whether they have expired by now is an asset.

> workplace$ egrep ' ssh(|add)=' .bashrc
> alias sshadd='( echo -n "`tput dim`" ; ssh-add -c -t 1800 ; echo -n "`tput sgr0`" )'
> alias ssh='ssh-add -l >/dev/null || sshadd ; ssh'

> jumphost$ grep -A 9 '^ssh' .bashrc
> ssh() {
>     if [ -z "$SSH_AUTH_SOCK" ]; then
>         # No forwarded agent. Someone wants to learn many passwords by heart ...
>         /usr/bin/ssh "$@"
>     elif ssh-add -l >/dev/null 2>&1 ; then
>         /usr/bin/ssh "$@"
>     else
>         echo "`tput setaf 0``tput setab 1` Please (re)load your keypairs into the agent first `tput sgr0`"
>     fi
> }

Kind regards,
--
Jochen Bern
Systems Engineer

Binect GmbH
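As an added example, not code from any message in this thread, the following POSIX sh helpers reconcile the two positions above by switching on the exit status of `ssh-add -l` (0 = identities loaded, 1 = agent reachable but empty, 2 = agent unreachable, per the ssh-add man page) instead of treating every non-zero status as an error. The function names are hypothetical, and the listing command is passed as arguments so the logic can be exercised with stub commands in place of a live agent.

```shell
#!/bin/sh
# Added example, not from the thread. Exit status meanings of `ssh-add -l`:
#   0  agent reachable, at least one identity loaded
#   1  agent reachable, no identities (also the state after -t lifetimes
#      expire, which is what Jochen's shell wrapper relies on detecting)
#   2  agent not reachable (no SSH_AUTH_SOCK, stale socket, ...)
# The listing command is given as arguments; in real use: agent_state ssh-add -l

agent_state() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    case $status in
        0) echo "keys-loaded" ;;
        1) echo "no-keys" ;;
        2) echo "no-agent" ;;
        *) echo "unknown($status)" ;;
    esac
}

# Script-friendly listing, the behaviour Corey's `if ! KEY_LISTING=$(ssh-add -l)`
# check wanted: an empty agent yields an empty listing and status 0, while an
# unreachable agent (or any unexpected status) is reported on stderr and fails.
list_keys_or_fail() {
    status=0
    listing=$("$@" 2>/dev/null) || status=$?
    case $status in
        0) printf '%s\n' "$listing" ;;
        1) ;;   # "The agent has no identities." is dropped; status stays 0
        *) echo "SSH agent error (ssh-add exit status $status)" >&2; return 2 ;;
    esac
}

# Interactive wrapper in the spirit of Jochen's alias: prompt for a reload only
# when an agent exists and is empty; otherwise run ssh unchanged.
ssh_with_agent_check() {
    case $(agent_state ssh-add -l) in
        no-keys) echo "Please (re)load your keypairs into the agent first" >&2; return 1 ;;
    esac
    command ssh "$@"
}
```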