I use ssh-add to add my SSH keys to the SSH agent. By default, it adds them indefinitely. There’s a command-line option to specify a timeout, but is there a configuration file option which will specify the default timeout?
What I want is to be able to run ssh-add without any command-line parameters and have it default to a given amount of time for a timeout (as if I had called ssh-add -t 1h).
Answers:
Method 1
If you’re calling ssh-add on the command line, make a shell alias. Put the following line in your ~/.bashrc (if using bash) or ~/.zshrc (if using zsh) or other applicable shell initialization file:
alias ssh-add='ssh-add -t 1h'
If you want to add a non-expiring key, use ssh-add /path/to/key or ssh-add -t 0 /path/to/key.
If ssh-add is being called from other programs, see if they can be configured to take arguments. Failing that, create a file early on your $PATH (~/bin is a common choice of directory; make sure it’s at the beginning of your PATH and create it if it doesn’t exist) called ssh-add containing
#!/bin/sh
exec /usr/bin/ssh-add -t 1h "$@"
(Replace /usr/bin/ssh-add by the path to the ssh-add binary as necessary.)
Method 2
The default timeout is forever. It is however possible to set the default timeout for a specific agent through the -t option of ssh-agent.
From man ssh-agent:
-t life
Set a default value for the maximum lifetime of identities added
to the agent. The lifetime may be specified in seconds or in a
time format specified in sshd_config(5). A lifetime specified
for an identity with ssh-add(1) overrides this value. Without
this option the default maximum lifetime is forever.
Method 3
AFAIK, there is no configuration in sshd_config or ssh_config to specify the timeout for ssh-agent. From the OpenSSH source code, file ssh-agent.c:
/* removes expired keys and returns number of seconds until the next expiry */
static time_t
reaper(void)
{
    time_t deadline = 0, now = monotime();
    Identity *id, *nxt;
    int version;
    Idtab *tab;

    for (version = 1; version < 3; version++) {
        tab = idtab_lookup(version);
        for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
            nxt = TAILQ_NEXT(id, next);
            if (id->death == 0)
                continue;
            if (now >= id->death) {
                debug("expiring key '%s'", id->comment);
                TAILQ_REMOVE(&tab->idlist, id, next);
                free_identity(id);
                tab->nentries--;
            } else
                deadline = (deadline == 0) ? id->death :
                    MIN(deadline, id->death);
        }
    }
    if (deadline == 0 || deadline <= now)
        return 0;
    else
        return (deadline - now);
}
And in the process_add_identity function:
process_add_identity(SocketEntry *e, int version)
{
    ....
    if (lifetime && !death)
        death = monotime() + lifetime;
    ....
}
lifetime is a global variable and only changes value when parsing arguments:
/* Default lifetime in seconds (0 == forever) */
static long lifetime = 0;

int
main(int ac, char **av)
{
    ....
        case 't':
            if ((lifetime = convtime(optarg)) == -1) {
                fprintf(stderr, "Invalid lifetime\n");
                usage();
            }
    ....
}
If you use Ubuntu, you can set default options for ssh-agent in /etc/X11/Xsession.d/90x11-common_ssh-agent:
STARTSSH=
SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-t 1h"

if has_option use-ssh-agent; then
    if [ -x "$SSHAGENT" ] && [ -z "$SSH_AUTH_SOCK" ] \
       && [ -z "$SSH2_AUTH_SOCK" ]; then
        STARTSSH=yes
        if [ -f /usr/bin/ssh-add1 ] && cmp -s $SSHAGENT /usr/bin/ssh-agent2; then
            # use ssh-agent2's ssh-agent1 compatibility mode
            SSHAGENTARGS=-1
        fi
    fi
fi

if [ -n "$STARTSSH" ]; then
    STARTUP="$SSHAGENT $SSHAGENTARGS ${TMPDIR:+env TMPDIR=$TMPDIR} $STARTUP"
fi
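As an added example (my own code, not from the answers above or from OpenSSH), here is the ~/bin/ssh-add wrapper from Method 1 extended so that it leaves an explicit -t from the caller alone, and validates the default lifetime against the sshd_config(5) time format that the ssh-agent man page in Method 2 refers to and that convtime() parses in Method 3. A wrapper that blindly prepends -t would otherwise pass a mistyped default straight to ssh-add, which rejects it with "Invalid lifetime" and loads nothing. The environment variable names SSH_ADD_DEFAULT_LIFETIME and SSH_ADD_BIN, the function names, and the lifetime parser are my assumptions; none of them is something OpenSSH provides.

```shell
#!/bin/sh
# Hypothetical drop-in wrapper to install as ~/bin/ssh-add (ahead of /usr/bin on PATH).
# Not part of OpenSSH or of the answers on this page. It prepends a default -t unless
# the caller already chose a lifetime, and validates the default up front so a typo
# can never fall back to ssh-add's own default of "forever".

: "${SSH_ADD_DEFAULT_LIFETIME:=1h}"   # assumed env var: sshd_config(5) time format
: "${SSH_ADD_BIN:=/usr/bin/ssh-add}"  # assumed env var: path to the real binary

# lifetime_to_seconds SPEC: print SPEC ("600", "1h", "1h30m", "2D") as a number of
# seconds; return 1 for anything malformed. This is an independent re-implementation
# of the time format described in the ssh-agent(1) man page, not OpenSSH's convtime().
lifetime_to_seconds() {
    spec=$1 total=0
    [ -n "$spec" ] || return 1
    case "$spec" in
        *[!0-9smhdwSMHDW]*) return 1 ;;   # only digits and unit letters are allowed
    esac
    rest=$spec
    while [ -n "$rest" ]; do
        num=${rest%%[!0-9]*}              # leading run of digits
        [ -n "$num" ] || return 1         # a unit without a number ("h", "1hh")
        rest=${rest#"$num"}
        unit=${rest%"${rest#?}"}          # first character of the remainder, if any
        rest=${rest#?}
        case "$unit" in
            ''|s|S) mult=1 ;;
            m|M)    mult=60 ;;
            h|H)    mult=3600 ;;
            d|D)    mult=86400 ;;
            w|W)    mult=604800 ;;
            *)      return 1 ;;
        esac
        total=$((total + num * mult))
    done
    printf '%s\n' "$total"
}

# caller_sets_lifetime ARGS...: succeed if the caller passed -t (or a glued "-t30m")
# before any "--"; after "--" everything is a key path, not an option.
caller_sets_lifetime() {
    for arg in "$@"; do
        case "$arg" in
            --)     return 1 ;;
            -t|-t*) return 0 ;;
        esac
    done
    return 1
}

# run_ssh_add ARGS...: invoke the real ssh-add, adding the default lifetime when needed.
run_ssh_add() {
    if caller_sets_lifetime "$@"; then
        "$SSH_ADD_BIN" "$@"
        return $?
    fi
    if ! lifetime_to_seconds "$SSH_ADD_DEFAULT_LIFETIME" >/dev/null; then
        echo "ssh-add wrapper: invalid SSH_ADD_DEFAULT_LIFETIME '$SSH_ADD_DEFAULT_LIFETIME'" >&2
        return 2
    fi
    "$SSH_ADD_BIN" -t "$SSH_ADD_DEFAULT_LIFETIME" "$@"
}

# Dispatch only when invoked under the ssh-add name, so sourcing this file merely
# defines the functions (handy for checking the argument handling with SSH_ADD_BIN=echo).
case "${0##*/}" in
    ssh-add) run_ssh_add "$@"; exit $? ;;
esac
```

Save it as ~/bin/ssh-add, make it executable, and run hash -r so the shell forgets the cached /usr/bin path. To see what the wrapper would execute without touching the agent, source the file and call the function with SSH_ADD_BIN=echo, e.g. run_ssh_add ~/.ssh/id_ed25519 prints "-t 1h /home/you/.ssh/id_ed25519", while run_ssh_add -t 0 ~/.ssh/id_ed25519 passes the caller's lifetime through unchanged.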
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.