KDE ssh-agent

Todd Zullinger tmz at pobox.com
Sat Sep 1 13:02:07 UTC 2007


Mike -- EMAIL IGNORED wrote:
>> Okay.  So obviously the best thing to work with your scripts
>> currently will be if SSH_AGENT_PID is set so that when the
>> xinitrc-common script checks for it, it's already set.  I haven't
>> made time to log out and test that yet.  Have you tried it to see
>> if that will work?
> 
> Yes, I could preset SSH_AGENT_PID -- as long as someone does not
> change the script.

I don't think you need to worry too much about that test going away.
It's definitely important for the xinit scripts to test for the
existence of an already running ssh-agent before starting one up.

>> Also, might it not be more robust (and better in the long term) if
>> your script checked for the things you put in place when you start
>> an ssh-agent?  That way it wouldn't matter whether the agent was
>> started by xinitrc-common or you.
> 
> Did they use my preferred options in creating the agent?

What options are you passing to ssh-agent?  The options it takes are
pretty sparse.

> I start the agent by hand execution of the script only when I intend
> to use it.  The script reads encrypted keys from removable media,
> which is usually not present.

You can have the agent running without adding keys to it right away.
So the keys need not be present when you start it.  You can also add
and remove keys at will.  So if you wanted, your script could add the
keys to the agent whenever you wanted to use them, and remove them
when you were done (or after some timeout, using the -t option to
ssh-add).

> It is only nice if it is easily visible and controllable.  As can be
> seen above, my use of agents is different than yours.

I'm still not sure that there's a problem with how the agent is
started, even for your use.  Perhaps I'm just not understanding how
you're using it.  With the agent started, you still have full control
of what and when keys are loaded.

> Yes.  My suggestion is that by default, it be disabled.  It might
> also be added to the install dialog (hopefully in terms that most
> reasonably well educated users could understand without web-search,
> which presently is the case for only a minority of the options).

I don't see the default being disabled.  It's much more common and
generally useful to have it started automatically.  If it's made
optional, I'd prefer the default to be on.  But that's just my
opinion.

> To whom do I present my suggestion, or have I just done it? :)

Nah, I haven't wormed my way into the project that far. :)

To make a request for enhancement, you'd use bugzilla.  There's a page
on the wiki which (hopefully) includes all the steps needed.

    http://fedoraproject.org/wiki/BugsAndFeatureRequests

Before filing such a request, be sure that what you want really can't
be done with the existing setup.  Also, if you really want to increase
the likelihood of something being picked up, propose a patch to do
what you want or a nice outline of how it can actually be done.

I'm not sure it's needed, but one way I could see something like this
being generally useful would be to add a check to the xinitrc-common
script to source the files in a dir (first in $HOME and then in /etc)
to read settings from.  That way you could override things like
SSH_AGENT to prevent it from being started.

Oh, and I just realized that even if you can't set SSH_AGENT_PID from
your bash startup before the xinitrc-common script runs (let me know
if you get a chance to try that, BTW), you could put a file in
/etc/X11/xinit/xinitrc.d/ which would set it.  Files in that dir are
sourced just before the ssh-agent code.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sometimes you get the blues because your baby leaves you. Sometimes
you get'em 'cause she comes back.
    -- B.B. King
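The following is an added example illustrating the approach Todd describes above; it is not the Fedora xinitrc-common code nor the script discussed in the thread. It reuses an agent that is already running (whoever started it), starts one only if none is reachable, loads the keys found on removable media with a lifetime via ssh-add -t, and can drop them again with ssh-add -D. The SSH_AGENT_PID/SSH_AUTH_SOCK names and ssh-add exit codes are the real ones; the function names, the /media/keys path and the dummy key files are assumptions for illustration. It is meant to be sourced, not executed, so the exported agent variables land in the calling shell, which is exactly what the xinitrc-common test looks at.

```shell
# agent_ctl.sh -- added example (not xinitrc-common, not the poster's
# script).  Source it: ". ./agent_ctl.sh", then call the functions.
# The /media/keys path in the usage note and the function names are
# assumptions; SSH_AGENT_PID, SSH_AUTH_SOCK and the ssh-add options
# are the real ssh-agent interface.

# agent_is_live: succeed only if SSH_AGENT_PID is a running process,
# SSH_AUTH_SOCK is a socket, and ssh-add can really talk to the agent.
# ssh-add -l exits 2 when no agent is reachable; 0 (keys) or 1 (none)
# both mean the agent answered.
agent_is_live() {
    [ -n "${SSH_AGENT_PID:-}" ] && [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    kill -0 "$SSH_AGENT_PID" 2>/dev/null || return 1
    [ -S "$SSH_AUTH_SOCK" ] || return 1
    command -v ssh-add >/dev/null 2>&1 || return 1
    _rc=0
    ssh-add -l >/dev/null 2>&1 || _rc=$?
    [ "$_rc" -ne 2 ]
}

# agent_ensure: reuse a live agent (for example the one xinitrc-common
# started at login); otherwise start a fresh one and export its
# variables into this shell.
agent_ensure() {
    if agent_is_live; then
        return 0
    fi
    eval "$(ssh-agent -s)" >/dev/null || return 1
    agent_is_live
}

# key_files_in DIR: print the private key files in DIR, one per line.
# A private key is recognised by its "-----BEGIN " PEM header; *.pub
# files and anything else on the media are skipped.
key_files_in() {
    _dir=$1
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        case "$_f" in *.pub) continue ;; esac
        head -n 1 "$_f" 2>/dev/null | grep -q '^-----BEGIN ' \
            && printf '%s\n' "$_f"
    done
    return 0
}

# agent_load_keys DIR [SECONDS]: add every key found on the removable
# media, with a lifetime (default one hour) so the identities expire
# from the agent even if agent_unload_keys is never called.
agent_load_keys() {
    _dir=$1
    _life=${2:-3600}
    [ -d "$_dir" ] || { echo "key media not mounted at $_dir" >&2; return 1; }
    key_files_in "$_dir" | while IFS= read -r _key; do
        ssh-add -t "$_life" "$_key"
    done
}

# agent_unload_keys: forget all identities now; the agent keeps running
# and can be reloaded later without restarting X.
agent_unload_keys() {
    ssh-add -D
}
```

Typical use from an interactive shell, after plugging in the media, would be `. ./agent_ctl.sh && agent_ensure && agent_load_keys /media/keys 1800`, followed by `agent_unload_keys` when done. Because SSH_AGENT_PID and SSH_AUTH_SOCK are exported by `agent_ensure`, a later run of xinitrc-common (or any other script applying the same test) sees the agent and does not start a second one.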
