From: Andrew Tridgell
Subject: tip of the day (ssh-agent)
Date: Wed, 1 Sep 1999 23:39:52 +1000
This tip is for those of you who use ssh but are too lazy to
blasted pass phrase every time you want to connect to a host. Most
people respond to this by setting a null pass phrase, but that really
isn't a good idea. Doing that means that your secret key is stored in
plain unencrypted format in your ~/.ssh/ directory which is bad news
for security and just plain silly if your home directory is mounted by
So how do you use a pass phrase and avoid typing it every
use ssh-agent. ssh-agent sits in the background and holds keys that
you decode (just once!) with ssh-add.
If you use an X display manager (a graphical login) then you
add the following to your .xsession file (on some systems you may be
using a .Xclients or .xinitrc).
add that line just before the line that starts your window
manager. Then after the window manager line add this:
that will kill off ssh-agent after you exit.
My full .xsession file looks like this:
after you login you then run the command ssh-add to decode
private key and store the results in ssh-agent. Just run it once per
login and all your ssh commands will proceed without any pass phrase
If you don't use a graphical login then you might prefer to
within an ssh-agent environment like this:
that will have much the same effect, and doesn't need the
at the end to tidy up.
Another tip, if you were lazy in the past and didn't set a
for your ssh key then set one now using "ssh-keygen -p". Having your
private ssh key in plain text on disk really isn't a good idea!
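The .xsession layout described above, written out as an added example (this is not Tridge's own file, which the page does not reproduce): the agent is started before the window manager, the keys are decoded once, and the agent is killed when the window manager exits. It assumes OpenSSH's ssh-agent and ssh-add; the window manager name ($WM, defaulting to twm) and the function names are my own placeholders.

```shell
#!/bin/sh
# Added example, not the original post's .xsession. Assumes OpenSSH's
# ssh-agent/ssh-add; $WM names the window manager (twm is a placeholder).

WM="${WM:-twm}"

# Start an agent for this login and export SSH_AUTH_SOCK and SSH_AGENT_PID
# into this shell, so every program launched from here inherits them.
start_agent() {
    # -s forces Bourne-style output whatever $SHELL is; eval'ing it sets and
    # exports the two variables (the trailing "echo Agent pid" is discarded).
    eval "$(ssh-agent -s)" >/dev/null || return 1
    [ -S "$SSH_AUTH_SOCK" ]          # the agent socket must exist
}

# Decode the default keys (or those named as arguments) once per login.
# With stdin closed and DISPLAY set, ssh-add has no terminal to read from
# and asks for the pass phrase through the SSH_ASKPASS program instead.
add_keys() {
    ssh-add "$@" </dev/null
}

# Kill the agent started above so the decoded keys do not outlive the session.
stop_agent() {
    [ -n "${SSH_AGENT_PID:-}" ] || return 0
    # -k kills the agent named by SSH_AGENT_PID and prints "unset ..." lines,
    # so eval'ing its output also clears the two variables here.
    eval "$(ssh-agent -k)" >/dev/null
}

# The session: agent, then keys, then the window manager run in the
# foreground (not exec'd), so control returns here to tidy up when it exits.
run_session() {
    start_agent || exit 1
    add_keys
    "$WM"
    stop_agent
}

# Only run a session when installed under one of the usual startup names;
# read from anywhere else, this file just defines the functions above.
case "$(basename -- "$0")" in
    .xsession|.Xclients|.xinitrc) run_session ;;
esac
```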
I just have a few things to add to Tridge's message.
When I was first setting up ssh-agent so very long ago, I was
quite a while, because my X setup used .Xclients instead of .xsession for
the startup file. I don't remember all the details, but I think it was
something crazy like xdm uses .xsession and startx uses .Xclients.
Anyhow, just to be safe, I symlinked .xsession to .Xclients.
But I soon ran across two other problems. I wanted to run a
of programs on startup of X, and I didn't like having to re-add my key for
every xterm. My sysadmin showed me another solution. It turns out that
ssh-add knows how to put up a graphical window if it is run in the right
Here's my .Xclients file
exec /usr/local/bin/ssh-agent ~/.Xclients_local
and then my .Xclients_local (edited a bit b/c you get the
point, and it's
#!/bin/sh
# .Xclients_local -- Put programs to run on X startup in here
# Add startup programs here
xsetroot -solid black
xclock -geometry 60x60+5+45 &
xload -geometry 60x50+5+115 &
xbiff -geometry 60x60+5+175 -update 5 &
# display if I have new mail on hal
ssh hal.rescomp.berkeley.edu xbiff -geometry 60x60+5+235 -update 5 &
# This creates a window to grab your console messages.
# Exiting this window does _not_ log you out however
xterm -ls -C -T console -geometry 114x43+80+5 &
#xterm -T hal -geometry 115x43+78+600 -e ssh hal.rescomp.berkeley.edu &
# Note that this is the last line, and it doesn't have a
# clean up ssh stuff
ssh-add would work on some machines just as is, and on others
</dev/null. I never quite figured out which was which, so just try it
both ways. It has something to do with whether you launched it from xdm
or startx, and whether it thinks it's in console mode or X mode.
The other really nice thing about setting it up this way is
_entire_ X session has your key, not just your terminals. That means you
can put, in your mouse menus, lines to start up connections to your
favorite servers and so on.
I also really like being able to use scp to all sorts of
machines just as though they were all local. No passwords needed no
matter which machine I'm copying to!
One last thing. If you have more than one ssh key, you can add
at startup. follow the ssh-add command with the path to your other keys.
ssh-add ~/.ssh/linuxcare key
If you have problems setting it up, just remember: ssh is a
Once you have it set up, you will love it.