How to start ssh-agent as systemd service? There are some suggestions in the net, but they are not complete.
How to add automatically unencrypted keys if ssh-agent service was started successfully? Probably, adding keys from the list of ~/.ssh/.session-keys would be good.
How to set SSH_AUTH_SOCK in any login session afterwards? The most correct way is to push it from ssh-agent service to systemd-logind service (have no idea if it's ever possible). The plain naive way is just add it to /etc/profile.
- What's missing from the suggestions on the net? – Mark Stosberg Jan 24 '17 at 21:43
To create a systemd ssh-agent service, you need to create a file in ~/.config/systemd/user/ssh-agent.service because ssh-agent is user isolated.
[Unit]
Description=SSH key agent
[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
[Install]
WantedBy=default.target
Add SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/ssh-agent.socket" to ~/.pam_environment.
Finally enable and start this service.
systemctl --user enable ssh-agent
systemctl --user start ssh-agent
And, if you are using an ssh version higher than 7.2:
echo 'AddKeysToAgent yes' >> ~/.ssh/config
This will instruct the ssh client to always add the key to a running agent, so there's no need to ssh-add it beforehand.
Note that when you create the ~/.ssh/config file you may need to run:
chmod 600 ~/.ssh/config
or
chown $USER ~/.ssh/config
Otherwise, you might receive the Bad owner or permissions on ~/.ssh/config error.
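The following is an added example, not part of the original answer: a shell check of the three things the answer sets up (the SSH_AUTH_SOCK value, the agent socket, and the ~/.ssh/config permissions). The function names are hypothetical and it assumes GNU stat, as found on Linux systems running systemd.

```shell
#!/bin/sh
# Added example: sanity checks for the ssh-agent user unit described above.
# Assumes GNU stat (Linux). Function names are hypothetical.

# OpenSSH's rule for a per-user config file: owned by the current user
# or root, and not writable by group or others. 0 = ssh would accept it,
# 1 = "Bad owner or permissions", 2 = file missing or unreadable.
config_perms_ok() {
    [ -f "$1" ] || return 2
    owner=$(stat -L -c %u "$1") || return 2
    mode=$(stat -L -c %a "$1") || return 2
    [ "$owner" -eq "$(id -u)" ] || [ "$owner" -eq 0 ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1   # group/other write bits
}

# The agent socket should be a Unix socket owned by the current user
# with no group/other access (ssh-agent creates it that way).
agent_socket_ok() {
    [ -S "$1" ] || return 1
    [ "$(stat -c %u "$1")" -eq "$(id -u)" ] || return 1
    [ $(( 0$(stat -c %a "$1") & 077 )) -eq 0 ] || return 1
}

# Print one line per finding; return the number of problems found.
report() {
    problems=0
    # Path the unit's %t/ssh-agent.socket expands to for a user service.
    want="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/ssh-agent.socket"
    if [ "${SSH_AUTH_SOCK:-}" != "$want" ]; then
        echo "SSH_AUTH_SOCK='${SSH_AUTH_SOCK:-}' but the unit listens on $want"
        problems=$((problems + 1))
    fi
    if ! agent_socket_ok "$want"; then
        echo "$want: missing, not a socket, or wrong owner/mode"
        problems=$((problems + 1))
    fi
    cfg="${HOME}/.ssh/config"
    rc=0; config_perms_ok "$cfg" || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "$cfg: ssh will refuse it (Bad owner or permissions)"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Source the file in a fresh login session and run `report`; mode 644 passes the config check as well as 600, because only group/other write access is rejected.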
- launchd on OS X is set to start ssh-agent when a Unix socket is accessed (and the SSH_AUTH_SOCK variable is prepopulated with the path...) (like inetd, but a Unix socket). This seems possible with systemd as well. (Whether a system-wide service is an option for a per-user service might be interesting to see....) – Gert van den Berg Feb 26 '18 at 10:49
- I get Failed to execute operation: Process org.freedesktop.systemd1 exited with status 1 when I run systemctl --user enable ssh-agent on centos7 – scarba05 Mar 18 '19 at 8:51
- @nealmcb You must have SSH_AUTH_SOCK set elsewhere in your system, otherwise ssh would never see it. And unless I'm missing something, Environment and ExecStartPre aren't needed at all. – Alec Mev May 8 at 21:13
- @AlecMev Hmm - you may well be right. I was probably trying different things, and notice that I have SSH_AUTH_SOCK set in my .profile. Sorry for the confusion. – nealmcb May 9 at 22:10
This is not supported if you are using centos 7 because it will not support the --user flag of systemctl. See this centos bug report, Systemd User Support is Broken on Delivery