  1. How to start ssh-agent as a systemd service? There are some suggestions on the net, but they are not complete.

  2. How to automatically add unencrypted keys if the ssh-agent service was started successfully? Probably, adding keys from the list of ~/.ssh/.session-keys would be good.

  3. How to set SSH_AUTH_SOCK in any login session afterwards? The most correct way is to push it from the ssh-agent service to the systemd-logind service (have no idea if it's ever possible). The plain naive way is to just add it to /etc/profile.

  • What's missing from the suggestions on the net? – Mark Stosberg Jan 24 '17 at 21:43

To create a systemd ssh-agent service, you need to create a file in ~/.config/systemd/user/ssh-agent.service because ssh-agent is user isolated.

[Unit]
Description=SSH key agent

[Service]
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target

Add SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/ssh-agent.socket" to ~/.pam_environment.

Finally enable and start this service.

systemctl --user enable ssh-agent
systemctl --user start ssh-agent

And, if you are using an ssh version higher than 7.2:

echo 'AddKeysToAgent yes' >> ~/.ssh/config

This will instruct the ssh client to always add the key to a running agent, so there’s no need to ssh-add it beforehand.

Note that when you create the ~/.ssh/config file you may need to run:

chmod 600 ~/.ssh/config or chown $USER ~/.ssh/config

Otherwise, you might receive the Bad owner or permissions on ~/.ssh/config error.

  • launchd on OS X is set to start ssh-agent when a Unix socket is accessed (and the SSH_AUTH_SOCK variable is prepopulated with the path...) (like inetd, but a Unix socket). This seems possible with systemd as well. (Whether a system-wide service is an option for a per-user service might be interesting to see....) – Gert van den Berg Feb 26 '18 at 10:49
  • I get Failed to execute operation: Process org.freedesktop.systemd1 exited with status 1 when I run systemctl --user enable ssh-agent on centos7 – scarba05 Mar 18 '19 at 8:51
  • @nealmcb You must have SSH_AUTH_SOCK set elsewhere in your system, otherwise ssh would never see it. And unless I'm missing something, Environment and ExecStartPre aren't needed at all. – Alec Mev May 8 at 21:13
  • @AlecMev Hmm - you may well be right. I was probably trying different things, and notice that I have SSH_AUTH_SOCK set in my .profile. Sorry for the confusion. – nealmcb May 9 at 22:10
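
The `echo 'AddKeysToAgent yes' >> ~/.ssh/config` step in the answer above appends to the end of the file, where the directive falls under whichever `Host` block comes last, and it appends again on every run. The following is an added example, not part of the original answer: it adds the directive once under `Host *` and applies the owner/mode test behind the "Bad owner or permissions" error. The function names are hypothetical and GNU `stat` (Linux) is assumed.

```shell
#!/bin/sh
# Added example (not from the answer). Assumes GNU stat; function names are hypothetical.

# OpenSSH rejects a user config that is owned by someone other than the
# current user or root, or that is writable by group or others (mode & 022).
config_perms_ok() {
    owner=$(stat -c '%u' "$1") || return 2
    mode=$(stat -c '%a' "$1") || return 2
    [ "$owner" = "$(id -u)" ] || [ "$owner" = 0 ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Add "AddKeysToAgent yes" once, under "Host *", so it is not silently scoped
# to the last Host block in the file. An existing AddKeysToAgent line
# (any case, any block) is left alone. The file ends up mode 600.
ensure_add_keys_to_agent() {
    cfg=$1
    ( umask 077; mkdir -p "$(dirname "$cfg")"; touch "$cfg" )
    if ! grep -qi '^[[:space:]]*AddKeysToAgent' "$cfg"; then
        printf '\nHost *\n    AddKeysToAgent yes\n' >> "$cfg"
    fi
    chmod 600 "$cfg"
}

# Demo on a constructed config in a temp directory; ~/.ssh is never touched.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'Host example\n    User alice\n' > "$dir/config"  # constructed sample
    chmod 664 "$dir/config"                                  # group-writable
    config_perms_ok "$dir/config" || echo "before: ssh would reject this file"
    ensure_add_keys_to_agent "$dir/config"
    ensure_add_keys_to_agent "$dir/config"                   # no duplicate added
    config_perms_ok "$dir/config" && echo "after: owner and mode accepted"
    cat "$dir/config"
    rm -rf "$dir"
}
demo
```

To apply it to a real setup, call `ensure_add_keys_to_agent ~/.ssh/config` instead of `demo`.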

This is not supported if you are using CentOS 7 because it will not support the --user flag of systemctl. See this CentOS bug report, Systemd User Support is Broken on Delivery.
