[Sugar-devel] git problems (reprise)

Sascha Silbe sascha-ml-reply-to-2010-4 at silbe.org
Fri Dec 31 06:50:56 EST 2010


Excerpts from James Cameron's message of Fri Dec 31 03:56:22 +0100 2010:

> If so, you can delete the passphrase of the SSH key and you won't be
> prompted.  You can delete the passphrase by changing it to an empty
> passphrase.

That's certainly the easiest solution. And if your home directory (or
the entire storage device) is encrypted, it's even secure enough. But
for completeness I'd like to point out four other ways of getting rid
of the repeated pass phrase prompts, all of which I've used or still
use.

OpenSSH supports the "ssh-agent" protocol which will let a daemon handle
the private key operations, allowing the pass phrase to be cached. This
is the basis for all of the solutions:

1. libpam-ssh starts ssh-agent during login. It's easy to install
   system-wide, but for it to be fully transparent to the user the
   ssh key pass phrase must be the same as the account password and
   have been entered during login (i.e. it doesn't work well with
   automatic logins).

2. keychain can be added to the login scripts (~/.bash_profile /
   ~/.xsession) by an individual user. It starts or connects to
   ssh-agent. The daemon will keep running even after logout, so as a
   bonus even automated processes (e.g. cron jobs) will be able to use
   your credentials. If you're using a shared computer pool, the
   administrators might not like you leaving the daemon running, though.

3. Debian can start ssh-agent as part of the X session. The daemon is
   specific to the X session and will be killed afterwards. See
   /etc/X11/Xsession.options and Xsession.options(5). It might even
   be enabled by default.

4. gpg-agent has support for the ssh-agent protocol ("emulation").
   gpg-agent can be added to the login scripts by an individual user,
   will usually be session-specific and killed on logout.
   The advantage is that you need only a single daemon to handle both
   PGP and SSH keys. Keys only need to be added once; no need to run
   ssh-add on every login. It also supports the OpenPGP card, so you
   can have your SSH key on a smartcard (in addition to the PGP key).


There's also gnome-keyring, but I don't use it (I'm not even sure it
could do everything I need).

Sascha

-- 
http://sascha.silbe.org/
http://www.infra-silbe.de/
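
The "start or connect to ssh-agent" behaviour that option 2 describes, sketched as login-script functions. This is an added example, not part of the original message and not keychain's own code; the function names and the `~/.ssh/agent.env` path are assumptions. The saved agent settings are parsed rather than sourced, and ignored if anyone else could have written the file.

```shell
# Added example (hypothetical names/paths): reuse a running ssh-agent or start one.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"   # assumed location of saved settings

# Read SSH_AUTH_SOCK / SSH_AGENT_PID from saved `ssh-agent -s` output.
# The file is parsed, never executed, and rejected unless it is a regular
# file owned by us and not writable by group or others.
load_agent_env() {
    f=$1
    [ -f "$f" ] && [ -O "$f" ] || return 1
    [ -n "$(find "$f" -prune ! -perm -020 ! -perm -002)" ] || return 1
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$f")
    pid=$(sed -n 's/^SSH_AGENT_PID=\([0-9][0-9]*\);.*/\1/p' "$f")
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    SSH_AUTH_SOCK=$sock
    SSH_AGENT_PID=$pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# Usable means the socket exists and the agent answers. `ssh-add -l` exits
# 0 (keys listed) or 1 (no keys yet) when it can reach the agent, 2 when not.
agent_usable() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -lt 2 ]
}

# Connect to an agent from this session or an earlier login, else start one.
ensure_agent() {
    agent_usable && return 0
    load_agent_env "$AGENT_ENV" && agent_usable && return 0
    rm -f "$AGENT_ENV"
    (umask 077; ssh-agent -s > "$AGENT_ENV") || return 1
    load_agent_env "$AGENT_ENV"
}

# In ~/.bash_profile (prompts for the pass phrase only if no key is loaded):
#   ensure_agent && { ssh-add -l >/dev/null 2>&1 || ssh-add; }
```
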