[Sugar-devel] git problems (reprise)
Sascha Silbe
sascha-ml-reply-to-2010-4 at silbe.org
Fri Dec 31 06:50:56 EST 2010
Excerpts from James Cameron's message of Fri Dec 31 03:56:22 +0100 2010:

> If so, you can delete the passphrase of the SSH key and you won't be
> prompted. You can delete the passphrase by changing it to an empty
> passphrase.

That's certainly the easiest solution. And if your home directory (or
the entire storage device) is encrypted, it's even secure enough. But
for completeness I'd like to point out four other ways of getting rid
of the repeated pass phrase prompts, all of which I've used resp. do
still use.

OpenSSH supports the "ssh-agent" protocol which will let a daemon handle
the private key operations, allowing the pass phrase to be cached. This
is the basis for all of the solutions:

1. libpam-ssh starts ssh-agent during login. It's easy to install
   system-wide, but for it to be fully transparent to the user the
   ssh key pass phrase must be the same as the account password and
   have been entered during login (i.e. it doesn't work well with
   automatic logins).

2. keychain can be added to the login scripts (~/.bash_profile /
   ~/.xsession) by an individual user. It starts resp. connects to
   ssh-agent. The daemon will keep running even after logout, so as a
   bonus even automated processes (e.g. cron jobs) will be able to use
   your credentials. If you're using a shared computer pool, the
   administrators might not like you leaving the daemon running, though.

3. Debian can start ssh-agent as part of the X session. The daemon is
   specific to the X session and will be killed afterwards. See
   /etc/X11/Xsession.options and Xsession.options(5). It might even
   be enabled by default.

4. gpg-agent has support for the ssh-agent protocol ("emulation").
   gpg-agent can be added to the login scripts by an individual user,
   will usually be session-specific and killed on logout.
   The advantage is that you need only a single daemon to handle both
   PGP and SSH keys. Keys only need to be added once; no need to run
   ssh-add on every login. It also supports the OpenPGP card, so you
   can have your SSH key on a smartcard (in addition to the PGP key).

There's also gnome-keyring, but I don't use it (I'm not even sure it
could do everything I need).

Sascha
--
http://sascha.silbe.org/
http://www.infra-silbe.de/
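
A login-script sketch of the "start or connect to ssh-agent" behaviour described for option 2, added here as an example; it is not part of the original message and is not keychain's own code. The names `agent_state`, `ensure_agent`, `AGENT_ENV`, `KEY_LIFETIME` and `SSH_ADD_CMD` are assumptions of this sketch, and it assumes `~/.ssh` already exists. Because an agent that outlives the login keeps the decrypted key usable, the key is added with a lifetime.

```shell
#!/bin/sh
# Added example: source this from ~/.bash_profile, then call ensure_agent.
# All variable and function names below are hypothetical, chosen for this sketch.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"   # where the agent's socket/pid are saved
KEY_LIFETIME="${KEY_LIFETIME:-8h}"               # how long a key stays cached
SSH_ADD_CMD="${SSH_ADD_CMD:-ssh-add}"            # overridable so the logic can be tested

# Classify the agent using the exit status of "ssh-add -l":
#   0 = agent reachable and holding keys, 1 = reachable but empty,
#   2 (or anything else) = no agent could be contacted.
agent_state() {
    rc=0
    $SSH_ADD_CMD -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

ensure_agent() {
    # 1. Try the agent left running by an earlier login, if its details were saved.
    if [ "$(agent_state)" = unreachable ] && [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
    fi
    # 2. Saved details missing or stale: start a new agent, saving them mode 0600.
    if [ "$(agent_state)" = unreachable ]; then
        (umask 077; ssh-agent -s >"$AGENT_ENV") || return 1
        . "$AGENT_ENV" >/dev/null
    fi
    # 3. Prompt for the pass phrase only on an interactive terminal, and cache
    #    the key for KEY_LIFETIME rather than for as long as the agent runs.
    if [ "$(agent_state)" = empty ] && [ -t 0 ]; then
        $SSH_ADD_CMD -t "$KEY_LIFETIME" || :
    fi
    agent_state
}
```

Non-interactive jobs such as cron can source the same `AGENT_ENV` file to reach the agent, and only succeed while the key's lifetime has not expired.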