what is ssh-agent?

Chris G cl at isbd.net
Sun May 4 08:18:46 UTC 2008


On Sun, May 04, 2008 at 04:04:32AM -0400, Cliff wrote:
>  Should be fine. As I said ssh-agent gets installed when you install ssh.
>  However, if you are not using a service whether ssh or whatever then it
>  is probably best to turn it off.
> 
> 
> 
>  You probably can't turn it off, not in any sort of proper
>  configuration driven way anyway.  I wanted to turn it off on my system
>  and it appears to be hard coded into the xdm/gdm/kdm startup scripts.
>  ssh-agent will be started if it exists, you'd have to edit the scripts
>  to stop it.
> 
>  For my situation ssh-agent is pointless, my desktop stays up all day
>  (both at home and at work) so once a password is entered into
>  ssh-agent anyone walking up to my machine can use the remote ssh logins.
>  Hence I just set up for passwordless login (i.e. public key) and
>  ignore ssh-agent, all ssh-agent does is add more hassle.
> 
> 
> 
>    Here is what I found:
> 
>    SSH Agent is a graphical front-end to some of the OpenSSH tools
>    included with Mac OS X. Specifically, it allows you to start an
>    ssh-agent, generate identities, and add identities to an agent.
>    Additionally, it allows you to make the ssh-agent global so that, e.g.,
>    Xcode can use it to do version control over SSH, and it has some
>    functionality to set-up a secure tunnel.
> 
>    This is the website I got it from:    http://www.phil.uu.nl/~xges/ssh/
> 
>    See also:    http://en.wikipedia.org/wiki/Ssh-agent
> 
>    From what I understand, you would NOT want to remove it, if I read the
>    thread right.  Granted, it may be a hassle.
>    It may be protecting your machine, unbeknown to you.
> 
This is what I was trying to explain.  I know what ssh-agent does, it
*tries* to make it simpler to use ssh by allowing you to enter the ssh
key once only for a session (as in X session).  This means that you
don't have to enter your ssh key every time you use ssh to login to
another system.

What I was saying is that this doesn't add any security for me as my
sessions are left on all day (or even more) so once I had started up
and entered my ssh key for the session it's adding no security at all,
anyone with access to my machine could use my ssh connections.  My
machines are in relatively secure environments and my ssh connections
don't hide any seriously secret information so I'm quite happy with
the level of (basically physical) security that I have.

For me using ssh public key authentication with no passphrase offers
the same level of security as would using ssh-agent and I don't have
to enter a passphrase at all.  If someone has physical access to my
machine then they can see my keys (as I have no passphrase) but if
they have physical access to my machine and I'm running ssh-agent
although they don't get access to my keys they can use the ssh
connections anyway so it makes no significant difference.

ssh-agent is a useful utility in some circumstances but, in my
opinion, doesn't offer me much.  It's a pity it can't be turned off
easily, if you don't use it then it does nothing but is one of those
processes that provokes threads like this one - "what's it for?".

-- 
Chris Green
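
An added example, not part of the original message: the trade-off discussed above depends on whether a private key file is stored with or without a passphrase, and this sketch checks that from the file's text alone. It goes beyond the thread by also covering the newer OpenSSH key format; the function names and the sample inputs are constructed for illustration and contain no real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"  # header of the newer OpenSSH private key format


def key_is_passphrase_protected(text):
    """True if encrypted at rest, False if not, None if the format is unrecognised."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        return None
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8, encrypted
        return True
    if label == "PRIVATE KEY":             # PKCS#8, plain
        return False
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return None
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return None
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return cipher != b"none"           # cipher name "none" = no passphrase
    if label.endswith(" PRIVATE KEY"):     # legacy PEM (RSA/DSA/EC)
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    return None


def _openssh_sample(cipher):
    # Constructed stub: only the header fields the check reads, no key material.
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample inputs (not real keys).
SAMPLES = {
    "legacy_plain": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "legacy_encrypted": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "openssh_plain": _openssh_sample(b"none"),
    "openssh_encrypted": _openssh_sample(b"aes256-ctr"),
}


def audit(samples):
    return {name: key_is_passphrase_protected(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, protected in audit(SAMPLES).items():
        print(f"{name}: passphrase protected = {protected}")
```

To check real files, pass the text of each private key file to key_is_passphrase_protected(); a False result means anyone who can read the file holds a usable key.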



