Re: Defering passphrase entry with ssh-add - openssh
> Perhaps there's a limitation in the way that ssh communicates with
> the agent.
I suspect this is true: it checks for valid credentials in the agent but
continues with the other PreferredAuthentications mechanisms if none are found
(i.e. the password prompt). I suspect it is not in the habit of calling the
agent to add keys, only of checking whether it currently has keys. There are
several drawbacks to ssh adding all the keys it finds every time you try
an ssh session:
1. You could have unprotected keys being cached, a potential security
threat, especially if someone else has root access to that machine: they
now have access to all your other machines too (and your own machines
outside your company if you use the same key) or you'd be prompted he
Perhaps ssh itself needs to be adjusted to do this,
2. You could be prompted for a key passphrase, enter it, the key may not
be valid for that remote machine and you'd get 2 password prompts for 1
connection, which is wasteful and annoying.
3. You could dismiss the passphrase prompt, causing the key loading to
fail and therefore be bothered by this thing retrying every single time
you open an ssh connection, which for some of us is countless times a day...
The only way to prevent these conditions would be to decide whether ssh
tries to load key behaviours, and this would require a switch of some
kind, but I don't remember seeing such a switch anywhere.
So for now, I think the bash solution is the best one. Until the ssh
guys write this feature in, if it is not already in the package somewhere...
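One shape the "bash solution" can take, as an added example rather than the poster's own script: a wrapper that asks the agent whether it already holds keys and calls ssh-add only when it does not, with a bounded key lifetime and an opt-out switch. It assumes OpenSSH's ssh-add, whose `ssh-add -l` exits 0 (identities listed), 1 (agent has no identities) or 2 (agent unreachable); the SSH_ADD_LIFETIME and SSH_NO_ADD variable names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Defers the passphrase
# prompt to the first ssh call instead of running ssh-add at login.

# Map the exit status of `ssh-add -l` to the action the wrapper takes.
# No side effects, so it can be checked without a running agent.
plan_for_status() {
  case "$1" in
    0) echo connect ;;                # keys cached: nothing to add
    1) echo add-then-connect ;;       # agent up but empty: load keys first
    2) echo connect-without-agent ;;  # no agent: let ssh fall back to its own prompts
    *) echo connect-without-agent ;;  # unknown status: do not guess
  esac
}

# Load keys with a lifetime (-t) so a cached key is not usable forever
# (drawback 1 above). A dismissed or failed prompt is reported once and
# the connection still goes ahead (drawback 3).
add_keys_bounded() {
  lifetime=${SSH_ADD_LIFETIME:-1h}   # hypothetical knob, default one hour
  if ! ssh-add -t "$lifetime"; then
    echo "ssh-add failed or was dismissed; continuing without agent keys" >&2
    return 1
  fi
}

# Drop-in replacement for ssh, e.g. `alias ssh=ssh_with_keys` in ~/.bashrc.
ssh_with_keys() {
  # SSH_NO_ADD is the "switch" the post says ssh itself lacks: set it to
  # skip the agent check entirely for this shell.
  if [ -n "$SSH_NO_ADD" ]; then
    command ssh "$@"
    return
  fi
  if ssh-add -l >/dev/null 2>&1; then status=0; else status=$?; fi
  case "$(plan_for_status "$status")" in
    add-then-connect) add_keys_bounded || true ;;
    connect-without-agent)
      echo "ssh_with_keys: no usable ssh-agent (ssh-add status $status)" >&2 ;;
  esac
  command ssh "$@"
}
```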