About ssh-agent and ksshaskpass

Hi! New to the forum and to OpenSUSE!

Have a question/curiosity about ssh-agent and ksshaskpass.

I’m with KDE and set KWallet to automatically unlock at boot.

Then created the file ~/.config/plasma-workspace/env/askpass.sh with:

#!/bin/sh
# Tell ssh/ssh-add which askpass helper to run for passphrase prompts
export SSH_ASKPASS='/usr/libexec/ssh/ksshaskpass'
# Prefer the askpass helper over the terminal when one is available
export SSH_ASKPASS_REQUIRE='prefer'

This way when an ssh key passphrase is requested I receive a KDE popup that permanently stores the passphrase in the wallet. So far so good.

But I’m curious why I see many discussions where ksshaskpass is configured next to ssh-agent. Now, if ksshaskpass is capable of working correctly as I set it up, why do other people also configure ssh-agent in order to add their keys with ssh-add? Isn’t that unnecessary?

See these threads for example:

I’m missing something because it looks like ksshaskpass itself is capable of storing passwords when required and storing them forever.

Because

Ksshaskpass is a front-end for ssh-add

Thank you but still do not understand. I have not configured ssh-agent and I can store passphrases without issues. So why also store them elsewhere, in ssh-agent?

I mean, you usually add your keys with ssh-add and they are lost after reboot etc.

I just try to ssh into something and ksshaskpass asks for the passphrase, storing it permanently in the wallet.

Do not know if I’m explaining my point clearly.

Yes, passwords can be stored in Kwallet, and ksshaskpass manages that. But, by itself, that is useless.

When you use “ssh” to connect, it doesn’t talk to Kwallet or to ksshaskpass. It talks to “ssh-agent”. The others are just backends to help set this up.

“ssh-agent” is the intermediary that does the work.

I want to login to another site. But I don’t want the remote site to know the password of any of my private keys. The remote site sends a challenge that would require that I prove that I have the private key but without actually disclosing that private key. And “ssh-agent” answers that challenge. So “ssh-agent” needs the private key but it never discloses what that private key actually is. This is an important component of ssh security.

Right, I have to try again but if I’m not wrong it was able to pick the passphrase from the wallet automatically, without me ever configuring ssh-agent. That’s why I have this doubt. But will try again ASAP.

I’m not sure what you mean by “configuring ssh-agent”. I’m not aware of any configuration. Yes, there are some standard places where you can put keys if you want it to find them. But I have always preferred to put keys somewhere else and use “ssh-add” to tell it which key to use.

I mean in the threads linked in my first post. In the first there is a custom systemd service for ssh-agent. Something similar happens also in the second. I did nothing of this and it seems, but want to try again, that the system is able to pick keys from the wallet automatically.

I don’t think “systemd” is involved, other than in an indirect sense. The script there is a startup script that KDE calls when it is starting. The purpose of the script is to make sure that “ssh-agent” is running as part of your desktop session.

That linked thread is about setting up your system so that the keys are automatically loaded. And yes, “ksshaskpass” answers the password request for that loading. But “ssh-agent” is involved, because automatically loading the keys means automatically loading them into the running “ssh-agent” process.

No, it is not. ssh-agent is non-interactive, it just supplies loaded decrypted keys to ssh. When ssh needs to decrypt a key, it will directly invoke $SSH_ASKPASS program or ask you on your terminal. $SSH_ASKPASS is also invoked by ssh-add which is never used automatically by ssh-agent (ssh will also add keys to ssh-agent if AddKeysToAgent is enabled).

Well … in random order …

  • because that is what everyone was doing for years, what we read on the Internet and just blindly copy.
  • the agent connection can be forwarded to the remote system and used if you need to ssh from the remote system further. This eliminates the need to distribute your private keys to multiple systems.
  • KWallet works only in KDE, while ssh-agent works everywhere, so you use the same workflow in any desktop environment (and even without GUI).
  • ssh-agent never stores decrypted keys permanently and never stores your passphrases. Yes, KWallet is supposed to encrypt your passphrases, but it is still more secure to never store them at all than to store them even encrypted.

I guess others may add to this list.

But technically you are right, as long as you only ssh from one single system and only from within KDE you can use ksshaskpass without ssh-agent and the end effect will be the same.
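To make concrete what both nrickert and arvidjaar describe above (ssh talks to ssh-agent over a socket, the agent answers without ever handing out the private key, and the agent itself is non-interactive), here is a small client for the SSH agent protocol. This is an added example, not code from the thread or from OpenSSH; the function names (encode_message, decode_identities_answer, list_agent_keys) are mine, and the key list used in the offline check is constructed. The message numbers and the framing (uint32 length, type byte, SSH strings) follow the published agent protocol; SSH_AUTH_SOCK is the standard environment variable ssh-agent sets.

```python
"""Added example: speak the SSH agent protocol to the agent behind $SSH_AUTH_SOCK.

The agent only ever returns public key blobs and comments in answer to
REQUEST_IDENTITIES; the private keys stay inside the ssh-agent process.
If no agent is running, or it refuses, you get SSH_AGENT_FAILURE and no prompt:
the agent never asks for a passphrase itself (that is ssh-add's job).
"""
import os
import socket
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def encode_message(msg_type, payload=b""):
    """Frame an agent message: uint32 body length, then type byte, then payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def read_string(buf, offset):
    """Parse an SSH 'string' (uint32 length prefix + bytes) starting at offset."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def decode_identities_answer(msg):
    """Turn an SSH_AGENT_IDENTITIES_ANSWER body into a list of (key_type, comment)."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an IDENTITIES_ANSWER (agent refused or protocol error)")
    (count,) = struct.unpack_from(">I", msg, 1)
    offset = 5
    keys = []
    for _ in range(count):
        blob, offset = read_string(msg, offset)       # public key in wire format
        comment, offset = read_string(msg, offset)    # usually the key file comment
        key_type, _ = read_string(blob, 0)            # first string of the blob is its type
        keys.append((key_type.decode(), comment.decode(errors="replace")))
    return keys


def encode_identities_answer(keys):
    """Build an IDENTITIES_ANSWER body the way an agent would (for the offline check).

    The blobs here are constructed and carry only the key-type string; a real
    agent's blobs also contain the public key material (never the private key).
    """
    payload = struct.pack(">I", len(keys))
    for key_type, comment in keys:
        kt = key_type.encode()
        blob = struct.pack(">I", len(kt)) + kt
        payload += struct.pack(">I", len(blob)) + blob
        c = comment.encode()
        payload += struct.pack(">I", len(c)) + c
    return bytes([SSH_AGENT_IDENTITIES_ANSWER]) + payload


def recv_exact(sock, n):
    """Read exactly n bytes from the agent socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def list_agent_keys(sock_path=None):
    """Ask the running ssh-agent for the identities it currently holds."""
    sock_path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not sock_path:
        raise RuntimeError("SSH_AUTH_SOCK is not set: no agent in this session")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        sock.sendall(encode_message(SSH_AGENTC_REQUEST_IDENTITIES))
        (length,) = struct.unpack(">I", recv_exact(sock, 4))
        return decode_identities_answer(recv_exact(sock, length))


if __name__ == "__main__":
    # Needs a live agent; prints "ssh-ed25519 <comment>" style lines like `ssh-add -l` does.
    for key_type, comment in list_agent_keys():
        print(key_type, comment)
```

Run it inside a desktop session where ssh-agent is running and you get the same information `ssh-add -l` shows; run it with SSH_AUTH_SOCK unset and it fails immediately, which is exactly the case the thread is about: with only ksshaskpass and no agent, there is nothing listening on that socket, so ssh has to decrypt the key file itself (via SSH_ASKPASS) on every connection.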

