49
  1. How to start ssh-agent as a systemd service? There are some suggestions on the net, but they are not complete.

  2. How to automatically add unencrypted keys if the ssh-agent service was started successfully? Probably, adding keys from the list of ~/.ssh/.session-keys would be good.

  3. How to set SSH_AUTH_SOCK in any login session afterwards? The most correct way is to push it from the ssh-agent service to the systemd-logind service (have no idea if it's ever possible). The plain naive way is to just add it to /etc/profile.

1
  • 1
    What's missing from the suggestions on the net? Commented Jan 24, 2017 at 21:43

2 Answers

91
  • To create a systemd ssh-agent service, you need to create a file in ~/.config/systemd/user/ssh-agent.service because ssh-agent is user isolated.
    [Unit]
    Description=SSH key agent
    
    [Service]
    Type=simple
    Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
    ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
    
    [Install]
    WantedBy=default.target
    
  • Add
    SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"
    
    to ~/.config/environment.d/ssh_auth_socket.conf.
  • Finally enable and start this service.
    systemctl --user enable --now ssh-agent
    
  • And, if you are using an ssh version higher than 7.2:
    echo 'AddKeysToAgent  yes' >> ~/.ssh/config
    
    This will instruct the ssh client to always add the key to a running agent, so there's no need to ssh-add it beforehand.

Note that when you create the ~/.ssh/config file you may need to run:

    chmod 600 ~/.ssh/config

or

    chown $USER ~/.ssh/config

Otherwise, you might receive the "Bad owner or permissions on ~/.ssh/config" error.
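A way to check the two things the answer above relies on, as an added example that is not part of the original answer: that ~/.ssh/config passes the ownership and mode test behind the "Bad owner or permissions" error, and that SSH_AUTH_SOCK points at a socket you own. The function names are hypothetical, and a `stat` that supports `-c` (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example: sanity checks for the user-level ssh-agent setup.
# Function names are hypothetical; assumes stat(1) supports -c.

# OpenSSH refuses a per-user config that is owned by someone other than
# the user or root, or that is writable by group or others.
# Returns 0 = acceptable, 1 = would be rejected, 2 = file missing.
check_ssh_config_perms() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    owner=$(stat -c '%u' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$(id -u)" ]; then
        echo "bad owner (uid $owner): $file" >&2
        return 1
    fi
    # 022 (octal) is the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group/other writable (mode $mode): $file" >&2
        return 1
    fi
    return 0
}

# The agent socket grants use of every loaded key, so it should be a
# real socket owned by the current user.
# Returns 0 = ok, 1 = wrong type or owner, 2 = no path given or set.
check_agent_socket() {
    sock=${1:-${SSH_AUTH_SOCK:-}}
    [ -n "$sock" ] || { echo "SSH_AUTH_SOCK is not set" >&2; return 2; }
    [ -S "$sock" ] || { echo "not a socket: $sock" >&2; return 1; }
    if [ "$(stat -c '%u' "$sock")" -ne "$(id -u)" ]; then
        echo "socket not owned by uid $(id -u): $sock" >&2
        return 1
    fi
    return 0
}

# Run as: sh check-agent.sh --audit   (script name is a placeholder)
if [ "${1:-}" = "--audit" ]; then
    check_ssh_config_perms "$HOME/.ssh/config" && echo "config: ok"
    check_agent_socket && echo "agent socket: ok ($SSH_AUTH_SOCK)"
fi
```

Note that mode 644 passes the check while 664 does not: the test is about write access by group or others, so `chmod 600` is sufficient but stricter than required.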

6
  • launchd on OS X is set to start ssh-agent when a Unix socket is accessed (and the SSH_AUTH_SOCK variable is prepopulated with the path...) (like inetd, but a Unix socket). This seems possible with systemd as well. (Whether a system-wide service is an option for a per-user service might be interesting to see....) Commented Feb 26, 2018 at 10:49
  • I get Failed to execute operation: Process org.freedesktop.systemd1 exited with status 1 when I run systemctl --user enable ssh-agent on centos7 Commented Mar 18, 2019 at 8:51
  • 2
    You can make ssh-agent exit after your last session by adding After=systemd-user-sessions.service user-runtime-dir@%i.service dbus.service and Requires=user-runtime-dir@%i.service to the [Unit] section. Commented Apr 18, 2021 at 11:48
  • @AlecMev Environment seems to be useful for other services started with systemd that might want to know SSH_AUTH_SOCK. Commented Apr 30, 2021 at 20:55
  • This setup persists through reSTART in Arch (i.e., logout/login, or i3 $mod <Shift> e ). It does not survive a reboot or a 'Reddit-tier IT Support stock answer' (i.e., "Turn it off then back on"). Commented Apr 23, 2023 at 5:36
1

This is not supported if you are using CentOS 7 because it will not support the --user flag of systemctl. See this CentOS bug report, "Systemd User Support is Broken on Delivery".

0
