tramp and ssh-key passphrase

tramp and ssh-key passphrase

[lee]

Hi,

is there a way to have tramp cache the passphrase of the ssh key I'm
using to edit a remote file --- or some other way which doesn't require
me to enter the passphrase all the time?

It's asking for the passphrase every time emacs wants to perform an
autosave, and I don't really want to turn off autosaving or to use a key
that doesn't require a passphrase.

I wouldn't mind defaulting to autosaving locally when editing remote
files, though.  Maybe that can be done somehow?

The way it is kinda defeats the comfort of being able to edit remote
files ...


-- 
GNU Emacs 24.5.1 (x86_64-pc-linux-gnu, X toolkit)
 of 2015-09-26 on heimdali

Re: tramp and ssh-key passphrase

[Loris Bennett]

lee <lee@yagibdah.de> writes:

> Hi,
>
> is there a way to have tramp cache the passphrase of the ssh key I'm
> using to edit a remote file --- or some other way which doesn't require
> me to enter the passphrase all the time?
>
> It's asking for the passphrase every time emacs wants to perform an
> autosave, and I don't really want to turn off autosaving or to use a key
> that doesn't require a passphrase.
>
> I wouldn't mind defaulting to autosaving locally when editing remote
> files, though.  Maybe that can be done somehow?
>
> The way it is kinda defeats the comfort of being able to edit remote
> files ...

Try setting up an SSH agent.  That way you just have to enter the
passphrase once per session.

Cheers,

Loris

-- 
This signature is currently under construction.

Re: tramp and ssh-key passphrase

[Michael Albinus]

lee <lee@yagibdah.de> writes:

> Hi,

Hi,

> is there a way to have tramp cache the passphrase of the ssh key I'm
> using to edit a remote file --- or some other way which doesn't require
> me to enter the passphrase all the time?

There is the recommendation to use ssh-agent, which is always good.

Another solution would be (setq password-cache-expiry nil)

Best regards, Michael.

Re: tramp and ssh-key passphrase

[Peter Münster]

[-- Attachment #1: Type: text/plain, Size: 761 bytes --]

On Mon, Feb 29 2016, Michael Albinus wrote:

> There is the recommendation to use ssh-agent, which is always good.

Indeed.

And if
- you want to type the passphrase only once at the start of your
  X-session
- and your ssh-passphrase is the same as your gpg-passphrase
- and the passphrase should never expire
- and ssh-connections should work from cron-jobs,

then you could
- copy the attached askpass.lisp file to ~/bin
- and fill the list of the fingerprints
- and copy the attached gpg-agent.conf to ~/.gnupg
- and put these 2 lines to your ~/.xinitrc:
  SSH_ASKPASS=~/bin/askpass.lisp ssh-add
  echo $SSH_AUTH_SOCK >~/.ssh/ssh-auth-sock
- and start your cron-job shell scripts with
  export SSH_AUTH_SOCK=`cat ~/.ssh/ssh-auth-sock`

-- 
           Peter

[-- Attachment #2: askpass.lisp --]
[-- Type: application/octet-stream, Size: 633 bytes --]

#!/usr/bin/sbcl --script

;; vielleicht so:
;; gpg --list-secret-keys --with-fingerprint --with-fingerprint --with-colon
;; --list-options no-show-unusable-uids,no-show-unusable-subkeys | sed -rn 's/^fpr:::::::::(.*):/\1/p'

(defvar *fingerprints*
  (list "XXX"
        "YYY"
        "ZZZ"))

(with-output-to-string (out)
  (run-program "/usr/lib/ssh/ssh-askpass" nil :output out)
  (let ((s (get-output-stream-string out)))
    (dolist (fp *fingerprints*)
      (with-input-from-string (in s)
        (run-program "/usr/lib64/gpg-preset-passphrase" (list "--preset" fp)
                     :input in :output nil)))
    (princ s)))

[-- Attachment #3: gpg-agent.conf --]
[-- Type: text/plain, Size: 74 bytes --]

allow-preset-passphrase
default-cache-ttl 99999999
max-cache-ttl 99999999

Re: tramp and ssh-key passphrase

[lee]

"Loris Bennett" <loris.bennett@fu-berlin.de> writes:

> lee <lee@yagibdah.de> writes:
>
>> Hi,
>>
>> is there a way to have tramp cache the passphrase of the ssh key I'm
>> using to edit a remote file --- or some other way which doesn't require
>> me to enter the passphrase all the time?
>>
>> It's asking for the passphrase every time emacs wants to perform an
>> autosave, and I don't really want to turn off autosaving or to use a key
>> that doesn't require a passphrase.
>>
>> I wouldn't mind defaulting to autosaving locally when editing remote
>> files, though.  Maybe that can be done somehow?
>>
>> The way it is kinda defeats the comfort of being able to edit remote
>> files ...
>
> Try setting up an SSH agent.  That way you just have to enter the
> passphrase once per session.

Thanks, I tried, and it only says


,----
| Could not add card ".ssh/[...]": agent refused operation
`----


when I try to add a key, so I killed it.  The agent had been started
with


,----
| eval $(ssh-agent)
`----


in my .xinitrc.

This is awful because it requires me to exit the X session to get the
ssh-agent to work.  I won't do much experimenting on this ...


-- 
GNU Emacs 24.5.1 (x86_64-pc-linux-gnu, X toolkit)
 of 2016-03-18 on heimdali

Re: tramp and ssh-key passphrase

[lee]

Michael Albinus <michael.albinus@gmx.de> writes:

> lee <lee@yagibdah.de> writes:
>
>> Hi,
>
> Hi,
>
>> is there a way to have tramp cache the passphrase of the ssh key I'm
>> using to edit a remote file --- or some other way which doesn't require
>> me to enter the passphrase all the time?
>
> There is the recommendation to use ssh-agent, which is always good.
>
> Another solution would be (setq password-cache-expiry nil)

Cool, I'll try that because the ssh-agent doesn't work.


-- 
GNU Emacs 24.5.1 (x86_64-pc-linux-gnu, X toolkit)
 of 2016-03-18 on heimdali

Re: tramp and ssh-key passphrase

[Jorge A. Alfaro-Murillo]

lee writes:

> "Loris Bennett" <loris.bennett@fu-berlin.de> writes: 
>> 
>> Try setting up an SSH agent.  That way you just have to enter 
>> the passphrase once per session. 
> 
> Thanks, I tried, and it only says 
>  
> ,---- | Could not add card ".ssh/[...]": agent refused operation 
> `----

You are supposed to have a key in your .ssh, if not do something 
like

#+BEGIN_SRC shell
  cd ~/.ssh
  ssh-keygen -t rsa -b 4096 -o -a 100 
#+END_SRC

You would then have to copy the content of id_rsa.pub into 
~/.ssh/authorized_keys of the machine you want to login onto.
 
> when I try to add a key, so I killed it.  The agent had been 
> started with 
>  
> ,---- | eval $(ssh-agent) `---- 
>  
> in my .xinitrc. 
> 
> This is awful because it requires me to exit the X session to 
> get the ssh-agent to work.  I won't do much experimenting on 
> this ...

You should only start the ssh-agent once per session, that is the 
whole point of it. Actually it should start automatically.

You can try:

#+BEGIN_SRC shell
  killall ssh-agent
  eval `ssh-agent -s`
#+END_SRC

Then do

#+BEGIN_SRC shell
  ssh-add
#+END_SRC

right after you login. It will ask for the password of your id_rsa 
key, and then let you connect for the rest of your session.
 
Best,
-- 
Jorge.