I use ssh daily to log in to a couple servers I manage, and I use an ssh key to log in. Because I generated my ssh key with a password, the first time I use ssh in a day, I'm prompted for a password. I want this to periodically lock again throughout the day, so that someone getting access to my laptop while it's on doesn't necessarily get access to the servers. I can't find an option for this, and I also can't figure out a command to lock the key. If there is such a command, I could add it to crontab.

Probably the best option is simply not to use an ssh key.

  • You should never leave a computer unattended. Lock it when you leave. – Dr_Bunsen Jun 20 '19 at 09:07
  • A couple of approaches off the top of my head would be to start your ssh session with a timeout so that it cuts out after a certain period, which is not very fine grained. The other option is to set the ssh server to log you out after a period of inactivity. Neither of these are ideal, and both of them lead to a total disconnect, which is why I've not gone with an answer. – Arronical Jun 20 '19 at 09:12

2 Answers

You could just write a line in your $HOME/.bash_logout file that moves your SSH key from your ~/.ssh/ directory into a different directory? Then do the opposite in $HOME/.bash_login.

See this post about doing this with systemd.

Cody
You probably have a program called ssh-agent running. When you ssh to some other host, the ssh command communicates with that ssh-agent to maintain the keys and their passphrases.

By default, the ssh-agent remembers the passphrases forever (until logout) so you only have to enter it once for each key.

The command ssh-add is used to manage the list of identities the ssh-agent knows about.

To show the list of keys the ssh-agent knows, issue

ssh-add -l

To make it forget your keys and passphrases, issue

ssh-add -D

When you then ssh into some host, you will again be prompted for the passphrase.

It is also possible to supply a lifetime for a passphrase:

ssh-add -t 3600     # 1 hour

but this didn't work for me (or I did something wrong). I'd set up a cronjob that does ssh-add -D every N hours. This might be a bit tricky because ssh-add needs the environment variable SSH_AUTH_SOCK to communicate with the ssh-agent and that variable is presumably not set under cron.

But, as stated in a comment, you should not leave your laptop unattended while you're away but rather lock it instead.

PerlDuck
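The cron problem the answer raises, worked through as an added example that is not part of PerlDuck's answer: the login shell records SSH_AUTH_SOCK to a small file, and the cron job reads it back before calling ssh-add -D, refusing to act if the recorded socket no longer exists. The record path $HOME/.ssh/agent.env, the script name and the crontab schedule are assumptions.

```shell
#!/bin/sh
# Added example (not PerlDuck's code): record the agent socket at login so a
# cron job can later run `ssh-add -D` against the same ssh-agent.
# Assumed location of the record file (keep it inside a mode-0700 directory):
AGENT_ENV=${AGENT_ENV:-"$HOME/.ssh/agent.env"}

# Run from the interactive login shell (e.g. sourced in ~/.bash_login), where
# the agent has already exported SSH_AUTH_SOCK.
save_agent_env() {
    if [ -z "$SSH_AUTH_SOCK" ]; then
        echo "save_agent_env: SSH_AUTH_SOCK is not set" >&2
        return 1
    fi
    # Subshell so the restrictive umask does not leak into the caller; the file
    # names a socket that grants use of the loaded keys, so keep it private.
    ( umask 077 && printf 'SSH_AUTH_SOCK=%s\n' "$SSH_AUTH_SOCK" > "$AGENT_ENV" )
}

# Print the recorded socket path; fail if the record is missing or the agent
# that owned the socket is gone (a stale file after a reboot, for example).
load_agent_sock() {
    [ -r "$AGENT_ENV" ] || return 1
    sock=$(sed -n 's/^SSH_AUTH_SOCK=//p' "$AGENT_ENV")
    [ -n "$sock" ] && [ -S "$sock" ] || return 1
    printf '%s\n' "$sock"
}

# Cron job body: make the agent forget every identity, so the next ssh prompts
# for the passphrase again. Assumed crontab line (every 4 hours):
#   0 */4 * * *  . "$HOME/bin/agent-lock.sh" && lock_keys
lock_keys() {
    sock=$(load_agent_sock) || {
        echo "lock_keys: no live agent socket recorded in $AGENT_ENV" >&2
        return 1
    }
    SSH_AUTH_SOCK=$sock ssh-add -D
}
```

Because the record names a live socket, `lock_keys` does nothing (and says so) when the agent has been restarted, instead of silently trying a dead path.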