Disabling Password-less SSH Connections

Tuesday, June 10th, 2008

I use Ubuntu on a server I use for software development over a VNC session. This is how I learned to do Java software development way back in 2000 at one of my first jobs, and the habit stuck. I recently upgraded to Ubuntu 8.04 LTS (via a completely straightforward and painless upgrade process, I might add) and noticed that something strange was happening: after entering my ssh key password once in a session, I was not asked for it again. Ever.

I leave myself logged into this machine for months at a time, and I never lock it. The only locking you might consider is that I disconnect from the VNC session and re-connecting requires a password. However, I have access to some sensitive information for my job and I’m a little leery when I’m allowed access to things unchallenged.

First, I thought something really fishy was going on, until I started reading man pages and doing a little digging. I found out about ssh-agent (which I had previously never heard of, since I’m usually using command-line-only interfaces) which did not appear to be running. Oddly enough, using ssh-add to flush all cached keys did work, so I was certain that the ssh-agent was lurking somewhere — I just hadn’t found it, yet.

Finally, today, I got fed up and apparently entered the magic phrase into Google. The reason I couldn’t see it running is because the process is gnome-keyring-daemon, not ssh-agent or *agent* or even *ssh*, which makes it tough to find if you don’t know that it’s a gnome component that is performing this service. I found the answer in the Gnome Keyring SSH Agent page on the Gnome Live website. Instructions for disabling ssh key caching are on the page here.

One thing they missed is that you can use gconf-editor to tweak the value indicated in the gconftool-2 instructions. Also, you can change the behavior of a running Gnome system by doing a ‘kill -HUP’ on the existing gnome-keyring-daemon process, and then re-starting it with the ‘--components’ that you want (i.e. removing the ‘ssh’ service).

Now, I get to enter my password every time I make an ssh connection, just as it should be ;)
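
An added example (not part of the original post) of one way to find which process is answering as the SSH agent, the part that was hard to track down above: it looks up the listener on the `SSH_AUTH_SOCK` path in `ss -xlp` output. The socket paths, PIDs and listing are constructed sample data, the function names are hypothetical, and using `ss` from iproute2 is an assumption.

```shell
#!/bin/sh
# Constructed sample of `ss -xlp` lines (paths and PIDs are made up).
sample_listing() {
cat <<'EOF'
u_str LISTEN 0 4096 /run/user/1000/keyring/ssh 31337 * 0 users:(("gnome-keyring-d",pid=1890,fd=7))
u_str LISTEN 0 128 /tmp/ssh-XXXXabcd/agent.2201 41002 * 0 users:(("ssh-agent",pid=2202,fd=3))
u_str LISTEN 0 4096 /run/user/1000/bus 29001 * 0 users:(("dbus-daemon",pid=1701,fd=12))
EOF
}

# agent_owner SOCKET_PATH: read `ss -xlp` lines on stdin and print "name pid"
# for the process listening on SOCKET_PATH. Returns 1 if nothing matches.
agent_owner() {
    awk -v sock="$1" '
        {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == sock) hit = 1
            if (!hit) next
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/^users:\(\("/, "", s)
                split(s, a, /",pid=/)
                print a[1], a[2]
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# classify_agent NAME: the kernel truncates process names to 15 characters,
# so gnome-keyring-daemon shows up as "gnome-keyring-d".
classify_agent() {
    case "$1" in
        ssh-agent)        echo "openssh ssh-agent" ;;
        gnome-keyring-d*) echo "gnome-keyring ssh component" ;;
        *)                echo "other: $1" ;;
    esac
}

# live_agent_owner: same lookup against the current session's agent socket.
live_agent_owner() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || { echo "SSH_AUTH_SOCK is not set" >&2; return 1; }
    ss -xlp 2>/dev/null | agent_owner "$SSH_AUTH_SOCK"
}

# Demo on the constructed listing.
owner=$(sample_listing | agent_owner /run/user/1000/keyring/ssh) \
    && classify_agent "${owner% *}"
```

On a real session, call `live_agent_owner`; `ss` only shows the owning process for sockets your user (or root) is allowed to inspect.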