On Sat, Aug 21, 2021 at 5:32 PM hvjunk <hvjunk@xxxxxxxxx> wrote:
>
> > On 21 Aug 2021, at 22:19 , matthewhtb@xxxxxxxxxxxxx wrote:
> >
> > Hello,
> >
> > I hope my question is apt for this list.
> >
> > I am using OpenSSH_8.2p1 on Ubuntu 20.04.
> >
> > I connect to a remote SSH server with the -i /path/to/file identity file
> > option. My local machine asks me for a password for the identity file.
> > This is because I created a password when using ssh-keygen.
> >
> > However, after I exit from the SSH server, and log back in I am not asked
> > for a password. Some kind of caching is happening.
>
> It gets loaded into the ssh-agent for things like ssh forwarding

Many window managers now include an ssh-agent by default. It can be
startling, and destructive when you need to use a particular key for
things like SSH keys for particular git repos.

> > Is there a way to force the password to be asked on every occasion when
> > using an identity file?
>
> unload it from the ssh agent, or remove the ssh agent.

Which OS and window manager are you using? The "ssh-agent -D" command
should always work, but some "wallets" will just keep reloading the
!@#$ keys when running your GUI. Ripping out that "wallet" by the
roots may help.

You might want to turn off "AddKeysToAgent" in your ~/.ssh/config
file, to keep from adding that key to your agents accidentally. Use
"man ssh_config" to review that documentation; it can be disabled for
all hosts or on a target basis.

> > I have searched but it looks as if everyone wants to avoid using
> > passwords, not deliberately attempting to use them.
>
> jumping twenty times an hour between 100 different instances behind jumphosts, you do tend to
> focus on only protecting the ssh-agent/key when you aren’t at your desk or the laptop/etc. gets stolen, not while you need to
> connect to lots of hosts to type in that 20+ character pass phrase.
>
> I recall there are various settings in the GUI/desktop managers to unload the keys when the screen locker activates

Those are often referred to as "wallets", and yeah. It's distinct from
wallet to wallet. A command to do "ssh-agent -D"

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
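
Added example (not part of the original message and not OpenSSH code): a shell check for the AddKeysToAgent advice above, listing every block of an ssh_config file that still lets ssh add keys to an agent. The function names audit_addkeys and sample_config, and the hosts in the sample, are hypothetical.

```shell
#!/bin/sh
# audit_addkeys [FILE]
# Reads an ssh_config file (or stdin) and prints "<block>: AddKeysToAgent <value>"
# for every value other than "no"; yes, ask, confirm and a time interval all
# cause ssh to hand the decrypted key to the agent.
# Returns 1 if anything was reported, 0 if the file is clean.
audit_addkeys() {
  awk '
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }      # trim the line
    /^#/ || /^$/ { next }                           # skip comments and blanks
    {
      line = $0
      sub(/[ \t]*=[ \t]*/, " ", line)               # accept "Keyword=value"
      split(line, f, /[ \t]+/)
      key = tolower(f[1])                           # keywords are case-insensitive
      if (key == "host" || key == "match") { block = $0; next }
      if (key == "addkeystoagent" && tolower(f[2]) != "no") {
        label = (block == "") ? "(global)" : block
        print label ": AddKeysToAgent " f[2]
        found = 1
      }
    }
    END { exit found + 0 }
  ' "$@"
}

# Constructed sample config: two per-host overrides ahead of a "Host *"
# fallback. ssh uses the first value it obtains, so the overrides win.
sample_config() {
  cat <<'EOF'
# constructed sample, not a real configuration
Host jump-*
    AddKeysToAgent yes
Host git.example.org
    IdentityFile ~/.ssh/id_git
    IdentitiesOnly yes
    addkeystoagent=confirm
Host *
    AddKeysToAgent no
EOF
}

# Demo run on the constructed sample.
sample_config | audit_addkeys || echo "blocks above still add keys to the agent"
```

A clean result only means ssh itself will not add the key; a key that a desktop agent has already loaded is still served from that agent.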