Created
March 19, 2019 11:05
-
-
Save lucaswerkmeister/bf2a52453cc12ea2f86e597c6e77423f to your computer and use it in GitHub Desktop.
systemd user units to wipe sensitive SSH keys from the SSH agent every night
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Unit] | |
| Description=Wipe sensitive SSH keys from the SSH agent | |
| [Service] | |
| Type=oneshot | |
| ExecStart=/usr/bin/ssh-add -d ${HOME}/.ssh/KEY-NAME-1 ${HOME}/.ssh/KEY-NAME-2 … | |
| # don’t fail if the key wasn’t in the SSH agent in the first place | |
| SuccessExitStatus=1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Unit] | |
| Description=Wipe sensitive SSH keys from the SSH agent every night | |
| [Timer] | |
| OnCalendar=daily | |
| Persistent=true | |
| [Install] | |
| WantedBy=timers.target |
Also, consider adding aliases like the following to your .bashrc:
alias npm='systemctl --user start wipe-ssh-agent && npm'
alias grunt='systemctl --user start wipe-ssh-agent && grunt'
alias composer='systemctl --user start wipe-ssh-agent && composer'
# ...Or use a more sophisticated solution to protect your system from rogue npm packages and similar issues, such as fresh.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Usage: adjust the
ExecStart=line inwipe-ssh-agent.serviceto list the key(s) you want to wipe, then copy both files into~/.config/systemd/user/and runsystemctl --user daemon-reloadandsystemctl --user enable --now wipe-ssh-agent.timer.This assumes that your user manager has the
SSH_AUTH_SOCKenvironment variable needed to talk to the SSH agent.