ssh-agent key lifetime - best practice?


I generally start ssh-agent with the -t 7200 option, meaning that any key
added expires after 2 hours.  I'd rather not just have the agent sitting there
with my keys available (yes, only in memory and only to login sessions using
that agent, but still...) if I'm not actively using ssh/scp.

HOWEVER, it leaves me in the situation where sometimes ssh asks for
my passphrase because my key expired.  This is all well and good, but when
it does I have to type my passphrase twice (once into ssh and then into the
agent so further ssh executions won't need it).

Is there any way to make ssh/scp put an identity into the agent when it asks
for a passphrase?  This way I'd just run the agent but never add keys with
ssh-add, I'd just use ssh and scp, typing my passphrase once if I hadn't
already done so within two hours.

Or is there a different recommendation for using ssh-agent wherein keys time
out after some period, but I don't have to think in advance whether it has an
active key or not?
Mark Rafn    <
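
One way to get the "type the passphrase once, never think about the agent" behaviour the post asks for, as an added example that is not part of the original post: shell wrappers that check the agent before every ssh/scp and run ssh-add with a lifetime only when the agent holds no keys. The names `agent_state`, `ensure_key`, `KEY_LIFETIME` and `SSH_ADD` are hypothetical; only `ssh-add -l`, `ssh-add -t` and their exit statuses come from OpenSSH.

```shell
#!/bin/sh
# Added example: load a key into ssh-agent on demand, with an expiry.
# Source this file from your shell startup so ssh/scp below replace the binaries.

KEY_LIFETIME="${KEY_LIFETIME:-7200}"  # seconds; matches the post's "-t 7200"
SSH_ADD="${SSH_ADD:-ssh-add}"         # hypothetical override, used for testing

# Translate the exit status of `ssh-add -l` into a state name:
#   0 -> agent holds at least one identity
#   1 -> agent reachable but empty (never loaded, or the key expired)
#   2 -> no agent reachable through SSH_AUTH_SOCK
agent_state() {
    rc=0
    "$SSH_ADD" -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Prompt for the passphrase only when the agent has nothing to offer.
ensure_key() {
    case "$(agent_state)" in
        loaded) return 0 ;;
        empty)  "$SSH_ADD" -t "$KEY_LIFETIME" ;;   # default identities, timed
        *)      echo "no ssh-agent reachable; start one first" >&2
                return 2 ;;
    esac
}

# Wrappers: one passphrase prompt (from ssh-add), then the real command.
ssh() { ensure_key && command ssh "$@"; }
scp() { ensure_key && command scp "$@"; }
```

OpenSSH 7.2 and later can also do this without a wrapper through the `AddKeysToAgent` option in `ssh_config`; the agent's own `-t` default lifetime then applies to keys added that way.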
