Code Vigorous

Dustin J. Mitchell

Locking SSH keys on sleep on Linux

29 Mar 2013

I got a new laptop, a ThinkPad X1 Carbon, and I’m running Linux on it. So you’re in for a series of posts describing the complex process I had to follow to accomplish simple things. Spoiler alert: 2013 is not the year of Linux on the desktop. It’s not looking good for 2014 either.

I’m running Fedora 18. I tried Ubuntu 12.10, but Unity couldn’t hold itself together long enough to actually do anything, so I started over with Fedora.

SSH Agent

Gnome runs a nice keychain app that acts like (but is not) OpenSSH’s ssh-agent. The one obvious place it differs is that ssh-add -l will list keys even if they are “locked” (passphrase not supplied).

As long as you point the SSH_AUTH_SOCK variable to the right place, the agent works just fine for unlocking keys - it finds any private/public pairs in ~/.ssh, and prompts to unlock them once you issue an SSH command that needs a key. The problem is, it never re-locks the keys.


Personally, I use SSH constantly while my laptop is awake, so I don’t want an arbitrary timeout. Instead, I’m careful to put it to sleep when I’m away from the keyboard. So I want a way to lock the key on sleep.

It turns out that pm-utils will run scripts in /etc/pm/sleep.d on sleep and wake. It runs them as root, unfortunately. I added the following in


# drop keys from dustin's SSH agent


        su - dustin /home/dustin/bin/ssh-lock

case "$1" in
        hibernate|suspend) lock ;;
        *) exit $NA ;;

and then added the following in ~/bin/ssh-lock:


# drop keys from the SSH agent, using the same trick as bin/startscreen to find
# that agent

[ -d /run/user ] && base="/run/user/$(id -u)"
socket_dir="$base/$(uname -n)-$(id -u)"
SSH_AUTH_SOCK=$socket_dir/agent ssh-add -D

See my post on tunneling ssh-agent into a screen session for the reference to bin/startscreen. I’m not sure how best to accomplish this without such a trick. I’ll work on that and post again.