Using an ssh agent from emacs in server mode
G

2

7

I am running emacs in server mode as a systemd user service and want to pull from a pubkey-authenticated remote repository using magit. Unfortunately, magit (or its git child process) cannot use my already loaded public key. Apparently, I cannot connect to my ssh-agent from within the context of emacs.

Run from within emacs:

~ ssh-add  
Could not open a connection to your authentication agent.

Is there a known way to solve that issue or do I have to dig into how ssh-agent and clients actually communicate?

Gallicanism answered 9/2, 2017 at 12:27 Comment(1)
ssh-agent outputs some environment variables (in the form of a sourceable shell script) when it is started. If that agent is still running, and you wrote those settings to a readable file, I believe you should be able to connect to that agent by reading those values into your environment. You can manage that yourself, or use something like keychain. - Athirst
D
6

I use keychain to manage ssh-agents. It starts the agent and dumps relevant parameters (agent PID and socket) into a script that can be sourced by a shell. There's an Emacs package keychain-environment that can pull this into Emacs.

~/.bash_profile:

# keychain manages ssh-agents
type keychain >&/dev/null \
    && keychain --agents ssh

This runs keychain at login, which will start an ssh-agent and dump its info to a file. keychain is idempotent, so subsequent logins (e.g. logging in with ssh) will not start a new ssh-agent if it's already running.

~/.bashrc:

# keychain keeps track of ssh-agents
[ -f "$HOME/.keychain/$HOSTNAME-sh" ] \
    && . "$HOME/.keychain/$HOSTNAME-sh"

This allows any new shell to reuse the agent. I don't think this is actually relevant to Emacs, but is obviously useful.

~/.emacs.d/init.el:

(require 'keychain-environment)
(keychain-refresh-environment)

This loads the agent info into Emacs, so Emacs can talk to it (or more accurately, any ssh process started by Emacs can see the relevant env vars).

Duff answered 10/2, 2017 at 17:40 Comment(2)
Can you elaborate on your configuration? I was not able to reproduce this setup. Does it work for you with emacs in server mode? Do you have to start a terminal first so that keychain is executed? - Thuthucydides
Keychain should start on login, because ~/.bash_profile should be executed on login. To verify, look at e.g. ~/.keychain/$HOSTNAME-sh, and make sure there's an ssh-agent process running with the corresponding PID. I run emacs in server mode, but I start it like emacsclient -c -a ''. - Duff
S
2

The ssh-agent must be running in a parent process of the process you want to use it from. This is why it is often started as part of the setup for the window manager: all sub-processes of the window manager, i.e. terminals and programs run by the user, will be able to use the ssh-agent.

In your case, you could perhaps run ssh-agent as the parent process in your systemd user service that starts emacs, but then of course your agent won't work with other uses, such as from terminals opened under your wm.

Syllabogram answered 10/2, 2017 at 0:48 Comment(1)
ssh-agent does not need to have any sort of parent relation to the process using the agent. Environment variables are sufficient to tell a process how to communicate with the agent. This is what keychain does: it manages the env vars so other processes can get them into their environment. - Duff
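
The answers and comments above come down to one thing: a process reaches the agent through the socket named in SSH_AUTH_SOCK. The following is an added shell example, not code from any of the posters, that reads that value from a keychain-style file without sourcing it and checks the socket before it is handed to a long-running service such as the Emacs daemon. It assumes the file uses the `ssh-agent -s` line format; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Parsing instead of sourcing means nothing in the
# file is executed; only the socket path is extracted.

# Print the SSH_AUTH_SOCK value from a file with lines like
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.1234; export SSH_AUTH_SOCK;
agent_sock_from_file() {
    [ -r "$1" ] || return 1
    _sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1" | head -n 1)
    [ -n "$_sock" ] && printf '%s\n' "$_sock"
}

# Succeed only if the path is a Unix socket owned by the current user.
check_agent_sock() {
    [ -S "$1" ] || { echo "not a socket: $1" >&2; return 1; }
    [ -O "$1" ] || { echo "not owned by current user: $1" >&2; return 2; }
}

# Map ssh-add's exit status: 0 = keys loaded, 1 = agent reachable but
# holds no identities, 2 (or ssh-add missing) = agent not reachable.
agent_status() {
    _rc=0
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1 || _rc=$?
    case $_rc in
        0) echo "keys-loaded" ;;
        1) echo "agent-empty" ;;
        *) echo "unreachable" ;;
    esac
}

# Resolve, validate and probe; print the socket path only if usable.
usable_agent() {
    _s=$(agent_sock_from_file "$1") || return 1
    check_agent_sock "$_s" || return 1
    [ "$(agent_status "$_s")" != "unreachable" ] && printf '%s\n' "$_s"
}

# Typical call (path as used in the answer above):
#   usable_agent "$HOME/.keychain/$HOSTNAME-sh"
```

A result of `unreachable` from inside the Emacs service combined with `keys-loaded` from a login shell confirms that the only difference is the missing environment variable, not the process hierarchy.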
