Auto start ssh-agent for Git on startup

Alec · July 21, 2018, 12:19pm

I’m looking for a way to automatically start the ssh-agent on boot of my Home Assistant running Hass.io on my Raspberry Pi.

Background:

I have accessed the Pi via SSH and am configuring Git to communicate with my repository over SSH
I have set up the key pair etc. in root/.ssh and Git via SSH is working correctly
I can run eval "$(ssh-agent -s)" to start the ssh-agent and then run shh-add to add my key to the ssh-agent (so I don’t have to type in passphrase every time)

After a HA reboot the ssh-agent doesn’t start automatically loaded with my key, I have to start ssh-agent again/add my key. Any ideas?

flamingm0e · July 21, 2018, 2:06pm

Is git included in the SSH add-on?

I would do it Cron if possible on hassio

Alec · July 21, 2018, 2:41pm

Git is included with Hass.io I believe.

I’m not sure how I would achieve this with Cron?

How are other Hass.io users using Git via SSH without having to provide the passcode each time?

flamingm0e · July 21, 2018, 3:40pm

I’m not sure why you need the system to use git at all.

You can easily use git on your local machine that you’re editing from, on the SMB share. If you’re editing on the SMB share and it is a git repo, you can perform all the same git commands there. Hassio doesn’t need to do it.

Alec · July 21, 2018, 4:04pm

Yup, I have Samba and occasionally use it to modify files on the Pi.

Usually my needs are filled with SSH though. I’m looking for a better way to use Git via SSH, within the Hass.io environment.

flamingm0e · July 21, 2018, 4:33pm

Looks like you’re going about this all wrong.

github.com

home-assistant/hassio-addons/blob/master/git_pull/README.md

# Home Assistant Add-on: Git pull

Load and update configuration files for Home Assistant from a Git repository.

![Supports aarch64 Architecture][aarch64-shield] ![Supports amd64 Architecture][amd64-shield] ![Supports armhf Architecture][armhf-shield] ![Supports armv7 Architecture][armv7-shield] ![Supports i386 Architecture][i386-shield]

You can use this add-on to `git pull` updates to your Home Assistant configuration files from a Git
repository.

[aarch64-shield]: https://img.shields.io/badge/aarch64-yes-green.svg
[amd64-shield]: https://img.shields.io/badge/amd64-yes-green.svg
[armhf-shield]: https://img.shields.io/badge/armhf-yes-green.svg
[armv7-shield]: https://img.shields.io/badge/armv7-yes-green.svg
[i386-shield]: https://img.shields.io/badge/i386-yes-green.svg

Alec · July 21, 2018, 5:03pm

Yup, I have Git Pull and occasionally enable it to pull changes onto the Pi.

Usually I want to test changes out before committing them though. I often commit changes to the repository straight from the Pi after tweaking until I’m happy.

flamingm0e · July 21, 2018, 5:11pm

You should look at syncthing addon and client on your computer

make changes locally on your computer (it can be a git repo too), it automatically syncs to your home assistant config directory, and you can run your tests, when done, git commit the changes on your client machine (desktop/laptop) and voila, you have eliminated the need for an SMB share running on your home assistant box, you have eliminated the need to install git on hassio, and you get to test all your changes while working comfortably from a good text editor.

Alec · July 22, 2018, 9:10am

Cool thanks, don’t know Syncthing will check it out.

I’m aware there are various different ways to edit your config. I’m looking specifically for a way to use Git via SSH with less hassle, from within Hass.io.

Alec · July 22, 2018, 10:50am

This problem isn’t so much of a Hass.io issue, but I was curious how people using Hass.io worked with this.

Not having to provide the key passphrase again after a full reboot of the Pi isn’t really a viable option, see write-up about it.

In the end I’ve opted for starting the ssh-agent and attempting ssh-add (which prompts for key passphrase) automatically when I SSH in to the Pi.

In /etc/profile.d/ I’ve added the file ssh-agent.sh containing the following:

if [ -z "$SSH_AUTH_SOCK" ] ; then
  eval `ssh-agent -s`
  ssh-add
fi

Maybe this should be at ~/.bash_profile instead, I haven’t tried. Anyway this improves the situation enough for me for now.

talljohnson · November 25, 2018, 6:58pm

@Alec

As you are probably aware, this thread is further reaching that just git in your example. I am glad that I stumbled upon this very helpful thread, but only after debugging on my own for 2 days.

I am trying to run scp as part of a backup script for my hassio. Only through verbose debugging was I able to discover that my script with scp kept failing asking for my passphase in a routine without user keyboard interaction available. That was not desirable at all.

The article that you reference is a terrific description of the options for keys with passphrases or without and use of ssh-agent. I have temporarily decided to forego the use a passphase on my keys but only because I sit behind a firewall with no exposed ports and I am operating on an internal network only.

However, I think we should consider requesting an hassio upgrade to permit enabling/disabling of ssh-agent. The hassio community would have to consider any security concerns.

If I am unsuccessful to get broader support of ssh-agent, then I may use a similar script as you did above. THANKS!