
Several users seem to have problems with the usage of ssh-agent in their login environment. sri, for instance, has 1295 of them running on login02. Many other users are having the same issue.

I am seeing the same problem on other machines, and with other people also.

sri 32586  0.0  0.0  11144     0 ?        Ss    2019   0:00 ssh-agent
sri 32598  0.0  0.0  11144  1304 ?        Ss   Jan13   0:03 ssh-agent
sri 32608  0.0  0.0  11148     0 ?        Ss    2019   0:00 ssh-agent
sri 32610  0.0  0.0  11152     0 ?        Ss   Jan22   0:00 ssh-agent
sri 32640  0.0  0.0  11148     0 ?        Ss    2019   0:00 ssh-agent
sri 32643  0.0  0.0  11148     0 ?        Ss    2019   0:00 ssh-agent
sri 32656  0.0  0.0  11144     0 ?        Ss    2019   0:00 ssh-agent
sri 32711  0.0  0.0  11152     0 ?        Ss    2019   0:00 ssh-agent
sri 32715  0.0  0.0  11144     0 ?        Ss    2019   0:00 ssh-agent
sri 32755  0.0  0.0  11152     0 ?        Ss    2019   0:00 ssh-agent
sri 32765  0.0  0.0  11148     0 ?        Ss    2019   0:00 ssh-agent
root@login02:~$ ps -aux | grep ssh-agent | grep sri | wc -l
1295
root@login02:~$ ps -aux | grep ssh-agent  | wc -l
1509
root@login02:~$

Please guide me on how to fix this issue. Thanks.

Piotr P. Karwasz
gokam

1 Answer


Your user is probably spawning those ssh-agents in his shell init scripts (.profile, .bashrc or similar), but forgot to kill the agent in the logout scripts. Maybe even the global shell init scripts spawn ssh-agents.

A way to stop this from proceeding is to offer your users a system-wide way to administer ssh-agents.

The easiest way to control the number of ssh-agent instances is to use systemd together with pam_systemd. This will spawn a systemd user manager for each logged-in user and terminate it whenever the last user session exits. Moreover, it allows you to define user services, whose lifetime is independent of user sessions.

Ubuntu 16.04 does not provide .service files for ssh-agent (newer versions do), but you can create one yourself by adding a file /etc/systemd/user/ssh-agent.service with content:

[Unit]
Description=OpenSSH Agent
Documentation=man:ssh-agent(1)
Before=default.target
Wants=dbus.socket
After=dbus.socket

[Service]
ExecStart=/usr/bin/ssh-agent -D -a %t/ssh-agent

and a symlink of the file in the /etc/systemd/user/default.target.wants directory:

mkdir -p /etc/systemd/user/default.target.wants
ln -s ../ssh-agent.service /etc/systemd/user/default.target.wants

followed by a systemctl daemon-reload. You'll also need to add the following line to /etc/bash.bashrc:

export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/ssh-agent

After this configuration step:

  • the first time a user connects to the system, an ssh-agent will be spawned. You can check its status with:

    systemctl --user status ssh-agent.service
    
  • every ssh client in every session will have access to the same ssh-agent,

  • when the last user session terminates, so does the ssh-agent.

Piotr P. Karwasz
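An added example (not part of the answer above and not the poster's code): an audit script an administrator could use to count ssh-agent processes per user, matching on the command name so that `grep ssh-agent` itself is not counted, and skipping the agent started by the unit file, which is recognised here by its `-D` flag. The function names, the threshold and the sample process list are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-user count of ssh-agent processes that were not
# started by the systemd user unit (assumption: the unit's agent is the
# only one running with -D, as in the ExecStart line of the answer).

# Constructed sample in the format of: ps -eo user:32,pid,args --no-headers
sample_ps() {
cat <<'EOF'
sri 32586 ssh-agent
sri 32598 ssh-agent
sri 32608 ssh-agent
sri 1401 /usr/bin/ssh-agent -D -a /run/user/1001/ssh-agent
alice 2210 ssh-agent -s
root 9001 grep ssh-agent
bob 3100 sshd: bob@pts/3
EOF
}

# Reads ps lines on stdin, prints "user count" sorted by user name.
count_stray_agents() {
  awk '
    { cmd = $3; sub(/.*\//, "", cmd) }        # basename of argv[0]
    cmd != "ssh-agent" { next }               # drops grep, sshd, ...
    { for (i = 4; i <= NF; i++) if ($i == "-D") next }   # unit-managed agent
    { n[$1]++ }
    END { for (u in n) print u, n[u] }
  ' | sort
}

# Reads ps lines on stdin, prints users with more than $1 stray agents.
flag_users() {
  count_stray_agents | awk -v max="$1" '$2 > max { print $1 }'
}

# Run against the live process table only when asked to.
if [ "${1:-}" = "--live" ]; then
  ps -eo user:32,pid,args --no-headers | flag_users "${2:-1}"
fi
```

With `--live`, the optional second argument is the number of stray agents tolerated per user; any account printed still has agents started outside the user service.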