What I already know

  • To start ssh-agent you need to use the command eval $(ssh-agent)
  • You have to do this because of security reasons. A child process can't change environment variables of the process above.
  • When you start the ssh-agent you get 2 variables, which you could manually export to the current shell.

What I don't know and need your help with

  • Can I somehow pass the environment variables to all terminals currently open?
  • Can I pass the environment variables to the whole computer instead of only one shell?
  • Is there a way to start ssh-agent without eval or manually exporting the variables?


Thanks for your help :)

5 Answers

1

I sometimes re-direct the output to a file:

ssh-agent > ~/.ssh-agent

Then I can pick up that environment in the same window or another window by doing:

. ~/.ssh-agent
1
  • Can I somehow pass the environment variables to all terminals currently open?

Not without writing the variables to a file and manually sourcing that file in each terminal.

  • Can I pass the environment variables to the whole computer instead of only one shell?

Not easily. Most processes don't accept environment variable changes from the outside at all once they've started; they just use the environment they've inherited from their parent process as-is. Shells can "pull" in environment settings by sourcing scripts, but you cannot "push" new environment variables into them from outside the process. (The terminal window and the shell inside it are two separate processes, and the environment of the shell process is the one you usually care about.)

The processes that handle user logins, on the other hand, tend to actively prune the environment they pass to the new session down to some built-in or sysadmin-controlled list of "safe" environment variables, for security reasons.

If you want anyone on the system to be able to make authenticated SSH connections to somewhere, you could create a passphraseless SSH keypair as root, place it into the /etc/skel/.ssh/ directory using the default key name for that key type, and now every user you'd create from that point on would automatically get a copy of that key... and since you used the default name, it will be automatically tried by the SSH client for every outgoing connection by every user that has a copy of the key.

I think this would not be significantly less secure than granting everyone access to a single shared SSH agent. In fact, with this approach, one user could not trivially sabotage the work of other users by sending a "unload all stored keys" command to the shared SSH agent, like they could in your idea...

(This seems like a possible XY problem. Just what are you trying to achieve by sharing a single SSH agent system-wide? There might be better solutions than that if you just described the requirements of the actual problem you are trying to solve by sharing the SSH agent.)

  • Is there a way to start ssh-agent without eval nor manually export?

If you have root access to the system, you could add the pam_ssh.so PAM module to the system's PAM configuration. The module has two functions:

  • If used as an authentication module, it can verify the user's identity by checking if they know the passphrase of an SSH key located in ~/.ssh/login-keys.d/... but that is not the part you are interested in.
  • If used as a session management module, it will start an SSH agent, automatically load it with SSH keys belonging to that user that either have no passphrase or have a passphrase that is equal to the login password used, and insert the appropriate environment variables into the environment of the session that is about to start.

At least Debian and related distributions should have the pam_ssh.so PAM module packaged as libpam-ssh. Other distributions might name their PAM library packages differently, so you might have to do a bit of searching.

0
  • To pass the environment variables to all open terminals, you can add the export commands to your shell's startup script (e.g. ~/.bashrc for bash).
  • You cannot pass the environment variables to the whole computer. Each shell session runs in its own process and has its own environment variables.
  • There is no way to start ssh-agent without using eval or manually exporting the environment variables. These steps are necessary for security reasons, as ssh-agent needs to modify the shell's environment to work properly.
0

You can share environment variable definitions amongst existing bash shell windows either by sourcing their definitions from .bashrc or from the PROMPT_COMMAND implementation in bash.

  1. From bashrc. This implementation only works for shells created after you have run ssh-agent.

    In .bashrc include this line of code:

    [ -s "$HOME/.envvars" ] && . "$HOME/.envvars"
    

    From now on, when you run ssh-agent for the first time in a session redirect its output to this file:

    ssh-agent >"$HOME/.envvars"
    

    Subsequent shells will include those definitions when they start even if they are not children of the ssh-agent process or shell parent.

  2. From PROMPT_COMMAND. This implementation will import environment variables at the next command prompt, regardless of when the bash shell instance was first created.

    In .bashrc include this block of code:

    prompt_command() {
        if [ -s "$HOME/.envvars" ]
        then
            local stat=$(stat -c '%Y' "$HOME/.envvars" 2>/dev/null)
    
            if [ -n "$stat" ] && [ "$stat" -gt ${_envvars_stat:-0} ]
            then
                [ -t 2 ] && echo "Updated from .envvars" >&2
    
                . "$HOME/.envvars"
                _envvars_stat=$stat
            fi
        fi
        return 0
    }
    PROMPT_COMMAND=prompt_command
    

    From now on, when you run ssh-agent for the first time in a session redirect its output to this file:

    ssh-agent >"$HOME/.envvars"
    

    Subsequent shells will include those definitions at their next prompt even if they are not children of the ssh-agent process or shell parent.
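Both the first answer (`. ~/.ssh-agent`) and this one (`. "$HOME/.envvars"`) hand the agent variables to other shells by sourcing a file, which executes whatever that file contains: anyone who can write to it can run commands in every shell that loads it. As an added example that is not part of any answer here, the following POSIX sh loader reads the same ssh-agent output file but only extracts the two expected assignments (SSH_AUTH_SOCK and SSH_AGENT_PID), checks their shape, and exports them without ever sourcing the file. The function names `agent_var` and `load_agent_env`, and the sample file contents, are constructed for this example.

```shell
#!/bin/sh
# Added example, not from any answer on this page: import ssh-agent's
# variables from a file without executing the file as shell code.
#
# ssh-agent (Bourne-shell output) prints lines of the form:
#   SSH_AUTH_SOCK=/tmp/ssh-XXXXXX/agent.1234; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=1235; export SSH_AGENT_PID;
#   echo Agent pid 1235;
# Only the first two lines carry data; everything else is ignored here.

# agent_var NAME FILE: print the value of the NAME=...; export NAME; line
# in FILE, or nothing if no well-formed line is present.
agent_var() {
    sed -n "s/^$1=\([^;]*\); export $1;\$/\1/p" "$2" | head -n 1
}

# load_agent_env FILE: validate and export the two agent variables.
# Returns 0 and prints "SOCK PID" on success, 1 if the file is missing,
# a line is absent, or a value has an unexpected shape.
load_agent_env() {
    _f=$1
    [ -f "$_f" ] || return 1
    _sock=$(agent_var SSH_AUTH_SOCK "$_f")
    _pid=$(agent_var SSH_AGENT_PID "$_f")

    # The socket path must be absolute ...
    case $_sock in
        /*) ;;
        *) return 1 ;;
    esac
    # ... and contain only path characters (no spaces, $(...), backticks, ;).
    case $_sock in
        *[!A-Za-z0-9/._-]*) return 1 ;;
    esac
    # The agent pid must be a non-empty string of digits.
    case $_pid in
        ''|*[!0-9]*) return 1 ;;
    esac

    SSH_AUTH_SOCK=$_sock
    SSH_AGENT_PID=$_pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
    printf '%s %s\n' "$SSH_AUTH_SOCK" "$SSH_AGENT_PID"
}

# Typical use, in place of ". $HOME/.envvars" from .bashrc or PROMPT_COMMAND:
#   load_agent_env "$HOME/.envvars" >/dev/null && [ -S "$SSH_AUTH_SOCK" ]
```

After a successful load, the caller should still confirm the agent is actually there (for example `[ -S "$SSH_AUTH_SOCK" ]`, as the last answer's `~/.ssh/rc` snippet does) before relying on the variables; a stale file from a previous login passes the shape checks but points at a socket that no longer exists. Keeping the file mode 0600 in a directory you own remains the first line of defence; this loader only limits what a tampered file can do.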

-1

This might be a solution?:

# Re-point SSH_AUTH_SOCK at a stable symlink if it is a real socket and not already a symlink.
if [ -S "$SSH_AUTH_SOCK" ] && [ ! -h "$SSH_AUTH_SOCK" ] ; then
    ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
    export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
fi

I use this in my ~/.ssh/rc for agent forwarding with GNU screen.

Then, for each session that needs it, I export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock in that session.
