CR-2026-03-25: SSH Agent Passphrase Cache Timeout Fix

Change Summary

Field              Value
Change ID          CR-2026-03-25-ssh-timeout-001
Requested By       Self
Target Date        TBD (low priority)
Systems Affected   ~/.gnupg/gpg-agent.conf, systemd user services
Risk Level         Low
Rollback Time      < 2 minutes
Category           Normal

Problem Statement

SSH passphrase prompts appear too frequently during Claude Code sessions, interrupting workflow.

Root Cause

  1. ssh-agent.service has been in the failed state since 2026-03-15

  2. gpg-agent provides SSH via gpg-agent-ssh.socket (working)

  3. Current TTL: 2 hours (default-cache-ttl-ssh 7200)

  4. Conflicting services may cause socket issues

Current State

# ssh-agent status
systemctl --user status ssh-agent.service
# Result: failed (Result: exit-code) since 2026-03-15

# gpg-agent status
systemctl --user status gpg-agent.service
# Result: active (running)

# Current TTL settings
grep cache-ttl ~/.gnupg/gpg-agent.conf
# default-cache-ttl-ssh 7200 (2 hours)
# max-cache-ttl-ssh 28800 (8 hours)

Implementation Plan

Phase 1: Disable Failed ssh-agent Service

# Stop and disable conflicting service
systemctl --user disable ssh-agent.socket ssh-agent.service
systemctl --user stop ssh-agent.socket

# Verify disabled
systemctl --user status ssh-agent.service

Phase 2: Increase gpg-agent SSH TTL

# Backup current config
cp ~/.gnupg/gpg-agent.conf ~/.gnupg/gpg-agent.conf.bak

# Edit config - increase to 8 hours default, 24 hours max

Updated gpg-agent.conf

# SSH key cache TTL (8 hours default, 24 hours max)
default-cache-ttl-ssh 28800
max-cache-ttl-ssh 86400

Phase 3: Reload gpg-agent

# Kill and restart agent
gpgconf --kill gpg-agent
gpg-connect-agent /bye

# Verify SSH socket
echo "$SSH_AUTH_SOCK"
# Expected: /run/user/1000/gnupg/S.gpg-agent.ssh

# Add key (passphrase is cached for 8 hours after each use, up to the 24-hour max)
ssh-add ~/.ssh/id_ed25519

Verification

# Check key is cached
ssh-add -l
# Should show your key

# Test git push
git -C ~/atelier/_bibliotheca/domus-captures push
# Should not prompt for passphrase
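
A sanity check for the Phase 2 values, as an added example that is not part of the original change request: it reads the two SSH TTL options from a gpg-agent.conf, falls back to gpg-agent's documented defaults (1800 s and 7200 s) when an option is absent, and fails if the default TTL exceeds the maximum. The function names and the constructed sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check the SSH cache TTLs in a gpg-agent.conf.

# Print the effective value of option $2 in file $1, or fallback $3.
# Assumption: the last uncommented occurrence of an option is the effective one.
ttl_value() {
    awk -v opt="$2" -v def="$3" '
        { sub(/^[ \t]+/, "") }            # tolerate leading whitespace
        /^#/ { next }                     # skip comment lines
        $1 == opt { val = $2 }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# check_ssh_ttl FILE -> prints "default=N max=M"; returns
#   0 = consistent, 1 = default exceeds max, 2 = non-numeric value
check_ssh_ttl() {
    d=$(ttl_value "$1" default-cache-ttl-ssh 1800)
    m=$(ttl_value "$1" max-cache-ttl-ssh 7200)
    for v in "$d" "$m"; do
        case "$v" in
            ''|*[!0-9]*)
                echo "non-numeric TTL: default=$d max=$m" >&2
                return 2 ;;
        esac
    done
    echo "default=$d max=$m"
    # A default above the max would be cut off at the max lifetime anyway.
    [ "$d" -le "$m" ] || return 1
}

# Constructed sample: the values proposed in Phase 2.
sample=$(mktemp)
printf '%s\n' \
    '# SSH key cache TTL (8 hours default, 24 hours max)' \
    'default-cache-ttl-ssh 28800' \
    'max-cache-ttl-ssh 86400' > "$sample"
check_ssh_ttl "$sample"
rm -f "$sample"
```

Run `check_ssh_ttl ~/.gnupg/gpg-agent.conf` after Phase 2 and again after a rollback to confirm which values are on disk.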

Rollback

# Restore backup
cp ~/.gnupg/gpg-agent.conf.bak ~/.gnupg/gpg-agent.conf
gpgconf --kill gpg-agent

# Re-enable ssh-agent if needed
systemctl --user enable ssh-agent.socket
systemctl --user start ssh-agent.socket

  • dots-quantum host overlay (hosts/razer/) may need gpg-agent.conf

  • Consider adding to dotfiles for persistence across machines