Remember passphrases with ssh-agent — First published in fullweb.io issue #31

how-to-ssh-agent.md

How to use ssh-agent to cache your SSH credentials?

Contributed by Fabien Loudet, Linux SysAdmin at Rosetta Stone

Tired of always having to enter your SSH key passphrase when logging in to remote machines? Here comes ssh-agent. Enter the passphrase once and it will keep it in memory for you

Using ssh-agent in your shell session:

$ ssh-agent 
SSH_AUTH_SOCK=/tmp/ssh-hZQhwQlxahPX/agent.1833; export SSH_AUTH_SOCK; 
SSH_AGENT_PID=1834; export SSH_AGENT_PID; 
echo Agent pid 496; 

Copy/paste the 2 first lines from above:

$ SSH_AUTH_SOCK=/tmp/ssh-hZQhwQlxahPX/agent.1833; export SSH_AUTH_SOCK; 
$ SSH_AGENT_PID=1834; export SSH_AGENT_PID; 

Register your key and enter your password for the last time of this session:

$ ssh-add .ssh/id_rsa 
Enter passphrase for .ssh/id_rsa: 
Identity added: .ssh/id_rsa (.ssh/id_rsa)

And now SSH auth will not ask you for the passphrase anymore

BONUS: list your keys with:

$ ssh-add -l

Save yourself the copy and paste job with eval.

eval $(ssh-agent)

https://unix.stackexchange.com/questions/351725/why-eval-the-output-of-ssh-agent

Save yourself another step and just do:

eval $(ssh-agent) && ssh-add .ssh/id_rsa

Also note that if you have cleverly used something other than .ssh/id_rsa for your SSH keys you'll need to change the command accordingly. (I use the filename <hostname>_rsa in order to avoid mixing up SSH keys from different computers.) You could probably do this automatically with cat ~/.ssh/config, grep, and some pipes, but that's way beyond my abilities lol.

Adding the following to ~/.ssh/config will help wit this. It also solves @elsiehupp's issue - i.e. there's no need to write code to do this automagically. Enjoy!

Host *
   AddKeysToAgent yes

Here's the manual page:

AddKeysToAgent
   Specifies whether keys should be automatically added to a running
   ssh-agent(1). If this option is set to yes and a key is
   loaded from a file, the key and its passphrase are added to the
   agent with the default lifetime, as if by ssh-add(1). If this
   option is set to ask, ssh will require confirmation using the
   SSH_ASKPASS program before adding a key (see ssh-add(1) for
   details). If this option is set to confirm, each use of the
   key must be confirmed, as if the -c option was specified to
   ssh-add(1). If this option is set to no, no keys are added
   to the agent. The argument must be yes, confirm,
   ask, or no. The default is no.

As a bonus, on a Mac you have the UseKeychain option (check it out in the man page on your Mac).

No matter what I do, the changes don't persist. I don't have to re-add anything for the same session, but once I close the session and exit terminal, I have to re-add.

@Kr3m - when you do ...

$ eval $(ssh-agent)
Agent pid 2101
$

... it sets the SSH_AUTH_SOCK and SSH_AGENT_PID shell environment variables. These are important and if they don't exist; then your ssh command won't know that ssh-agent is running. You should include something like ...

$ tail -2 ~/.profile 

eval $(ssh-agent)
$ 

... into your .profile file. There's variations on this method (see google searches); however, the key point is that you will loose your connection to your ssh-agent session once you exit your terminal and while it's technically still running; your ssh program won't know that.

This is a pure shell issue and not an ssh subsystem issue.

This is a pure shell issue and not an ssh subsystem issue.

Meh. I just did this instead. I still have to unlock it once after rebooting and opening the terminal, but it's still less of a headache than it was.

sudo nala install keychain (apt instead of nala for thoses who haven't migrated yet)

Added to ~/.bashrc:

if [[ `uname` == Linux ]] then
    /usr/bin/keychain $HOME/.ssh/id_rsa
    source $HOME/.keychain/$HOSTNAME-sh
fi

Added to ~/.ssh/config

Host *
    IgnoreUnknown UseKeychain
    UseKeychain yes
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_rsa

At least it works so there's that. sigh