15

After creating keys with name id_rsa at it's default location. I am adding identity to SSH agent with command ssh-add ~/.ssh/id_rsa, It's adding successfully.

I can SSH without entering pass phrase of key as It's already with SSH Agent.

But ,when I restart machine or server and then check for identity with command ssh-add -L I am getting message like The agent has no identities.

Does that means when we restart machine, Agent lost identity? Is this normal behavior or some thing I am missing here?

Please guide me, I am not much familiar with SSH.

Niks
  • 791
  • 3
  • 8
  • 18
  • See [this thread](http://unix.stackexchange.com/questions/140075/ssh-add-is-not-persistent-between-reboots) on Unix&Linux site. – janosdivenyi Jul 22 '16 at 09:07

4 Answers4

14

It's normal. The purpose of a key agent is just to hold decrypted keys in memory, but it will never write them to disk. (That would defeat the purpose – why not just unprotect the main key instead?)

So the keys must be unlocked on each login, and you need to automate this – on Linux using pam_ssh is one option; it automatically uses your OS password to unlock the agent. Another similar module is pam_envoy, which is slightly more reliable afaik (but requires systemd).

Both modules will start the agent itself and load keys automatically.

u1686_grawity
  • 426,297
  • 64
  • 894
  • 966
  • any idea how to automate on mac osx terminal? – Niks Aug 05 '15 at 10:37
  • When I ran command `$SSH_AUTH_SOCK` I am getting result as: `-bash: /tmp/ssh-gT43vE99vk/agent.511`: Permission denied I am confused here.. weather my agent forwarding working or not.. can you plz guide? – Niks Aug 08 '15 at 06:27
  • It's not meant to be used as a command – it's a _variable_, something you use as part of another command. For example `echo $SSH_AUTH_SOCK` to print its value. – u1686_grawity Aug 08 '15 at 12:32
  • hey buddy.. any idea? http://stackoverflow.com/questions/31916395/libssh2-agent-forwarding-not-working – Niks Aug 10 '15 at 10:19
5

On OS X, ssh-add has a special flag to connect to Keychain if you decide to store your private key in there.

Just run ssh-add -K ~/.ssh/id_rsa.

I believe this answers your question more fully. This OS X specific flag is hard to find documentation for but it's been working since at least OS X Leopard.

Olivier Lacan
  • 158
  • 1
  • 5
  • 3
    This is the proper answer, followed by a `ssh-add -A` which will add all keys in Keychain. Additionally, also create a `~/.ssh/config` and add `UseKeychain yes` so macOS will always preserve your key, as described here: https://unix.stackexchange.com/questions/140075/ssh-add-is-not-persistent-between-reboots – lucasarruda Oct 03 '17 at 21:50
  • My MacBook still forgets my identity when I reboot, even after trying this. – Dominic Sayers Jun 05 '18 at 13:55
2

Try to this to your ~/.bashrc:

if [ ! -S ~/.ssh/id_rsa ]; then
  eval `ssh-agent`
  ln -sf "$SSH_AUTH_SOCK" ~/.ssh/id_rsa
  ssh-add
fi
export SSH_AUTH_SOCK=~/.ssh/id_rsa

This should only prompt for the password once you are login.

Shiro
  • 697
  • 5
  • 12
  • 27
  • Thanks for reply, That means SSH agent is working properly. And after adding this it won't require to add identity each time when start machine? Sorry if this is silly question but I am very new to ssh. – Niks Aug 05 '15 at 09:21
  • If you ssh key have password, it will prompt every time you login. – Shiro Aug 05 '15 at 09:51
  • This answer is **harmful**. If you do what it says, it will **delete** your private key. If you have no other way to authenticate, you will lose access to systems where you have been using public key authentication. – kasperd Mar 28 '16 at 23:13
0

This solution is handy if your ssh keys are passphrase protected.

The problem with all the answers above is that if your private key is passphrase protected, every time you launch a new terminal and try to use the private key, you have to type in the passphrase and you will end up running multiple copies of the ssh-agent in memory. The solution is to add the following in your ~/.bashrc or ~/.zshrc:

##### START Fix for ssh-agent #####
# Ref: http://mah.everybody.org/docs/ssh

SSH_ENV="$HOME/.ssh/environment"

function start_agent {
     echo "Initialising new SSH agent..."
     /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
     echo succeeded
     chmod 600 "${SSH_ENV}"
     . "${SSH_ENV}" > /dev/null
     /usr/bin/ssh-add;
}

# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]; then
     . "${SSH_ENV}" > /dev/null
     #ps ${SSH_AGENT_PID} doesn't work under cywgin
     ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
        start_agent;
     }
else
     start_agent;
fi
##### END Fix for ssh-agent #####

This will ask for the passphrase of your ssh private key(s) only once when you launch a terminal. Subsequent opening of new terminal sessions (or tmux seesions) will reuse the ssh-agent created by the snippet above.

Reference

GMaster
  • 101
  • 2