Ssh-Agent

How to add an SSH key to the SSH agent

Learn how to load and use your SSH key together with an SSH agent.

Summary

When the SSH agent is running, the ssh-add command can be used to load an SSH key. ssh-add then prompts for the key's passphrase, when it has one, and hands the decrypted key to the agent, which keeps it in memory.

Adding the SSH key just requires the path to the private key.

ssh-add ~/.ssh/id_ed25519

When the key is loaded, use the -l or -L option to show the identities that the SSH agent holds.

ssh-add -l

SSH ProxyJump option

Learn about the SSH client option ProxyJump, which allows using a bastion host or jump server to connect to other systems.

Summary

The ProxyJump option defines a bastion host (jump host, jump server, jump box) to use.

Values

Value                 Meaning
none                  Disable ProxyJump functionality
HOST                  Define the hostname of the bastion host
[USER@]HOST[:PORT]    Define one or more parameters of the bastion host
URI                   Define parameters in URI format

Hostname

Format: hostname

SSH ForwardAgent option

Learn about the ForwardAgent option, available values, the security risks, and how to configure it.

Summary

The ForwardAgent option specifies whether SSH agent forwarding is allowed.

ForwardAgent values

Value           Meaning
Yes             Agent forwarding is allowed
No (default)    Agent forwarding is not allowed
PATH            Path to the agent socket
$VARIABLE       Environment variable that stores the path

Security caution

Agent forwarding should not be used unless strictly needed. Any user that can access the agent's socket, referenced by SSH_AUTH_SOCK on the remote system, can use it through the forwarded connection. While the key material may not be accessible, the keys can still be used to authenticate as any of the identities that are active in the SSH agent.
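The practical way to act on this caution, and on the ProxyJump section above, is to keep ForwardAgent off by default and enable it only in the Host blocks that strictly need it; a host reached through a bastion with ProxyJump needs no agent forwarding on the bastion at all. The script below is an added example, not code from the original articles: it lists the Host blocks of an ssh_config file that set ForwardAgent yes and fails when a wildcard "Host *" block forwards the agent everywhere. The two sample configurations are constructed for illustration and the host names in them are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: list the Host blocks of an
# ssh_config file that enable agent forwarding, so forwarding can be kept off
# by default and turned on only for the hosts that strictly need it.
# The two sample configurations below are constructed for illustration;
# the host names in them are placeholders.

# Print the Host/Match pattern(s) of every block that sets "ForwardAgent yes".
# Assumes the "keyword value" spelling; "keyword=value" is not handled.
forwarding_hosts() {
    awk '
        BEGIN { block = "(global)" }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            key = tolower($1)
            if (key == "host" || key == "match") {
                block = $2
                for (i = 3; i <= NF; i++) block = block " " $i
                next
            }
            if (key == "forwardagent" && tolower($2) == "yes") print block
        }
    ' "$1"
}

# Return 1 when a wildcard block "Host *" forwards the agent, which would
# forward it to every server you connect to, bastions included.
check_config() {
    forwarding_hosts "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i == "*") wildcard = 1 }
        END { exit (wildcard ? 1 : 0) }
    '
}

# Risky layout: forwarding enabled globally.
write_risky_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
Host *
    ForwardAgent yes

Host bastion
    HostName bastion.example.invalid

Host internal
    ProxyJump bastion
EOF
}

# Safer layout: forwarding off by default, enabled for the one host that
# needs it; "internal" is reached through the bastion with ProxyJump, which
# needs no agent forwarding on the bastion at all.
write_safer_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
Host *
    ForwardAgent no

Host legacy-build
    HostName build.example.invalid
    ForwardAgent yes

Host internal
    ProxyJump bastion
EOF
}

# Usage: sh forwardagent-check.sh ~/.ssh/config
# (nothing runs when the file is sourced or executed without an argument)
if [ -n "${1:-}" ]; then
    echo "blocks with ForwardAgent yes in $1:"
    forwarding_hosts "$1"
    if check_config "$1"; then
        echo "ok: no wildcard forwarding"
    else
        echo "warning: a 'Host *' block forwards the agent to every server"
    fi
fi
```

Run it against your own ~/.ssh/config; the checker only reads the file, so it is safe to use on a live configuration. Keywords are matched case-insensitively, as ssh_config itself does, but the "keyword=value" spelling is not parsed.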

What is SSH agent forwarding?

Learn more about the SSH agent forwarding feature and the problems it tries to solve.

Summary

The agent forwarding feature in SSH allows your local SSH agent to be reached through an existing SSH connection. This way you don't have to store copies of your private keys on intermediate systems to use them for authentication. While agent forwarding simplifies things, it also introduces a new risk related to the Unix domain socket. If a user on the intermediate system can access that socket, they may abuse the connection back to your SSH agent to authenticate on your behalf.

How to start the SSH agent?

When the SSH agent is not running, how can you start it? This article looks at the options.

Summary

The ssh-agent command is started manually using eval $(ssh-agent). This starts the SSH agent and makes it available to clients, such as ssh, that want to use it.

To confirm that the agent is running, look at the SSH_AUTH_SOCK environment variable.
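The steps from the ssh-add article above and from this one fit together in one small script: check SSH_AUTH_SOCK, start an agent only when no usable socket is reachable, load a key, and list what the agent holds. This is an added example, not code from the original articles; the key path in KEY_PATH is an assumption and should point at your own private key file.

```shell
#!/bin/sh
# Added example, not taken from the original articles: bring up an SSH agent
# only when none is reachable, then load a key and list the loaded identities.
# KEY_PATH is an assumption; point it at your own private key file.

KEY_PATH="${KEY_PATH:-$HOME/.ssh/id_ed25519}"

# Succeed only when SSH_AUTH_SOCK is set and names an existing Unix socket,
# which is the check the articles describe for "is an agent running?".
agent_socket_ok() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Start an agent for this shell if no agent socket is reachable yet.
# eval is required: ssh-agent prints the export statements for SSH_AUTH_SOCK
# and SSH_AGENT_PID, and the current shell has to evaluate them itself.
ensure_agent() {
    if agent_socket_ok; then
        echo "agent already reachable at $SSH_AUTH_SOCK"
    else
        eval "$(ssh-agent -s)" >/dev/null
        echo "started agent, socket at $SSH_AUTH_SOCK"
    fi
}

# Load one private key; ssh-add prompts for the passphrase if the key has one.
load_key() {
    ssh-add "$1"
}

# -l lists fingerprints of the loaded identities, -L prints the full public keys.
list_identities() {
    ssh-add -l
}

# Usage: sh agent-setup.sh run
# (nothing runs when the file is sourced or executed without the argument)
if [ "${1:-}" = "run" ]; then
    ensure_agent
    load_key "$KEY_PATH"
    list_identities
fi
```

Checking for an existing socket before starting an agent matters because each eval $(ssh-agent) starts another agent process with its own empty key store; an agent started by a desktop session, such as Gnome Keyring, is reused instead.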

Automatic start of SSH agent

Gnome Keyring SSH Agent

When using Gnome, an SSH agent typically comes along as part of Gnome Keyring. It automatically loads any key files in ~/.ssh for which both the private and the public key are available.

What is the purpose of the SSH agent?

What is the purpose of the SSH agent and when to use it?

Summary

The ssh-agent command starts the SSH agent, a helper utility that holds private keys when using public key authentication. The ssh-agent process is usually started at the beginning of a login session and can then be connected to by an SSH client. Clients find the agent through the environment variable named SSH_AUTH_SOCK.

How to disable the usage of the SSH agent

Learn how to disable the usage of the SSH agent when authenticating.

Summary

Disable usage of SSH agent identities