Stupid ssh-add Tricks
If you are reading my blog, odds are you already know how to use ssh-add to manage your SSH keys. If not, you can read up on it. Up to speed? ssh-add has a few other features that people, including me, forget about. Let’s take a look.
Listing
You can list the currently loaded keys with -l and -L. The former displays the keys’ fingerprints while the latter displays the entire public key. Both list the path of the file the key came from, which is the only way I recognize them.
Deleting
ssh-add -d file removes the key in file from the agent. ssh-add -D clears out all keys, taking you back to square one.
Locking
You can simply run ssh-add -D to remove all of your keys from the agent, but then you have to go through the trouble of adding them back. However, if you just want to step away and make sure your keys are protected, you can use ssh-add -x:
% ssh-add -x
Enter lock password:
Again:
Agent locked.
The agent still has your keys, but won’t allow them to be used until unlocked with ssh-add -X:
% ssh-add -X
Enter lock password:
Agent unlocked.
Expiring
Instead of locking your keys, you can set an auto-expiry with -t, after which the key will automatically be deleted from the agent:
% ssh-add -t 60 ~/.ssh/random_rsa
Enter passphrase for /Users/spike/.ssh/random_rsa:
Identity added: /Users/spike/.ssh/random_rsa (/Users/spike/.ssh/random_rsa)
Lifetime set to 60 seconds
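The listing, deleting and expiring features above, exercised end to end in a shell script. This is an added example, not code from the original post: it parses the output of ssh-add -l (the third field is the comment, which for keys loaded from a file is the file path), checks that none of a list of high-security key paths is currently loaded in the agent, and, when the OpenSSH client tools are installed, starts a private throwaway agent with a throwaway key to show the -t lifetime being enforced and -D clearing the agent afterwards. The sample listing, the key paths and the function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Exercises ssh-add listing (-l),
# lifetime expiry (-t) and deletion (-D) against a private, throwaway agent.
# Assumes the OpenSSH client tools (ssh-agent, ssh-keygen, ssh-add) are on PATH
# for the live part; the parsing part needs only awk and grep.

# Constructed sample of "ssh-add -l" output: "<bits> <fingerprint> <comment> (<type>)".
# For keys loaded from a file the comment is the file path, which is what makes
# the listing recognisable. The fingerprints are made-up placeholders.
SAMPLE_LISTING='256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /home/spike/.ssh/id_ed25519 (ED25519)
3072 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB /home/spike/.ssh/random_rsa (RSA)'

# Print the comment (file path) of every key in a listing read from stdin.
# Only real key lines carry a fingerprint containing ':' in field 2, so the
# "The agent has no identities." message is skipped.
listing_paths() {
    awk '$2 ~ /:/ { print $3 }'
}

# Same, but for the agent the current shell is talking to.
agent_key_paths() {
    ssh-add -l 2>/dev/null | listing_paths
}

# Exit 0 if the key loaded from file $1 is currently in the agent.
agent_has_key() {
    agent_key_paths | grep -qxF "$1"
}

# Defender-side check: read a listing on stdin and report any of the given
# key paths that are loaded. Returns 0 when none are, 1 when at least one is.
# Handy for confirming that high-security keys are not sitting in the agent.
sensitive_keys_loaded() {
    loaded="$(listing_paths)"
    found=0
    for path in "$@"; do
        if printf '%s\n' "$loaded" | grep -qxF "$path"; then
            echo "sensitive key loaded: $path"
            found=1
        fi
    done
    return "$found"
}

# True when the OpenSSH client tools needed for the live demo are installed.
ssh_tools_available() {
    command -v ssh-agent >/dev/null 2>&1 &&
    command -v ssh-keygen >/dev/null 2>&1 &&
    command -v ssh-add >/dev/null 2>&1
}

# Live demo: start a private agent, load a throwaway key with a lifetime of
# $1 seconds (default 2), confirm it is listed, wait for the lifetime to pass
# and confirm the agent dropped it, then clear the agent with -D.
# Returns 0 only if every step behaved as expected.
demo_key_lifetime() {
    lifetime="${1:-2}"
    workdir="$(mktemp -d)" || return 1
    keyfile="$workdir/throwaway_ed25519"
    status=1

    # A private agent, so the user's real agent and keys are never touched.
    eval "$(ssh-agent -s)" >/dev/null 2>&1
    # Throwaway key with an empty passphrase so ssh-add does not prompt; the
    # comment is set to the path so the listing shows it like any file key.
    ssh-keygen -q -t ed25519 -N '' -C "$keyfile" -f "$keyfile" </dev/null

    if ssh-add -t "$lifetime" "$keyfile" >/dev/null 2>&1 && agent_has_key "$keyfile"; then
        echo "loaded: $keyfile (lifetime ${lifetime}s)"
        sleep "$((lifetime + 1))"
        if agent_has_key "$keyfile"; then
            echo "unexpected: key still loaded after its lifetime"
        else
            echo "expired: the agent removed the key on its own"
            status=0
        fi
    fi

    ssh-add -D >/dev/null 2>&1      # back to square one
    ssh-agent -k >/dev/null 2>&1    # stop the private agent
    rm -rf "$workdir"
    return "$status"
}

# Stand-alone run: offline check on the sample, then the live demo if possible.
printf '%s\n' "$SAMPLE_LISTING" | sensitive_keys_loaded /home/spike/.ssh/prod_rsa \
    && echo "no sensitive keys in the sample listing"
if ssh_tools_available; then
    demo_key_lifetime 2
else
    echo "OpenSSH client tools not found; skipping the live demo"
fi
```

The listing filter keys on the ':' inside the fingerprint field so that both the modern SHA256: form and the older colon-separated hex form are matched while the "no identities" message is ignored; the live part uses its own agent socket so it never lists, expires or deletes anything in the agent you are actually logged in with.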
OS X Specific
On OS X ssh-add is integrated with the system keychain. If you give the -K option, as in ssh-add -K, when you add a key, that key’s password will be added to the keychain. As long as your keychain is unlocked, a key that has been stored in this way doesn’t require a password to be loaded into the agent.
All keys with their password stored in the keychain will automatically be loaded when you run ssh-add -A. This happens automatically on login.
I have mixed feelings about this feature: preloading your keys makes life easier, but it does remove a layer of security. If someone accesses your Mac, they get your keys. On the other hand, they probably get a lot of other things too. Typically, I take the lazy approach for everyday keys and keep the high-security ones out of the keychain.
When a password has been stored in the keychain, ssh-add -K -d key-file both removes the key from the agent and removes its password from the keychain. Without -K, -d does not change the keychain and the key can be reloaded without a password. -D silently ignores -K.
There you have it: a pretty small but surprisingly helpful set of features that you now have in your bag of tricks.