If you are reading my blog, odd are you already know how to use ssh-add to manage you SSH keys. If not, you can read up on it.

Up to speed? ssh-add has a few other features that people, including me, forget about. Let’s take a look.

Listing

You can list the currently loaded keys with -l and -L. The former displays the keys’ fingerprints while the latter displays the entire public key. Both list the path of file the key came from, which it the only way I recognize them.

Deleting.

ssh-add -d file removes the key the file from the agent. ssh -D clears out all keys, taking you back to square one.

Locking

You can simply run ssh-add -D to remove all of your keys from the Agent, but then you have to go through the trouble of adding them back. However, if you just want to step away and make sure your keys are protect, you can use ssh-add -x:

1
2
3
4
% ssh-add -x
Enter lock password:
Again:
Agent locked.

The Agent still has your keys, but won’t allow them to be used until unlocked with ssh-add -X:

1
2
3
ssh-add -X
Enter lock password:
Agent unlocked.

Expiring

Instead of locking your keys, you can set an auto-expiry with -t after which the key will automatically be deleted from the agent:

1
2
3
4
ssh-add -t 60  ~/.ssh/random_rsa
Enter passphrase for /Users/spike/.ssh/random_rsa:
Identity added: /Users/spike/.ssh/random_rsa (/Users/spike/.ssh/random_rsa)
Lifetime set to 60 seconds

OS X Specific

On OS X ssh-add is integrated with the system keychain. If you give the -K option, as in ssh-add -K, when you add a key, that key’s password will be added to the keychain. As long as your keychain is unlocked, a key that has been stored in this way doesn’t require a password to be loaded into the agent.

All keys with their password stored in the keychain will automatically be loaded when you run ssh -A. This happens automatically on login.

I have mixed feeling about this feature, preloading your keys makes life easier, but it does remove a layer of security. If someone access your Mac, they get your keys. On the other hand, the probably get a lot of other things too. Typically, I take the lazy approach for everyday keys and keep the high-security ones out of the keychain.

When a password has been stored in keychain, ssh -K -d key-file both removes the key from the agent and removes it password from the keychain. Without -K, -d does not change the keychain and the key can be reloaded without a password. -D silently ignores -K.

There you have it, a pretty small but surprisingly helpful set of features, you now have in your bag of tricks.

Comments