Use the Key Agent

You can use the key agent, ssh-agent, to manage the private keys that you use for authentication. The agent enables you to store private keys and use these keys to authenticate ssh, scp, and sftp sessions. Because passphrases are required only when you add keys to the agent, using the agent can simplify scripting that relies on ssh. By default, the connection to the agent can be forwarded, which means you can use the stored identities securely anywhere in the network.

NOTE: Because agent forwarding creates an added security risk (any host you connect to can use your loaded keys while the session is open), you may want to disallow it. Set ForwardAgent to no on the client and AllowAgentForwarding to no on the server.
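The following shell functions are an added example, not part of the original documentation: they read a client (ssh_config) or server (sshd_config) file and report whether agent forwarding is disabled. The sample configuration files are constructed for the example. The check applies the rule that both files use the first matching directive for a keyword, and assumes the usual defaults (ForwardAgent no on the client, AllowAgentForwarding yes on the server); Host and Match blocks are not evaluated, so an audit of a real file must account for them separately.

```shell
#!/bin/sh
# Added example: is agent forwarding disabled in an ssh client or server config?
# Sample files below are constructed; nothing here comes from a real system.

# Print the effective value of KEYWORD in FILE, or DEFAULT when it is absent.
# ssh_config and sshd_config both take the first matching directive, so later
# duplicates are ignored. Comment and blank lines are skipped; the keyword
# match is case-insensitive and accepts "Keyword value" and "Keyword=value".
config_value() {
    file=$1; keyword=$2; default=$3
    kw=$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')
    value=$(awk -v kw="$kw" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            gsub(/=/, " ", line)
            n = split(line, f, /[[:space:]]+/)
            if (n >= 2 && tolower(f[1]) == kw) { print tolower(f[2]); exit }
        }' "$file")
    printf '%s\n' "${value:-$default}"
}

# Return 0 when FILE disables agent forwarding, 1 otherwise.
# KIND is "client" (ForwardAgent, default no) or "server"
# (AllowAgentForwarding, default yes).
agent_forwarding_disabled() {
    case $2 in
        client) [ "$(config_value "$1" ForwardAgent no)" = no ] ;;
        server) [ "$(config_value "$1" AllowAgentForwarding yes)" = no ] ;;
        *) echo "usage: agent_forwarding_disabled FILE client|server" >&2; return 2 ;;
    esac
}

# Constructed sample files (removed again when the shell exits).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/ssh_config" <<'EOF'
# client config: forwarding explicitly off
Host *
    ForwardAgent no
EOF
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# server config with no AllowAgentForwarding line: the default (yes) applies
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
AllowAgentForwarding no
AllowAgentForwarding yes   # ignored: the first value wins
EOF

# Human-readable report for each sample file.
report() {
    for spec in "ssh_config client" "sshd_config server" "sshd_config.hardened server"; do
        set -- $spec
        if agent_forwarding_disabled "$SAMPLE_DIR/$1" "$2"; then
            echo "$1: agent forwarding disabled"
        else
            echo "$1: agent forwarding ALLOWED"
        fi
    done
}
report
```

To check a real system, point the functions at /etc/ssh/ssh_config, ~/.ssh/config and /etc/ssh/sshd_config instead of the sample directory.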

To launch the agent in your current shell

  • Use the following command:

    eval `ssh-agent`

    When you launch using eval, you need to terminate the agent process manually: kill it by its PID, or use -k, as shown here:

    ssh-agent -k

To launch the agent in a subshell

  • Use the command argument to specify your shell; for example:

    ssh-agent $SHELL

    When you launch the agent in a subshell, it terminates automatically when you log out of the shell.

To add keys to the agent

  • Use ssh-add; for example, to start the agent in your current shell and load it with the keys in your identification file, use the following command sequence:

    eval `ssh-agent`
    ssh-add

    You are prompted for passphrases when keys are added to the agent. After you have loaded the keys, you can connect to the servers that require any of the loaded keys without having to enter a passphrase.

    NOTE:

    • When you run ssh-agent alone on the command line, it prints the commands that set the environment variables it requires, but it does not set them. To set them, copy the displayed text, paste it on the command line, and execute it. Until you do this, ssh-add cannot find the agent. This additional step is not required when you use eval or $SHELL as shown in the preceding examples.

    • If you use X11, call ssh-add with '< /dev/null' so that passphrase prompts use the ssh-askpass window instead of the terminal.

    • If you are using private keys associated with X.509 certificates, use the ssh-add -x option to add these keys to the key agent:

      ssh-add -x
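The script below is an added example, not from the original documentation, that ties the preceding steps together: it starts an agent for one job, loads a key, runs a command, and always stops the agent afterwards with -k. Instead of eval, it reads the agent's printed environment settings with a small helper, which is exercised here on a constructed copy of that output (the socket path and PIDs are made up). The key file, the command and the -s flag of ssh-agent (Bourne-shell output) are assumptions for the example.

```shell
#!/bin/sh
# Added example: run one command under a private ssh-agent that is always
# stopped when the script ends. Not the documentation's own code.

# Read one variable (SSH_AUTH_SOCK or SSH_AGENT_PID) from the Bourne-shell
# style text ssh-agent prints. This is the work that eval `ssh-agent` does
# implicitly; extracting the values lets a script check them before use.
agent_var() {
    name=$1
    text=$2
    printf '%s\n' "$text" | sed -n "s/^${name}=\([^;]*\);.*/\1/p" | head -n 1
}

# Constructed sample of the agent's output, in the form eval would execute.
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;
echo Agent pid 4243;'

# Usage: run_with_agent KEYFILE COMMAND [ARGS...]
# Starts an agent for this script only, loads KEYFILE into it (you are
# prompted for the passphrase), runs COMMAND, and kills the agent on exit,
# even when COMMAND fails, so no agent is left running after the job.
run_with_agent() {
    keyfile=$1; shift
    command -v ssh-agent >/dev/null 2>&1 || { echo "ssh-agent not found" >&2; return 1; }
    output=$(ssh-agent -s) || return 1
    SSH_AUTH_SOCK=$(agent_var SSH_AUTH_SOCK "$output"); export SSH_AUTH_SOCK
    SSH_AGENT_PID=$(agent_var SSH_AGENT_PID "$output"); export SSH_AGENT_PID
    [ -S "$SSH_AUTH_SOCK" ] || { echo "agent socket missing" >&2; return 1; }
    # -k uses SSH_AGENT_PID, so the trap stops exactly the agent started above.
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT INT TERM
    ssh-add "$keyfile" || return 1
    ssh-add -l                        # list the identities now loaded
    "$@"
}

# Example invocation (hypothetical key and host; only runs when called):
#   run_with_agent "$HOME/.ssh/id_ed25519" ssh -T git@example.com
```

Under X11, change the ssh-add line to ssh-add "$keyfile" < /dev/null so that the passphrase is requested through the ssh-askpass window, as described in the note above.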