21

After creating keys with the name id_rsa at its default location, I am adding the identity to the SSH agent with the command ssh-add ~/.ssh/id_rsa. It adds successfully.

I can SSH without entering the passphrase of the key, as it's already with the SSH agent.

But when I restart the machine or server and then check for the identity with the command ssh-add -L, I get the message The agent has no identities.

Does that mean that when we restart the machine, the agent loses the identity? Is this normal behavior, or is there something I am missing here?

Please guide me; I am not very familiar with SSH.

Niks
  • 871

5 Answers

17

It's normal. The purpose of a key agent is just to hold decrypted keys in memory, but it will never write them to disk. (That would defeat the purpose – why not just unprotect the main key instead?)

So the keys must be unlocked on each login, and you need to automate this – on Linux using pam_ssh is one option; it automatically uses your OS password to unlock the agent. Another similar module is pam_envoy, which is slightly more reliable afaik (but requires systemd).

Both modules will start the agent itself and load keys automatically.

grawity
  • 501,077
7

On OS X, ssh-add has a special flag to connect to Keychain if you decide to store your private key in there.

Just run ssh-add -K ~/.ssh/id_rsa.

I believe this answers your question more fully. This OS X-specific flag is hard to find documentation for, but it's been working since at least OS X Leopard.

Olivier Lacan
  • 178
  • 1
  • 5
2

It needs to be unlocked after each reboot in order to be loaded into memory. To do this, add the following to your ~/.bashrc:

eval $(ssh-agent)        # starts an agent for this shell and exports SSH_AUTH_SOCK / SSH_AGENT_PID
ssh-add ~/.ssh/id_rsa    # prompts for the passphrase once per new shell

Don't name a key pair id_rsa when you create it. Give keys a meaningful name related to the resource you're trying to access. It can be anything, there's nothing special about the default name id_rsa.

2

Try adding this to your ~/.bashrc:

# Reuse one agent across logins: a fixed symlink points at the live agent socket.
# The symlink must NOT be named after your key file, because "ln -sf" replaces
# the target: with ~/.ssh/id_rsa as the link name it would overwrite the private key.
# [ -S ] follows the symlink, so after a reboot (dead socket) a new agent is started.
if [ ! -S ~/.ssh/agent.sock ]; then
  eval `ssh-agent`
  ln -sf "$SSH_AUTH_SOCK" ~/.ssh/agent.sock
  ssh-add
fi
export SSH_AUTH_SOCK=~/.ssh/agent.sock

This should only prompt for the passphrase once, when you log in.

Shiro
  • 717
  • 5
  • 14
  • 27
1

This solution is handy if your ssh keys are passphrase protected.

The problem with all the answers above is that if your private key is passphrase protected, every time you launch a new terminal and try to use the private key, you have to type in the passphrase and you will end up running multiple copies of the ssh-agent in memory. The solution is to add the following in your ~/.bashrc or ~/.zshrc:

##### START Fix for ssh-agent #####
# Ref: http://mah.everybody.org/docs/ssh

# The agent's environment (SSH_AUTH_SOCK, SSH_AGENT_PID) is saved in this file
# so every later shell reuses the same agent instead of starting its own.
SSH_ENV="$HOME/.ssh/environment"

start_agent() {
     echo "Initialising new SSH agent..."
     # keep the export lines, comment out the "echo Agent pid ..." line so sourcing is silent
     /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
     echo succeeded
     chmod 600 "${SSH_ENV}"
     . "${SSH_ENV}" > /dev/null
     /usr/bin/ssh-add          # prompts for the passphrase(s) once
}

# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]; then
     . "${SSH_ENV}" > /dev/null
     # ps ${SSH_AGENT_PID} doesn't work under cygwin, so scan the process list for an
     # ssh-agent with the saved pid; start a fresh one if it is gone (e.g. after a reboot)
     ps -ef | grep "${SSH_AGENT_PID}" | grep 'ssh-agent$' > /dev/null || {
        start_agent
     }
else
     start_agent
fi
##### END Fix for ssh-agent #####

This will ask for the passphrase of your ssh private key(s) only once when you launch a terminal. Subsequent opening of new terminal sessions (or tmux sessions) will reuse the ssh-agent created by the snippet above.

Reference: http://mah.everybody.org/docs/ssh

GMaster
  • 111
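The last three answers all chase the same goal: one agent per user that new terminals find again and that is only restarted after a reboot, while (as the accepted answer says) decrypted keys never touch the disk. The script below is an added example written for this page; it is not code from any of the answers or from OpenSSH. It binds the agent to a fixed socket path of its own choosing (~/.ssh/agent.sock, an assumption, overridable through AGENT_SOCK) with ssh-agent -a, distinguishes the agent's three states by the exit status of ssh-add -l (0: identities loaded, 1: agent reachable but empty, 2: no agent on the socket), and loads a key only when its fingerprint is not already in the agent, so a second terminal never re-prompts. Killing the agent, which is what a reboot does, drops the state back to "down", and nothing remains on disk but the empty socket path.

```shell
#!/bin/sh
# Added example for this page, not code from the answers above or from OpenSSH.
# One agent per user, bound to a fixed socket so every shell finds it, and the
# three states that "ssh-add -l" signals through its exit status:
#   0  agent reachable and holding identities
#   1  agent reachable, no identities   ("The agent has no identities.")
#   2  nothing listening on the socket  (the state you see after a reboot)
# The socket path below is this example's own choice (assumption), not a default.

AGENT_SOCK="${AGENT_SOCK:-$HOME/.ssh/agent.sock}"

# Print loaded / empty / down for the agent behind $AGENT_SOCK.
agent_state() {
    if SSH_AUTH_SOCK="$AGENT_SOCK" ssh-add -l >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo down ;;
    esac
}

# Start an agent on the fixed socket only when nothing answers there, then
# point this shell at it. Safe to run from every .bashrc / .zshrc.
ensure_agent() {
    dir=$(dirname "$AGENT_SOCK")
    mkdir -p "$dir" && chmod 700 "$dir"
    if [ "$(agent_state)" = down ]; then
        rm -f "$AGENT_SOCK"      # stale socket file left from before a reboot
        # -a binds the listener to our path; eval exports SSH_AUTH_SOCK and
        # SSH_AGENT_PID into the current shell (the "Agent pid" echo is dropped).
        eval "$(ssh-agent -a "$AGENT_SOCK")" >/dev/null
    fi
    SSH_AUTH_SOCK="$AGENT_SOCK"
    export SSH_AUTH_SOCK
}

# Add a private key only if the agent does not already hold it, compared by the
# fingerprint of the matching .pub file, so a new terminal never re-prompts.
add_key_once() {
    key=$1
    fp=$(ssh-keygen -lf "$key.pub" | awk '{print $2}')
    if SSH_AUTH_SOCK="$AGENT_SOCK" ssh-add -l 2>/dev/null \
            | awk '{print $2}' | grep -qxF "$fp"; then
        return 0                 # already loaded, nothing to type
    fi
    SSH_AUTH_SOCK="$AGENT_SOCK" ssh-add "$key"
}
```

From ~/.bashrc call ensure_agent and then add_key_once ~/.ssh/id_rsa (or whatever the key is called); the passphrase prompt appears only the first time after a boot. The fingerprint comparison reads the .pub file next to the private key, so keep the pair together.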