Using PKCS#8 encrypted private keys w/ ssh-agent

Unsetting SSH_AUTH_SOCK is a workaround, but doing so disables ssh-agent, which some people might still want to use.

It seems that ssh-agent can't sign anything with the private key because it doesn't properly decrypt it when automatically adding this key to the keyring.

If one generates the standard id_rsa identity file in ~/.ssh, or stores a private key along with its public key in ~/.ssh, ssh-agent automatically adds this to its keyring. But when doing so, it doesn't prompt for a passphrase, and it never decrypts the key.

The solution is to add the key manually. Remove all PKCS#8 encrypted keys from the ssh-agent using ssh-add -D and move the private and public key files out of ~/.ssh. Reboot or run ssh-agent -k, then move your PKCS#8 encrypted PRIVATE key back to ~/.ssh. Using ssh-add, one is prompted for the decryption passphrase. ssh-agent can now access the unencrypted private key, and therefore sign stuff with it.

(via Damon Dransfeld)
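
To find which files in ~/.ssh are PKCS#8 encrypted keys and therefore need the manual ssh-add described above, the PEM label on the first line is enough. This is an added example, not part of the original note; the function names key_format and list_pkcs8_encrypted are hypothetical, and the sample files are constructed headers, not real keys.

```shell
#!/bin/sh
# Classify a private key file by its PEM label (first line of the file).
key_format() {
    [ -r "$1" ] || return 1
    first=$(head -n 1 "$1" | tr -d '\r')   # tolerate CRLF line endings
    case "$first" in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8-plain" ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo "openssh" ;;
        "-----BEGIN "*" PRIVATE KEY-----")
            # Traditional PEM (RSA/DSA/EC): encryption is flagged in a header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo "pem-encrypted"
            else
                echo "pem-plain"
            fi ;;
        *) echo "not-a-private-key" ;;
    esac
}

# Print every PKCS#8 encrypted key file in a directory (default: ~/.ssh).
list_pkcs8_encrypted() {
    dir=${1:-"$HOME/.ssh"}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$(key_format "$f")" = "pkcs8-encrypted" ] && printf '%s\n' "$f"
    done
    return 0
}

# Constructed sample directory: header-only files standing in for keys.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$demo/id_rsa"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'   > "$demo/id_ed25519"
printf '%s\n' 'ssh-rsa AAAA user@host'                > "$demo/id_rsa.pub"
list_pkcs8_encrypted "$demo"   # lists only $demo/id_rsa
rm -rf "$demo"
```

Run list_pkcs8_encrypted with no argument to check ~/.ssh; each file it prints is a key to add with ssh-add so that the passphrase prompt appears.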