How to make ssh-agent automatically add the key on demand?
I want to run ssh-agent (with maximum lifetime option), but not add any keys at startup, but instead add them on demand.
Like first time I login to some server it should ask for passphrase, next time (unless I waited for more than a hour) it should connect cleanly:
ssh server1
Enter passphrase for key '/home/vi/.ssh/id_dsa':
server1> ...
ssh server2
server2> # no passphrase this time
# wait for lifetime
ssh server2
Enter passphrase for key '/home/vi/.ssh/id_dsa':
I don't want to manually remember about running 'ssh-add' each time. (e.g. entered passphrase for just for ssh and "Oh, it hasn't remembered, need to retype").
How to configure ssh to automatically add key to ssh-agent if user provided the passphrase?
Solution 1:
ssh supports adding a key to the agent on first use (since version 7.2).
You can enable that feature by putting the following into ~/.ssh/config
:
AddKeysToAgent yes
This also works when using derivative tools, such as git.
From the 7.2 changelog:
- ssh(1): Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm').
Solution 2:
You could cheat and put something like alias ssh='ssh-add -l || ssh-add && ssh'
on your .bashrc
/ .profile
. This first runs ssh-add -l
, which can return 0 (there are keys on agent), 1 (no keys) or 2 (no agent running); if it returns 0, ssh
will run; if 1, ssh-add
will run and then ssh
; if 2, ssh-add
will fail and ssh
won't be run. Replace the &&
with ;
if you want ssh
to run even when there's no agent running.
Solution 3:
Until auto-call-ssh-add is supported by ssh, I added this in my .bashrc
, based on Kovensky proposal:
ssh-add -l >/dev/null || alias ssh='ssh-add -l >/dev/null || ssh-add && unalias ssh; ssh'
The alias is created only if the identity is not added, and the alias destroys itself once run.
This way the regular ssh command is used after the identity has been added.
Solution 4:
I'm using the following shell function:
ssh() {
local possible_keys=($(/usr/bin/env ssh -G $@ | grep '^identityfile' \
| cut -d " " -f 2- | sed -e "s|^~|$HOME|"))
for k in $possible_keys; do
if [[ -f $k ]]; then
local fingerprint=$(ssh-keygen -lf $k)
ssh-add -l | grep -q "$fingerprint" || ssh-add $k
fi
done
/usr/bin/env ssh $@
return $?
}
It first resolves the configuration for the host I'm trying to connect to, then adds possible keys for that host to the ssh-agent if they're not added yet and finally connects to the host. I'm sure it can be improved, so I'm open for feedback.