How to make ssh-agent automatically add the key on demand?

ssh ssh-agent

I want to run ssh-agent (with maximum lifetime option), but not add any keys at startup, but instead add them on demand.

Like first time I login to some server it should ask for passphrase, next time (unless I waited for more than a hour) it should connect cleanly:

ssh server1
Enter passphrase for key '/home/vi/.ssh/id_dsa':
server1> ...

ssh server2
server2> # no passphrase this time

# wait for lifetime

ssh server2
Enter passphrase for key '/home/vi/.ssh/id_dsa':

I don't want to manually remember about running 'ssh-add' each time. (e.g. entered passphrase for just for ssh and "Oh, it hasn't remembered, need to retype").

How to configure ssh to automatically add key to ssh-agent if user provided the passphrase?


Solution 1:

ssh supports adding a key to the agent on first use (since version 7.2).  You can enable that feature by putting the following into ~/.ssh/config:

AddKeysToAgent yes

This also works when using derivative tools, such as git.

From the 7.2 changelog:

  • ssh(1): Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'.  When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm').

Solution 2:

You could cheat and put something like alias ssh='ssh-add -l || ssh-add && ssh' on your .bashrc / .profile. This first runs ssh-add -l, which can return 0 (there are keys on agent), 1 (no keys) or 2 (no agent running); if it returns 0, ssh will run; if 1, ssh-add will run and then ssh; if 2, ssh-add will fail and ssh won't be run. Replace the && with ; if you want ssh to run even when there's no agent running.

Solution 3:

Until auto-call-ssh-add is supported by ssh, I added this in my .bashrc, based on Kovensky proposal:

ssh-add -l >/dev/null || alias ssh='ssh-add -l >/dev/null || ssh-add && unalias ssh; ssh'

The alias is created only if the identity is not added, and the alias destroys itself once run.

This way the regular ssh command is used after the identity has been added.

Solution 4:

I'm using the following shell function:

ssh() {
    local possible_keys=($(/usr/bin/env ssh -G $@ | grep '^identityfile' \
                           | cut -d " " -f 2- | sed -e "s|^~|$HOME|"))
    for k in $possible_keys; do
        if [[ -f $k ]]; then
            local fingerprint=$(ssh-keygen -lf $k)
            ssh-add -l | grep -q "$fingerprint" || ssh-add $k
        fi
    done
    /usr/bin/env ssh $@
    return $?
}

It first resolves the configuration for the host I'm trying to connect to, then adds possible keys for that host to the ssh-agent if they're not added yet and finally connects to the host. I'm sure it can be improved, so I'm open for feedback.

Related

How to tar a directory preserving not only permissions, but ownership too
Is there any way to set the priority of a process in Mac OS X?
Force-refreshing only JavaScript files in Firefox and Chrome
How do I speed up a video by 60X in ffmpeg?
How to split a multipage TIFF file on Windows?
How to use A-B repeat feature of VLC?
How to use Cmd's tab autocomplete effectively?
How do I convert a .PNG into a .ICO?
Why are USB flash drives so much slower than SSDs?
How to view serial COM ports but not through Device Manager
What does Matroska have which WebM doesn't, that made the differentiation necessary?
terminal tool (linux) for repair corrupted zip files