Using SSH-Agent to Simplify Your SSH Experience

samuyi profile image Samuyi ・4 min read

Picture showing how ssh-agent works

SSH keys are used for identity management between an SSH server and client. Basically there are two uses of keys in SSH; to identify a server and to identify a user.
An SSH host key is used to identify a server, this ensures a client knows its talking to the right server. Usually host keys are stored in a secure repository maintained by a system administrator. When a server is provisioned, an administrator runs ssh-keyscan on the server address to get the server 's fingerprint of its keys. The server's host keys are generated on startup of the server if an SSH server is present.
The second use of SSH keys is to identity users to an SSH server. (If you're using a password on your SSH server better change to a public key to save your server from an impending dictionary attack.)Each time you try to access an SSH server you need to decrypt your private key, hence if you run:

$ ssh -l pat shell.isp.com
Enter passphrase for key '/home/you/.ssh/id_rsa': ************

You get prompted for your passphrase to decrypt your private key. It quickly gets annoying if you continuously get prompted for the passphrase every time you logout of your remote server temporarily, maybe for a bathroom break, and you have to login again. Won't it be so much better if you only got prompted once for your passphrase; perhaps initially when you boot up your work station at the beginning of work?

Supposing you have dozens of SSH servers you need to do some maintenance work on with a script. Each time the script tries to SSH into each of the servers you would have to enter the passphrase for each of the different private keys to authenticate you on every server. Assuming you have different keys for each server, which you absolutely should, It becomes a real pain in the butt to enter the passphrase for each private key. I know what your thinking; why not just store the passphrases on the client machine disk and have them fed into the script to automate authentication. You absolutely shouldn't do this because the client machine would store the passphrases in the history file also if any one with access to your machine runs ps while the script is running they'll see the passphrases in the command run by the script, even encrypting them on disk won't save you, worst of there is no way to find out if the passphrases have been compromised. What you need to do is use an ssh-agent, which is the subject of this article.

An ssh-agent is a program that caches private keys and responds to authentication related queries from SSH clients. It works with a another program called ssh-add to save you from having to retype your passphrases each time you try to authenticate to an SSH server, ssh-add adds and removes keys from the agent's key cache. A typical use might look like this:

# Start an agent  for bash like shells
$ ssh-agent $SHELL
# Load an SSH key
$ ssh-add .ssh/id_rsa
Enter passphrase for /home/you/.ssh/id_rsa:**********

By typing your passphrase once you save yourself from having to decrypt the keys each time you try to authenticate to an SSH server. Your private keys are now stored in memory by the agent. From now until you logout or terminate the agent the keys remain within the agent. SSH clients now contact the agent for all key based operations.
Agents perform two tasks:
Store your private keys in memory
Answer questions from SSH clients about those keys

They neither store your private keys on disk nor do they send them across the network. Any thing related to private keys that the SSH client needs to answer is handled by the agent.

Back to our hypothetical scenario of logging into numerous servers to carry out maintenance work. A human only needs to load the agent once with all the necessary keys for the various servers allowing the maintenance scripts carry out their functions unattended to. But of course, there is a complexity trade-off here; if you have 100 batch jobs, separate accounts or keys for each one may be too much to deal with. In that case, partition the jobs into categories according to the privileges they need, and use a separate account and/or key for each category of job. Better still you can store the passphrases for each of the servers on an external disk only mounting it when the need arises to get the passphrases. As long as there is no reboot of the system running the ssh-agent there would be no need to enter the passhrases again.

SSH agents are pretty much safe. Since the private keys are stored in memory only a very skilled attacker with root access can steal the keys in memory. However there are best practices to follow when using an agent. It is best not leave your terminal unattended while logged into your SSH client machine. While your private keys are loaded in an agent, anyone may use your terminal to connect to any remote accounts accessible via those keys, without needing your passphrase! Even worse a sophisticated intruder may succeed in stealing your keys from the your system. If you must step away from your SSH client machine ensure you logout . Even better you can run ssh-add -D to clear all keys loaded into your agent while you're away and load them back in when you return.

SSH agent is a powerful tool for automation while using SSH. They save having to type pass-phrases each time you want to decrypt a private key to access an SSH server .
They come installed with majority of the SSH clients since its pretty much part of the SSH protocol.

Posted on by:

samuyi profile



Developer, Devops enthusiast


markdown guide