ssh-add is a helper program for ssh-agent.
ssh-add adds RSA or DSA identity files to the ssh-agent. For ssh-add to work properly, the agent must be running and the SSH_AUTH_SOCK environment variable must be set in the shell where you run ssh-add, since that variable tells ssh-add which socket to connect to.
1. Fix “Could not Open” Error (and Add Default RSA/DSA identities)
By default, when you try to execute the ssh-add command, you might get the “Could not open a connection to your authentication agent.” error message as shown below.

$ ssh-add
Could not open a connection to your authentication agent.
The reason is ssh-agent is not running.
But, if you start the ssh-agent as shown below, you’ll still get the same error, because ssh-agent only prints the variables; it does not set them in your current shell.

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-cYYsc14689/agent.14689; export SSH_AUTH_SOCK;
SSH_AGENT_PID=14690; export SSH_AGENT_PID;
echo Agent pid 14690;

$ ssh-add
Could not open a connection to your authentication agent.
In order to fix the issue, start the ssh-agent as shown below. This replaces the current shell with a new bash that is started by ssh-agent and therefore already has SSH_AUTH_SOCK and SSH_AGENT_PID set.

$ exec ssh-agent bash
Now, when you execute ssh-add without arguments, it adds the ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity files to ssh-agent and does not throw any error message.

$ ssh-add
Identity added: /home/ramesh/.ssh/id_rsa (/home/ramesh/.ssh/id_rsa)
Identity added: /home/ramesh/.ssh/id_dsa (/home/ramesh/.ssh/id_dsa)
2. Display the entries loaded in ssh-agent
Use either -l (fingerprints) or -L (full public keys) as shown below to display all the RSA and DSA entries that are currently loaded into the ssh-agent.

The following example shows that there are two entries currently loaded into the ssh-agent.

$ ssh-add -l
2048 34:36:63:c2:7d:a5:13:e4 /home/ramesh/.ssh/id_rsa (RSA)
1024 ee:60:11:bf:1b:31:3b:fb /home/ramesh/.ssh/id_dsa (DSA)

$ ssh-add -L
ssh-rsa A2EAAAABIwAAAQEAtVRcaEnxOef0n5WLr9DV1JsLpx4E+P2Zf/N9JBLBbVKDD1BZf eRmLK8hZZKf0iva8+q1VNyxQB5oTfKGr79ll7KDRwfIgErw== /home/ramesh/.ssh/id_rsa
ssh-dsa 8WDTpyJiLUNlIXSfCRe7nOjeMlgyn8vM3cWsosO0x4eMDYEMvefzhev0RAtbhyBvs WLLCwkaVzCZdZvsDa2cl7zKRd+3zLSfBQRa1wpMjJaeJbCg== /home/ramesh/.ssh/id_dsa
3. Delete all entries from ssh-agent
Use option -D as shown below to remove all the identities from the ssh-agent.

$ ssh-add -D
All identities removed.

$ ssh-add -l
The agent has no identities.
4. Delete specific entries from ssh-agent
Using the -d option, you can specify exactly which entries you want to delete.

The following example removes only the default RSA entry from the ssh-agent.

$ ssh-add -l
2048 34:36:63:c2:7d:a5:13:e4 /home/ramesh/.ssh/id_rsa (RSA)
1024 ee:60:11:bf:1b:31:3b:fb /home/ramesh/.ssh/id_dsa (DSA)

$ ssh-add -d /home/ramesh/.ssh/id_rsa
Identity removed: /home/ramesh/.ssh/id_rsa (/home/ramesh/.ssh/id_rsa.pub)

$ ssh-add -l
1024 ee:60:11:bf:1b:31:3b:fb /home/ramesh/.ssh/id_dsa (DSA)
5. Lock (or) Unlock the SSH Agent
You can lock the ssh-agent as shown below using the -x option. Once you lock the agent, you cannot add, delete, or list entries in the ssh-agent without the lock password.

$ ssh-add -x
Enter lock password:
Again:
Agent locked.
After locking, if you try to add a key, you’ll see the SSH_AGENT_FAILURE message as shown below.

$ ssh-add
SSH_AGENT_FAILURE
SSH_AGENT_FAILURE
Could not add identity: /home/ramesh/.ssh/id_rsa
To unlock an agent, use the -X option as shown below. Make sure you enter the same password that you gave while locking the agent. If you give a wrong password, you’ll see the “Failed to unlock agent.” message.

$ ssh-add -X
Enter lock password:
Agent unlocked.