SSH Agent loses identity while restart machine

After creating keys with name id_rsa at it's default location. I am adding identity to SSH agent with command ssh-add ~/.ssh/id_rsa, It's adding successfully.

I can SSH without entering pass phrase of key as It's already with SSH Agent.

But ,when I restart machine or server and then check for identity with command ssh-add -L I am getting message like The agent has no identities.

Does that means when we restart machine, Agent lost identity? Is this normal behavior or some thing I am missing here?

Please guide me, I am not much familiar with SSH.

Niks

Posted 2015-08-05T08:55:21.433

Reputation: 741

See this thread on Unix&Linux site.

– janosdivenyi – 2016-07-22T09:07:29.207

Answers

It's normal. The purpose of a key agent is just to hold decrypted keys in memory, but it will never write them to disk. (That would defeat the purpose – why not just unprotect the main key instead?)

So the keys must be unlocked on each login, and you need to automate this – on Linux using pam_ssh is one option; it automatically uses your OS password to unlock the agent. Another similar module is pam_envoy, which is slightly more reliable afaik (but requires systemd).

Both modules will start the agent itself and load keys automatically.

user1686

Posted 2015-08-05T08:55:21.433

Reputation: 283 655

any idea how to automate on mac osx terminal? – Niks – 2015-08-05T10:37:27.593

When I ran command $SSH_AUTH_SOCK I am getting result as: -bash: /tmp/ssh-gT43vE99vk/agent.511: Permission denied

I am confused here.. weather my agent forwarding working or not.. can you plz guide? – Niks – 2015-08-08T06:27:33.633

It's not meant to be used as a command – it's a variable, something you use as part of another command. For example echo $SSH_AUTH_SOCK to print its value. – user1686 – 2015-08-08T12:32:25.140

hey buddy.. any idea? http://stackoverflow.com/questions/31916395/libssh2-agent-forwarding-not-working

– Niks – 2015-08-10T10:19:46.050

Try to this to your ~/.bashrc:

if [ ! -S ~/.ssh/id_rsa ]; then
  eval `ssh-agent`
  ln -sf "$SSH_AUTH_SOCK" ~/.ssh/id_rsa
  ssh-add
fi
export SSH_AUTH_SOCK=~/.ssh/id_rsa

This should only prompt for the password once you are login.

Shiro

Posted 2015-08-05T08:55:21.433

Reputation: 619

Thanks for reply, That means SSH agent is working properly. And after adding this it won't require to add identity each time when start machine? Sorry if this is silly question but I am very new to ssh. – Niks – 2015-08-05T09:21:07.403

If you ssh key have password, it will prompt every time you login. – Shiro – 2015-08-05T09:51:22.193

This answer is harmful. If you do what it says, it will delete your private key. If you have no other way to authenticate, you will lose access to systems where you have been using public key authentication. – kasperd – 2016-03-28T23:13:45.433

On OS X, ssh-add has a special flag to connect to Keychain if you decide to store your private key in there.

Just run ssh-add -K ~/.ssh/id_rsa.

I believe this answers your question more fully. This OS X specific flag is hard to find documentation for but it's been working since at least OS X Leopard.

Olivier Lacan

Posted 2015-08-05T08:55:21.433

Reputation: 129

This is the proper answer, followed by a ssh-add -A which will add all keys in Keychain. Additionally, also create a ~/.ssh/config and add UseKeychain yes so macOS will always preserve your key, as described here: https://unix.stackexchange.com/questions/140075/ssh-add-is-not-persistent-between-reboots

– lucasarruda – 2017-10-03T21:50:41.900

My MacBook still forgets my identity when I reboot, even after trying this. – Dominic Sayers – 2018-06-05T13:55:16.030