How to make ssh-agent automatically add the key on demand?

I want to run ssh-agent (with maximum lifetime option), but not add any keys at startup, but instead add them on demand.

Like first time I login to some server it should ask for passphrase, next time (unless I waited for more than a hour) it should connect cleanly:

ssh server1
Enter passphrase for key '/home/vi/.ssh/id_dsa':
server1> ...

ssh server2
server2> # no passphrase this time

# wait for lifetime

ssh server2
Enter passphrase for key '/home/vi/.ssh/id_dsa':

I don't want to manually remember about running 'ssh-add' each time. (e.g. entered passphrase for just for ssh and "Oh, it hasn't remembered, need to retype").

How to configure ssh to automatically add key to ssh-agent if user provided the passphrase?

Vi.

Posted 2011-08-20T17:27:09.630

Reputation: 13 705

possible duplicate of Can I make ssh-agent wait until I use ssh to prompt for a password?

– user1686 – 2011-08-20T17:56:11.903

Answers

ssh supports adding a key to the agent on first use (since version 7.2). You can enable that feature by putting the following into ~/.ssh/config:

AddKeysToAgent yes

This also works when using derivative tools, such as git.

From the 7.2 changelog:

ssh(1): Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm').

spheenik

Posted 2011-08-20T17:27:09.630

Reputation: 696

This requires a ssh-agent to be running. Refer to https://stackoverflow.com/a/24347344/4573065 + its comments for a good way to start it (only once).

– ST-DDT – 2018-07-10T09:23:15.250

you may want to make sure your ~/.ssh/config file has the right permissions with chmod 600 ~/.ssh/config – Kerem – 2020-01-03T18:56:09.400

You could cheat and put something like alias ssh='ssh-add -l || ssh-add && ssh' on your .bashrc / .profile. This first runs ssh-add -l, which can return 0 (there are keys on agent), 1 (no keys) or 2 (no agent running); if it returns 0, ssh will run; if 1, ssh-add will run and then ssh; if 2, ssh-add will fail and ssh won't be run. Replace the && with ; if you want ssh to run even when there's no agent running.

Jessidhia

Posted 2011-08-20T17:27:09.630

Reputation: 2 602

4It will request passphrase to the key even when further ssh command does not use it. – Vi. – 2011-09-09T15:02:18.813

@Vi. true, but rare are the commands that don't use them (unless you're connecting to a server that uses keyboard-interactive). The key will be in the agent whenever you need them afterwards though. Also, the alias fortunately (or unfortunately) doesn't change backend uses of ssh (such as with git or rsync). – Jessidhia – 2012-04-03T12:05:38.777

2(thinking about writing auto-call-ssh-add patch for ssh client) – Vi. – 2012-04-03T17:48:06.273

Based on this answer you can create an aliases for a specific hosts: alias ssh-hostname='(ssh-add -l | grep hostname > /dev/null) || ssh-add ~/.ssh/id_rsa_hostname && ssh -p 12345 username@hostname'. You could even put that in a loop for all your ssh keys and generate aliases. A dirty hack, but it works. – dset0x – 2013-04-19T16:04:31.747

Until auto-call-ssh-add is supported by ssh, I added this in my .bashrc, based on Kovensky proposal:

ssh-add -l >/dev/null || alias ssh='ssh-add -l >/dev/null || ssh-add && unalias ssh; ssh'

The alias is created only if the identity is not added, and the alias destroys itself once run.

This way the regular ssh command is used after the identity has been added.

Marc MAURICE

Posted 2011-08-20T17:27:09.630

Reputation: 654

Will not work in my case because of ssh-add also have timeout configured, but the idea is good enough. – Vi. – 2012-09-08T12:04:52.730

@Vi. How would a timeout affect this? It seems to work great for me. – lanrat – 2014-05-04T19:22:49.577

1@lanrat, This checks if key is present in ssh-agent and configures alias depending on the presence. But due to timeout (ssh-add -t ...) the key added to ssh-agent may go away abruptly, but and the alias will stay as it the key is still in memory. – Vi. – 2014-05-05T09:18:42.907

I'm using the following shell function:

ssh() {
    local possible_keys=($(/usr/bin/env ssh -G $@ | grep '^identityfile' \
                           | cut -d " " -f 2- | sed -e "s|^~|$HOME|"))
    for k in $possible_keys; do
        if [[ -f $k ]]; then
            local fingerprint=$(ssh-keygen -lf $k)
            ssh-add -l | grep -q "$fingerprint" || ssh-add $k
        fi
    done
    /usr/bin/env ssh $@
    return $?
}

It first resolves the configuration for the host I'm trying to connect to, then adds possible keys for that host to the ssh-agent if they're not added yet and finally connects to the host. I'm sure it can be improved, so I'm open for feedback.

mbrgm

Posted 2011-08-20T17:27:09.630

Reputation: 11