How do I make git use ssh-add (when necessary)?

1

On Linux (CentOS, in case that matters), I'm having a problem with git commands. git can take advantage of keys loaded into the ssh-agent cache, but if the keys aren't loaded, it doesn't seem to take any steps to load them (such as calling ssh-add).

I have ~/.ssh/config set up like so:

$ cat ~/.ssh/config 
Host github.com
    User git
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/github_id_rsa

My system already has ssh-agent set up. I believe it's using an implementation supplied by Gnome ( http://live.gnome.org/GnomeKeyring/Ssh ).

I can manually add my github key with the "ssh-add" command. When I do, I can see that the key is loaded using "git add -l" and the git commands that connect remotely (eg "git remote update") work without prompting for a passphrase.

What I still want git commands to do is:

  • By default, if ssh-agent is running and the necessary key is not already loaded, use ssh-add to load the key into ssh-agent.

  • ssh-add appears to need help (via a parameter) if the key file is not one of the default filenames (eg 'id_rsa', 'id_dsa', or 'identity'). This seems backward. I have a mapping from hostname to IdentityFile specified in ~/.ssh/config as shown above. Shouldn't ssh-add be able to use that?

Also...

  • To simplify the problem, I tried removing the 'IdentityFile' mapping from ssh-config, and renaming the key files to the default names (id_rsa and id_rsa.pub). This does allow "ssh-add" to add the key without any additional arguments, but even in this simplified scenario I don't see git commands adding any keys to the ssh-agent cache.

I have the same ~/.ssh/config on my MacOS (Snow Leopard) machine, and it seems to be doing exactly the right thing. But how can I get this behavior in Linux? I'm not sure whether this is due to a difference in the implementation or configuration of ssh-agent, ssh-add, git, or some combination.

Edit: After thinking about this a bit more, I'm thinking this should have much more to do with the ssh tools (perhaps most importantly ssh-agent?) rather than git. After all, this behavior should be the same for any process attempting to make ssh connections using the keys and settings in ~/.ssh, including the ssh command itself.

Charlie

Posted 2011-08-20T22:01:26.917

Reputation: 501
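The pre-flight step the question asks for (load the IdentityFile that ~/.ssh/config maps to a host, instead of relying on ssh-add's default filenames), as an added example that is not part of the original post: a POSIX sh script that resolves the key for a host from ssh_config, checks `ssh-add -l` for its fingerprint and runs `ssh-add` only when the agent does not hold it yet. The function names and the simplified Host matcher (exact host names and the bare `*` block only; no other wildcards, Match blocks or Include) are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: load the IdentityFile configured for a
# host into a running ssh-agent only if the agent does not already hold it.

# Print the IdentityFile ssh would pick for host $2 from config file $1.
# Simplified matcher: exact host names and the bare "*" block only; the
# first value found wins, as in ssh_config.
identity_for_host() {
    awk -v want="$2" '
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == want || $i == "*") inblock = 1
            next
        }
        inblock && tolower($1) == "identityfile" { print $2; exit }
    ' "$1"
}

# Read "ssh-add -l" output on stdin; succeed if fingerprint $1 is listed.
fingerprint_listed() {
    grep -qF -- "$1"
}

# Load the key for host $1 (config in $2, default ~/.ssh/config) if needed.
# Needs ssh-keygen, ssh-add and SSH_AUTH_SOCK pointing at a live agent.
ensure_key_loaded() {
    cfg="${2:-$HOME/.ssh/config}"
    keyfile=$(identity_for_host "$cfg" "$1")
    [ -n "$keyfile" ] || { echo "no IdentityFile for $1 in $cfg" >&2; return 1; }
    case $keyfile in "~/"*) keyfile="$HOME/${keyfile#\~/}" ;; esac
    # Fingerprint from the .pub file, so the private key is never read here.
    fp=$(ssh-keygen -lf "$keyfile.pub" | awk '{print $2}')
    [ -n "$fp" ] || return 1
    if ssh-add -l 2>/dev/null | fingerprint_listed "$fp"; then
        return 0                 # already cached: no passphrase prompt
    fi
    ssh-add "$keyfile"           # prompts for the passphrase once
}

# Constructed config mirroring the question's, plus a global fallback block.
sample_config_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Host github.com
    IdentityFile ~/.ssh/github_id_rsa
Host *
    IdentityFile ~/.ssh/id_rsa
EOF
    echo "$f"
}
```

Run `ensure_key_loaded github.com && git remote update` to get the one-time passphrase prompt before the git command; on OpenSSH 7.2 or later the `AddKeysToAgent yes` setting described further down this page achieves the same without a wrapper.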

Answers

0

Short answer: OpenSSH doesn't support this, but modified versions of it, or alternative implementations of ssh-related tools, can do this.

Longer answer:

OpenSSH doesn't do this for the reasons given in Chris Johnsen's answer on this page. However, it is possible to get this behavior on Linux by using Gnome Keyring, which provides its own ssh-agent.

In the question I posted, I said that I thought I was using Gnome Keyring (since I was using Gnome) but I wasn't. I had just installed CentOS 5, and in that setup, I'm pretty sure the ssh-agent daemon running was the one from OpenSSH.

I tried this again with Ubuntu 11.04, which is definitely using Gnome Keyring's ssh-agent. In that setup, I get the behavior sought in the question.

Charlie

Reputation: 501

4

Default OpenSSH just does not do what you want. The ssh program will use any key that is already loaded into the configured agent, but it never adds keys to the agent.

The “add to the agent any password protected key used by ssh” behavior is due to Apple’s changes to the version of ssh it bundles with Mac OS X.

A typical run of ssh will use load_identity_file from sshconnect2.c.

Apple adds to load_identity_file a call to keychain_read_passphrase from keychain.c (this file comes completely from Apple).

keychain_read_passphrase uses ssh_add_identity_constrained from authfd.c to store the loaded key into the agent.

The only other user of ssh_add_identity_constrained is ssh-add.c (ssh-add); the lower level “constants” SSH2_AGENTC_ADD_IDENTITY and SSH2_AGENTC_ADD_ID_CONSTRAINED are also only used in authfd.c in ssh-agent.c (ssh-agent).

Thus, usually only ssh-add loads keys into the agent, but Apple extended ssh to also load keys into the agent when it does its GUI prompting for a key’s passphrase.

Chris Johnsen

Reputation: 31 786

Thank you for a very thoroughly researched answer! I think the only remaining part of the question is "How can I get this behavior in Linux?" It looks like you've made a solid case that this can't be done with default OpenSSH by itself. I'm thinking the place to look is probably in the tools provided with desktop environments, ie GNOME and KDE. – Charlie – 2011-08-24T19:28:23.860

p.s. I really wanted to give this answer an up-vote but the site is telling me I don't have enough reputation to do that :( – Charlie – 2011-08-24T19:37:07.433

2

OpenSSH v7.2 added support for AddKeysToAgent.

  • ssh(1): Add an AddKeysToAgent client option which can be set to
    'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When
    enabled, a private key that is used during authentication will be
    added to ssh-agent if it is running (with confirmation enabled if
    set to 'confirm').

Apple adopted this OpenSSH standard way in macOS 10.12.2.

OpenSSH will no longer load keys into ssh-agent automatically. This aligns the macOS behavior with that of the upstream OpenSSH project.

It is possible for the user to re-enable loading keys into the agent by setting this option in the ssh configuration file:

AddKeysToAgent yes

go2null

Reputation: 189