From spike (https://stuff-things.net/2016/02/11/stupid-ssh-add-tricks/)
You can list the currently loaded keys with
-L. The former displays the keys’ fingerprints while the latter displays the entire public key. Both list the path of file the key came from, which it the only way I recognize them.
ssh-add -d file removes the key the file from the agent.
ssh -D clears out all keys, taking you back to square one.
You can simply run
ssh-add -D to remove all of your keys from the Agent, but then you have to go through the trouble of adding them back. However, if you just want to step away and make sure your keys are protect, you can use
1 2 3 4
The Agent still has your keys, but won’t allow them to be used until unlocked with
1 2 3
Instead of locking your keys, you can set an auto-expiry with
-t after which the key will automatically be deleted from the agent:
1 2 3 4
OS X Specific
On OS X
ssh-add is integrated with the system keychain. If you give the
-K option, as in
ssh-add -K, when you add a key, that key’s password will be added to the keychain. As long as your keychain is unlocked, a key that has been stored in this way doesn’t require a password to be loaded into the agent.
All keys with their password stored in the keychain will automatically be loaded when you run
ssh -A. This happens automatically on login.
I have mixed feeling about this feature, preloading your keys makes life easier, but it does remove a layer of security. If someone access your Mac, they get your keys. On the other hand, the probably get a lot of other things too. Typically, I take the lazy approach for everyday keys and keep the high-security ones out of the keychain.
When a password has been stored in keychain,
ssh -K -d key-file both removes the key from the agent and removes it password from the keychain. Without
-d does not change the keychain and the key can be reloaded without a password.
-D silently ignores
There you have it, a pretty small but surprisingly helpful set of features, you now have in your bag of tricks.