ssh-add tricks


From spike (


You can list the currently loaded keys with -l and -L. The former displays the keys’ fingerprints while the latter displays the entire public key. Both list the path of file the key came from, which it the only way I recognize them.


ssh-add -d file removes the key the file from the agent. ssh -D clears out all keys, taking you back to square one.


You can simply run ssh-add -D to remove all of your keys from the Agent, but then you have to go through the trouble of adding them back. However, if you just want to step away and make sure your keys are protect, you can use ssh-add -x:

% ssh-add -x
Enter lock password:
Agent locked.

The Agent still has your keys, but won’t allow them to be used until unlocked with ssh-add -X:

ssh-add -X
Enter lock password:
Agent unlocked.


Instead of locking your keys, you can set an auto-expiry with -t after which the key will automatically be deleted from the agent:

ssh-add -t 60  ~/.ssh/random_rsa
Enter passphrase for /Users/spike/.ssh/random_rsa:
Identity added: /Users/spike/.ssh/random_rsa (/Users/spike/.ssh/random_rsa)
Lifetime set to 60 seconds

OS X Specific

On OS X ssh-add is integrated with the system keychain. If you give the -K option, as in ssh-add -K, when you add a key, that key’s password will be added to the keychain. As long as your keychain is unlocked, a key that has been stored in this way doesn’t require a password to be loaded into the agent.

All keys with their password stored in the keychain will automatically be loaded when you run ssh -A. This happens automatically on login.

I have mixed feeling about this feature, preloading your keys makes life easier, but it does remove a layer of security. If someone access your Mac, they get your keys. On the other hand, the probably get a lot of other things too. Typically, I take the lazy approach for everyday keys and keep the high-security ones out of the keychain.

When a password has been stored in keychain, ssh -K -d key-file both removes the key from the agent and removes it password from the keychain. Without -K, -d does not change the keychain and the key can be reloaded without a password. -D silently ignores -K.

There you have it, a pretty small but surprisingly helpful set of features, you now have in your bag of tricks.

Setup public key ssh login and troubleshooting

Short note on how to setup ssh to login without a password

Generate and copy key

ssh-keygen -t rsa

Copy key

ssh [email protected] mkdir -p .ssh
cat .ssh/ | ssh [email protected] 'cat >> .ssh/authorized_keys'

Try logging in!

If that doesn’t work

Some host need proper permission and a second authorized_keys2

At the remote host

chmod 700 .ssh
cd .ssh
cp authorized_keys authorized_keys2
chmod 600 authorized_keys
chmod 600 authorized_keys2

SSH may settings may need to be modified

At the remote host

cd /etc/ssh
sudo vi sshd_config

Find the AuthorizedKeysFile line and uncomment it (or add it if it doesn’t exist)

AuthorizedKeysFile %h/.ssh/authorized_keys

Save file, restart sshd with

sudo service sshd restart

Further troubleshooting

Start a second instance of sshd on the remote machine, dump all output to console so you can diagnose

/usr/sbin/sshd -d -p 2222

On your machine, do

ssh -p 2222

Look for Authentication refused: in the logs, it should contains the reason your connection fails