Network
ssh-agent
SSH authentication agent for managing private keys.
Additional Notes
ssh-agent is a program that holds private SSH keys in memory for use by SSH client programs. It runs in the background, either as a daemon or launched per-session, and provides key-based authentication without requiring repeated passphrase entry. Once a key is added via ssh-add, any SSH client can use it through the agent.
The agent communicates with SSH clients through a Unix domain socket, whose path is stored in the SSH_AUTH_SOCK environment variable. The SSH_AGENT_PID variable contains the process ID of the agent. When using agent forwarding (ssh -A), the local agent's socket is forwarded to remote sessions, allowing key-based authentication from remote hosts without storing keys there.
Syntax
ssh-agent [options] [command [arguments...]]
ssh-agent -c | -s
Parameters
options: Flags that change howssh-agentbehaves.target: Optional file, device, interface, user, service, or command target when the command supports one.
Common Options
-c: Generate C-shell compatible output (setenv commands).-s: Generate Bourne shell compatible output (export commands).-k: Kill the current agent (usingSSH_AGENT_PID).-d: Debug mode (run in foreground, show debug output).-a bind_address: Bind the agent socket to a specific address.-t life: Set a default maximum lifetime for loaded keys in seconds.-E fingerprint_hash: Specify the fingerprint hash algorithm (sha256, md5).-x: Lock the agent with a password (only for the lifetime of the agent).-X: Unlock the agent.
Examples
eval $(ssh-agent)
Start the SSH agent and set environment variables for the current shell.
ssh-agent -s
Output Bourne shell commands for setting agent environment variables.
ssh-agent -c
Output C-shell commands for setting agent environment variables.
ssh-agent bash
Start an agent and launch a new bash shell that inherits its environment.
ssh-agent -k
Kill the current agent (requires SSH_AGENT_PID to be set).
ssh-agent -t 3600
Start an agent where all added keys expire after 1 hour.
Practical Notes
- Always use
eval $(ssh-agent)in Bourne shells to properly set environment variables. - Many desktop environments automatically start
ssh-agentat login. - Use
ssh-add -lto verify keys are loaded in the agent. - Agent forwarding (
ssh -A) should be used with caution; anyone with root on the intermediate host can use the forwarded agent. - To avoid multiple agents, check if one is already running before starting a new one.
ssh-agentis typically configured to run per-session in~/.xsession,~/.bash_profile, or via PAM.