How to use ssh-agent for authentication on Linux / Unix

How do I use the ssh-agent command for non-interactive authentication on Linux and Unix-like systems such as macOS or FreeBSD desktop? My private key is protected with a passphrase or password. So I need have to enter the passphrase to use the ssh private key for authentication multiple times. How can I tell ssh ask the passphrase one time only?

You need to use the ssh-agent command. It would hold your private keys used for ssh public key authentication. In other words, ssh-agent remember and temporarily stores the passphrase in memory. Then as soon as you use the ssh command with the private key, ssh-agent will kick in to provide the passphrase for ssh session. Consequently, eliminating typing the passphrase again.
Tutorial requirements
Operating system/appLinux, macOS, *BSD and Unix-like
Root privileges required No
Difficulty Easy (rss)
Estimated completion time 5m
Table of contents


Using ssh-agent command for non-interactive authentication

Open the terminal and type the following command:
$ eval $(ssh-agent)
$ eval `ssh-agent`

You will see the PID of the ssh-agent as follows on screen:

Agent pid 97280

Use ssh-add to add the private key passphrase to ssh-agent

Now our ssh-agent is running, and you need to provide the passphrase for your ssh private keys. For example, run the ssh-add command:
$ ssh-add
Type the passphrase:

Enter passphrase for /home/vivek/.ssh/id_ed25519: 
Identity added: /home/vivek/.ssh/id_ed25519 (vivek@nixcraft)

By default it adds the files ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, and ~/.ssh/id_ed25519_sk. But, we state another private key file as follows:
$ ssh-add ~/.ssh/aws-web-servers

Setting up a maximum lifetime for identities/private keys

Pass the -t life to the ssh-add command to s a maximum lifetime when adding identities to an agent. The lifetime may be specified in seconds or in a time format specified in sshd_config file:
$ ssh-add -t 1800 # 1800 seconds
$ ssh-add -t 45m # 45 minutes
$ ssh-add -t 3h42 # 3 hours 42 minutes

Remember, you can configure GNOME/KDE or macOS desktop to run ssh-agent and unlock keys automatically when log-in. For example:
GNOME use ssh-agent for authentication on Linux

Use ssh-agent for ssh/sftp/scp command authentication

Once you add the private key (or keys) to the ssh-agent, all you have to do is use ssh, sftp, scp, and all other ssh commands. For instance, I will execute the ssh command for my FreeBSD backup server:
$ ssh user@server
$ ssh user@hostname_or_ip
$ scp file.doc
# State the private key for public key authentication #
$ ssh -i ~/.ssh/aws-web-servers ec2-user@rhel8-web-server
$ ssh -i ~/.ssh/linode-nixcraft-servers vivek@
$ ssh vivek@

How to use ssh-agent for authentication on Linux and Unix

The ssh-agent for non-interactive ssh authentication in action on my Ubuntu Linux desktop

Please note that When you log out of your shell or close terminal session that started ssh-agent, the passphrases will be removed from system memory.

How to list my private keys cached by ssh-agent

Run the following command to lists fingerprints of all identities/private keys:
$ ssh-add -l

256 SHA256:uym82.....6VLU vivek@nixcraft (ED25519)
2048 SHA256:GVs...S0AA root@backup-servers (RSA)
3072 SHA256:VLg8...SCDFpA key for local lxds (RSA)

Want to see list all public key parameters of all identities:
$ ssh-add -L

Deleting all cached ssh-agent private keys

Pass the -D option to the ssh-add command:
$ ssh-add -D
You will see confirmation as follows on screen:

All identities removed.


In this quick tutorial, you learned how to use ssh-agent for authentication and list/clear out private keys from memory when needed under Linux or Unix-like systems. For further information, see OpenSSH documentation or use the man command to read man pages:
$ man ssh-agent
$ man ssh-add
$ man ssh
$ man sftp
$ man scp
$ man sshd_config

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04

0 comments… add one

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.