I'm using Mac OS X and a combination of ssh-agent and ssh-add to add RSA or DSA identities to the authentication agent. ssh-agent gives me a secure way of holding the private key in memory. However, I'd like identities added to the agent to expire within half an hour. How do I set the lifetime of identities added to the agent under Unix / Linux / BSD / Apple OS X operating systems?

Both the ssh-agent and ssh-add commands have an option, -t, to set a default value for the maximum lifetime of identities added to the agent. The lifetime may be specified in seconds or in the time format described in sshd_config(5). A lifetime given for an individual identity with ssh-add -t overrides the agent-wide value. Without this option the default maximum lifetime is forever. Note that a bare number is interpreted as seconds, so to expire identities added to the agent within half an hour the value must be 30m, not 30. Either pass -t to ssh-agent when it starts your shell:

$ ssh-agent -t 30m bash

Or start the agent without a default and set the lifetime per key with ssh-add:

$ ssh-agent ksh
$ ssh-add -t 30m

Time Format Examples

sshd(8) server command-line arguments and sshd_config(5) options that specify time, and the -t option of ssh-agent and ssh-add which uses the same format, may be expressed using a sequence of the form:

time[qualifier]

where time is a positive integer value and qualifier is one of the following:

Qualifier        Unit     ssh-agent example   ssh-add example
none (default)   seconds  ssh-agent -t 30     ssh-add -t 30
s or S           seconds  ssh-agent -t 30s    ssh-add -t 30S
m or M           minutes  ssh-agent -t 30m    ssh-add -t 30M
h or H           hours    ssh-agent -t 30h    ssh-add -t 30H
d or D           days     ssh-agent -t 1d     ssh-add -t 1D
w or W           weeks    ssh-agent -t 2w     ssh-add -t 2W

Members of the sequence from the above table can be combined, and their values are added together to give the total time. In this example, identities added to the agent expire after 90 minutes:
$ ssh-agent bash
$ ssh-add -t 90m
$ ssh vivek@server1.cyberciti.biz

Or equivalently, written as hours plus minutes:

$ ssh-agent bash
$ ssh-add -t 1h30m
$ ssh vivek@server1.cyberciti.biz
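The following POSIX sh function is an added example, not code from the original post or from OpenSSH: it parses the time[qualifier] sequence described above exactly as ssh-agent -t and ssh-add -t do (members summed, qualifier letters case-insensitive, a bare number meaning seconds) and rejects anything else. The function name lifetime_to_seconds is this example's own choice. It is handy for checking a value before trusting it with your keys, and it makes the seconds-versus-minutes pitfall visible: 30 is half a minute, 30m is half an hour.

```shell
#!/bin/sh
# Added example, not code from the original post: a POSIX sh parser for the
# time[qualifier] sequence accepted by ssh-agent -t and ssh-add -t.
# Members are summed (1h30m = 5400 s); a bare number is SECONDS, which is
# why "-t 30" expires keys after half a minute, not half an hour.

lifetime_to_seconds() {
    spec=$1
    total=0
    [ -n "$spec" ] || { echo "empty lifetime" >&2; return 1; }
    while [ -n "$spec" ]; do
        # the leading run of digits is the count for this member
        num=$(printf '%s' "$spec" | sed -n 's/^\([0-9][0-9]*\).*/\1/p')
        [ -n "$num" ] || { echo "invalid lifetime: $1" >&2; return 1; }
        spec=${spec#"$num"}
        # drop leading zeros so the shell does not read "08" as octal
        num=${num#"${num%%[!0]*}"}
        [ -n "$num" ] || num=0
        # optional single qualifier letter, case-insensitive as in OpenSSH
        case $spec in
            [sS]*) mult=1;      spec=${spec#?} ;;
            [mM]*) mult=60;     spec=${spec#?} ;;
            [hH]*) mult=3600;   spec=${spec#?} ;;
            [dD]*) mult=86400;  spec=${spec#?} ;;
            [wW]*) mult=604800; spec=${spec#?} ;;
            "")    mult=1 ;;                       # no qualifier: seconds
            *)     echo "invalid lifetime: $1" >&2; return 1 ;;
        esac
        total=$((total + num * mult))
    done
    printf '%s\n' "$total"
}

# Print the lifetimes used on this page in seconds.
for spec in 30 30m 90m 1h30m 1d 2w; do
    printf '%-6s = %s seconds\n' "$spec" "$(lifetime_to_seconds "$spec")"
done
```

Running it shows 30 = 30 seconds while 30m = 1800 seconds, and both 90m and 1h30m come out as 5400 seconds; an input such as 30x is rejected with a non-zero exit status, which is what ssh-agent and ssh-add do with an "Invalid lifetime" error.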

The maximum lifetime is set to 90 minutes, i.e. after 90 minutes the agent drops the key and you will not be able to log in to the server with it until you run ssh-add again. So if someone steals your laptop or gets at an unprotected console session, they will not be able to use your private keys through the agent.
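To see the expiry actually happen, here is an added shell script (not from the original post) that starts a private, throw-away ssh-agent with a two-second default lifetime, adds a freshly generated demo key, and checks with ssh-add -l before and after the lifetime elapses. It assumes ssh-keygen, ssh-agent and ssh-add are on PATH; the function name agent_expiry_demo and the ed25519 demo key are this example's own choices, and everything it creates is removed when it finishes.

```shell
#!/bin/sh
# Added example, not code from the original post: watch an identity expire
# from a private, throw-away ssh-agent. Needs ssh-keygen, ssh-agent and
# ssh-add on PATH; everything it creates lives in a temp dir that is removed.
set -eu

# Prints "<state before> -> <state after>", where a state is "loaded" when
# ssh-add -l can list an identity and "expired" when the agent has none.
agent_expiry_demo() {
    lifetime=${1:-2}                      # seconds; tiny on purpose
    workdir=$(mktemp -d)
    # Constructed demo key: generated fresh here, never a real identity.
    ssh-keygen -q -t ed25519 -N '' -f "$workdir/demo_key" >/dev/null

    # Start an agent of our own whose keys default to $lifetime seconds,
    # exporting SSH_AUTH_SOCK / SSH_AGENT_PID into this shell only.
    eval "$(ssh-agent -s -t "$lifetime")" >/dev/null
    ssh-add "$workdir/demo_key" >/dev/null 2>&1

    # ssh-add -l exits 0 with identities loaded, 1 when the agent has none.
    if ssh-add -l >/dev/null 2>&1; then before=loaded; else before=expired; fi
    sleep $((lifetime + 1))               # let the agent's reaper run
    if ssh-add -l >/dev/null 2>&1; then after=loaded; else after=expired; fi

    # Clean up: stop the agent and discard the key material.
    eval "$(ssh-agent -k)" >/dev/null
    rm -rf "$workdir"
    printf '%s -> %s\n' "$before" "$after"
}

if command -v ssh-agent >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1; then
    agent_expiry_demo 2
else
    echo "ssh-agent or ssh-keygen not found; demo skipped" >&2
fi
```

The script prints "loaded -> expired": the identity is listable right after ssh-add and gone once the lifetime has passed, without any further action from the user. Because the agent is started with -s and its variables are only evaluated inside this script, your own running agent is untouched.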

Say Hello To keychain

I strongly recommend that you use keychain as a manager for ssh-agent, typically run from ~/.bash_profile as follows:
$ /usr/bin/keychain --clear $HOME/.ssh/id_rsa
The --clear option makes keychain delete all of ssh-agent's keys each time it runs. Typically this is used in .bash_profile. The theory behind this is that keychain should assume that you are an intruder until proven otherwise. However, while this option increases security, it still allows your cron jobs to use your ssh keys when you're logged out.

1 comment
  • Santiago Castro Aug 15, 2015 @ 18:52

    The default time set here sets 30 seconds not 30 minutes
