ssh-agent

ssh-agent makes it practical to use passphrases on your private keys. The principle is to use ssh-agent to add your keys to a background agent on the system that will hold them in escrow. You give your passphrase only once, when you add the key. The agent will give the keys out to other processes owned by you that request the keys. You should be aware that the root user can also request the keys without your noticing, so you must trust the root user.

The process is quite simple: start the agent, then add your key by entering the passphrase you chose when you created it:

$ eval `ssh-agent`
Agent pid 11487
$ ssh-add
Enter passphrase for /home/janl/.ssh/id_dsa: passphrase
Identity added: /home/janl/.ssh/id_dsa (/home/janl/.ssh/id_dsa)

By default, all your keys will be added. If several of your keys have the same passphrase, they will all be added without further questions. If they have different passphrases, ssh-add will prompt for each of them. If you name a key file on the ssh-add command line, only the key in that file will be added and ssh-add will not try your other keys.

ssh-agent works by setting two environment variables: SSH_AUTH_SOCK, which names the socket on which to communicate with the agent, and SSH_AGENT_PID, which makes it easy to kill the agent. That is also why the PID (process ID) shows up in the previous listing. The agent emits a shell script that, when evaluated, sets those variables correctly.
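
As an added example, not code from the book, here is a small POSIX sh helper that wraps the procedure above: it reads the two variables out of the script ssh-agent emits, interprets the exit status of ssh-add -l to tell a running agent from a missing one, starts an agent with a bounded key lifetime, and kills it again with ssh-agent -k using SSH_AGENT_PID. The function names are assumptions; the ssh-agent and ssh-add flags (-s, -t, -k, -l) are OpenSSH's own.

```shell
# Constructed helper for an ssh-agent session: start an agent only when none
# is reachable, give loaded keys a bounded lifetime, and kill the agent again.
# Function names are hypothetical; the ssh-agent/ssh-add flags (-s, -t, -k,
# -l) are OpenSSH's own.

# Print just the two assignments from the script `ssh-agent -s` emits, so the
# socket path and PID can be inspected before anything is eval'd.
parse_agent_output() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            SSH_AUTH_SOCK=*|SSH_AGENT_PID=*) printf '%s\n' "${line%%;*}" ;;
        esac
    done
}

# Turn the exit status of `ssh-add -l` into a word: 0 = keys loaded,
# 1 = agent reachable but holding no keys, 2 = no agent on SSH_AUTH_SOCK.
describe_agent_status() {
    case $1 in
        0) echo loaded ;;
        1) echo empty ;;
        2) echo unreachable ;;
        *) echo unknown ;;
    esac
}

agent_status() {
    if ssh-add -l >/dev/null 2>&1; then rc=0; else rc=$?; fi
    describe_agent_status "$rc"
}

# Start an agent whose keys expire after $1 (default 1h) unless one is already
# reachable; a lifetime bounds how long a forgotten session keeps keys usable.
ensure_agent() {
    [ "$(agent_status)" = unreachable ] || return 0
    eval "$(ssh-agent -s -t "${1:-1h}")" >/dev/null
}

# Add one key file with its own lifetime; ssh-add prompts for the passphrase.
add_key() {
    ssh-add -t "${2:-1h}" "$1"
}

# Kill the agent named by SSH_AGENT_PID; the emitted script unsets the
# variables so the stale socket path is not reused.
stop_agent() {
    [ -n "$SSH_AGENT_PID" ] || return 0
    eval "$(ssh-agent -k)" >/dev/null
}
```

Source the file into your shell (`. ./agent.sh`), then call `ensure_agent 4h` and `add_key ~/.ssh/id_dsa` from your profile and `stop_agent` from your logout script.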

Since using passphrases makes remote logins immeasurably more convenient, it may be a good ...

Get LPI Linux Certification in a Nutshell, 3rd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.