> Set up and use ssh-agent. It makes life so easy.
My #1 ssh usability tip: put this into ~/.ssh/config:
AddKeysToAgent yes
It'll automatically add keys to your agent the first time you use them during a session, so you don't need a separate step for adding keys every time you log in.
> It'll automatically add keys to your agent the first time you use them during a session
If you have more than one private key in your agent, then SSH will try each one sequentially. That can lead to mistakenly getting banned by monitoring software for what can appear indistinguishable from an authentication attack. Not to mention the wrongness of presenting "any and all keys" to any host you connect to.
If you have multiple keys in your agent, you _really_ should manually configure what key to present using `-i` or `IdentityFile`. But you should also use `IdentitiesOnly` too.
> If you have multiple keys in your agent, you _really_ should manually configure what key to present using `-i` or `IdentityFile`.
If you specify -i or IdentityFile, the agent isn't used at all. You will have to type the keyfile password even if the key is in the agent, therefore making the agent useless.
This "feature" has been a big annoyance for me, since I like to use different keys per machine.
There's no way that's true. I just checked and I have that option set on many of my ssh aliases, and ssh-agent functions exactly as expected.
Maybe it depends on version or something? I've had the same config for years though over several very different OSes and presumably versions of everything.
Wow, you're right. I tried again just now and it worked fine. In the past I tried for some time to get this setup working and was never able to do it. I don't know what I was doing wrong.
> If you specify -i or IdentityFile, the agent isn't used at all. You will have to type the keyfile password even if the key is in the agent, therefore making the agent useless.
I thought so as well, so the reply to this message surprised me. I looked into it, and the following is the case on my Debian 18.04 machine running KDE:
With the key specified through `IdentityFile` I can happily connect without a running ssh-agent. So it's true that it can do without the ssh-agent. But if the key has a password, it will prompt for it every time it's used. I wouldn't phrase it "the agent isn't used at all", though, because when ssh-agent is running and it contains the key+password, it seems to happily use that agent, as it doesn't prompt for the password anymore.
Side note: If my understanding is correct, `IdentityFile` lessens the need for consulting the ssh-agent as stated above, but, apart from consulting it for the key password, the agent might be consulted for one more reason as well: iterating over keys if using the specified one proved unfruitful. For this to stop, you'd have to specify `IdentitiesOnly yes` as well. But this I didn't test, so it's based on theoretical understanding only.
Edit: Oh, the last part was already explained in some other thread which branched off from this. So this post didn't actually provide some new insights, it seems.
I don't understand what `IdentitiesOnly` does. If I have `IdentityFile`s defined for hosts in ssh_config, doesn't that already accomplish what this does? Can you explain what situation `IdentitiesOnly` covers that is different from `IdentityFile`?
Author here. If you specify an IdentityFile then that’ll be tried first (as an explicit identity) but if that doesn’t work then by default, ssh-agent identities will be tried sequentially afterwards. IdentitiesOnly suppresses that behaviour.
I'd recommend you try "AddKeysToAgent confirm", then you'll get a prompt to approve the key usage each time it's used. (Can be annoying for usage with automation like ansible).
Having a forwarded agent was how Matrix recently got hacked; confirmation is a decent workaround if you need to forward your agent.
It's still good info, I don't think it's obvious to most people. I was doing a pentest for a Fortune 500 company, and a key component of us compromising their entire network was a bastion host that controlled access to sensitive parts of their network. Turns out whoever controlled the machine made the rookie mistake of running a cron job as root that ran a non root-owned script, which enabled us to elevate and copy the ssh keys of a lot of IT staff.
Yes, be careful when using ForwardAgent and, more importantly, avoid using it altogether unless you absolutely need to!
Most "use cases" I've come across could have been solved "better" by simply using ProxyCommand instead. That was apparently too hard, though, so use of agent forwarding continued.
Since the introduction of ProxyJump a while back, however, it's now even easier to avoid using agent forwarding in most -- but not all -- cases.
So yes, be careful when using agent forwarding but, more importantly, as much as possible, just avoid using it entirely unless you absolutely must!
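Added example, not code from anyone in this thread: a small POSIX shell/awk lint that flags the two footguns discussed above (the author's point that an `IdentityFile` without `IdentitiesOnly yes` still lets every agent key be offered, and the advice to reach for `ProxyJump` instead of `ForwardAgent`). The embedded config is constructed for the example; the host names, IP and key paths are invented. It parses only plain `Host` stanzas with `Keyword value` lines; `Match` blocks and the `Keyword=value` form are not handled.

```shell
#!/bin/sh
# Added example: lint an ssh_config for IdentityFile-without-IdentitiesOnly
# and ForwardAgent. Not from the thread; hosts and paths are made up.

# Constructed sample config. "bastion" carries the weak settings, "internal"
# the corrected ones. In real use, run lint_ssh_config on ~/.ssh/config.
sample_config() {
cat <<'EOF'
Host *
    AddKeysToAgent confirm

# Weak: the explicit key is tried first, then every agent key in turn,
# and the agent socket is exposed to whoever controls the bastion.
Host bastion
    HostName bastion.example.com
    IdentityFile ~/.ssh/id_bastion
    ForwardAgent yes

# Corrected: only the named key is offered, and the bastion is just a
# TCP relay for the inner connection, so no agent socket lands on it.
Host internal
    HostName 10.0.0.5
    ProxyJump bastion
    IdentityFile ~/.ssh/id_internal
    IdentitiesOnly yes
EOF
}

# lint_ssh_config FILE
# Prints one finding per line as "<host>: <problem>".
# Returns 1 if anything was found, 0 for a clean file.
lint_ssh_config() {
    findings=$(awk '
    # Emit findings for the stanza just finished (globals are per-stanza state).
    function flush() {
        if (host == "") return
        if (idfile && !idonly)
            printf "%s: IdentityFile without IdentitiesOnly yes (agent keys will also be offered)\n", host
        if (fwd)
            printf "%s: ForwardAgent yes (prefer ProxyJump, or AddKeysToAgent confirm if forwarding is unavoidable)\n", host
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "host" { flush(); host = $2; idfile = idonly = fwd = 0; next }
    tolower($1) == "identityfile"                            { idfile = 1 }
    tolower($1) == "identitiesonly" && tolower($2) == "yes"  { idonly = 1 }
    tolower($1) == "forwardagent"   && tolower($2) == "yes"  { fwd = 1 }
    END { flush() }
    ' "$1")
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: lint the constructed sample (or: lint_ssh_config ~/.ssh/config)
tmp=$(mktemp)
sample_config > "$tmp"
lint_ssh_config "$tmp" || true
rm -f "$tmp"
```

On the sample this reports both problems for `bastion` and nothing for `internal`. The lint is a convenience; the authoritative check for a real host alias is `ssh -G host`, which prints the effective values of `identitiesonly`, `forwardagent` and `proxyjump` after all config resolution, and `ssh -v host` shows each `Offering public key:` line, so you can see exactly which keys reach the server.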
Sometimes I log into a machine and would like to ssh-clone a git repository there using the private key I've got on my local machine. Is there a way around forwarding my ssh-agent in this case?
> 2. Don't use agent forwarding unless you know you can trust the machine on the other end.
This gets said a lot, but doesn't forcing a prompt every time the forwarded key gets used mitigate this? SSH is not like surfing on the web with traffic flowing everywhere all the time. If you did not just now run any commands that are expected to invoke SSH, you probably don't want to answer yes to that prompt.
> Don't use agent forwarding unless you know you can trust the machine on the other end.
On both ends. Agent hijacking can happen on client or server, with an attacker present. And is there any machine you can 'trust'? That's a big ask, and I think the modern 'zero trust' is fundamentally averse to the concept.
I've not noticed this option before, so will this replace keychain? I install this on every new laptop I use so I essentially only have to enter my ssh-agent password for the key once per reboot, and every bash shell hooks into it automatically.