This is one part in a series on OpenSSH client configuration. Also
read Elegant OpenSSH Configuration
and Secure OpenSSH Defaults.
As part of another SSH client article, you may have generated a new
ssh key for use in ssh public-key authentication.
$ ssh-keygen -t rsa -b 4096 # if you don't already have a key
SSH public-key authentication has intrinsic benefits; but many see it
as a mechanism for non-interactive login: you don't have to remember,
or type, a password.
This behavior depends, however, on having a non-encrypted private
key. That is a security risk, because the non-encrypted private key
may be compromised, either by accidental mishandling of the file or
by unauthorized intrusion into the client system. In almost all cases,
ssh private keys should be encrypted with a passphrase.
$ ssh-keygen -t rsa -b 4096 -f test
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
If you already have a private key that is not encrypted, use
ssh-keygen to set a passphrase on it.
$ ssh-keygen -p -f ~/.ssh/id_rsa
Now the private key is protected by a passphrase, which you'll be
prompted for each time you use it. This is better than a password,
because the passphrase is not transmitted to the server; but we've
lost the ability to authenticate without having to type anything.
OpenSSH provides a dedicated agent process for the sole purpose of
handling decrypted ssh private keys in-memory. Most Unix and Linux
desktop operating systems (including OS X) start and maintain a
per-user SSH agent process automatically.
$ pgrep -lfu $USER ssh-agent
815 /usr/bin/ssh-agent -l
ssh-add command, you can decrypt your ssh private key by
inputting your passphrase once, adding the decrypted key to the running
$ ssh-add ~/.ssh/id_rsa # the path to the private key may be omitted for default paths
Enter passphrase for /Users/joan5896/.ssh/id_rsa:
Identity added: /Users/joan5896/.ssh/id_rsa (/Users/joan5896/.ssh/id_rsa)
The decrypted private key remains resident in the
$ ssh-add -L
ssh-rsa [public key material omitted] /Users/joan5896/.ssh/id_rsa
This is better than a non-encrypted on-disk private key for two
reasons. First, the decrypted private key exists only in memory, not on
disk. This makes it more difficult to mishandle, and it cannot be
recovered without re-entering the passphrase once the workstation is
powered off. Second, client applications (including OpenSSH itself) no
longer require direct access to the private key, encrypted or
otherwise, nor must you provide your (secret) key passphrase to client
applications: the agent moderates all use of the
The OpenSSH client uses the agent process identified by the
SSH_AUTH_SOCK environment variable; but you generally don't have to
worry about it: your workstation environment should configure it for
you.
$ echo $SSH_AUTH_SOCK
At this point, there's nothing more to do. With your ssh key added to
the agent process, you're back to not needing to type in a password
(or passphrase), but without the risk of a non-encrypted private key
stored permanently on disk.
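The two risks this article describes, a private key sitting on disk without a passphrase and an agent socket that is not actually wired up, are both easy to audit from a script. The following Python example is added here and is not code from the article or from OpenSSH; it inspects the private key file format directly (the legacy PEM container marks encryption with a `Proc-Type: 4,ENCRYPTED` header, and the modern `openssh-key-v1` container names its cipher and KDF in the first two fields, `none` when the key is stored in the clear) and checks that `SSH_AUTH_SOCK` points at a real Unix socket. The function names and the sample key files are my own; the sample keys are constructed with dummy key material so the example runs offline and they are not usable keys.

```python
import base64
import os
import stat
import struct
import tempfile

# Added example (hypothetical helper names); not code from the article or OpenSSH.
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode an SSH wire 'string' at offset; return (payload, next_offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def private_key_is_encrypted(pem_text: str) -> bool:
    """Return True if an OpenSSH private key file is passphrase-protected."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-style private key file")
    body = lines[1:-1]
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container is encrypted by definition
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(blob, off)
        # A cleartext key has cipher "none" (and kdf "none"); an encrypted one
        # names a cipher such as aes256-ctr and the bcrypt KDF.
        return cipher != b"none"
    # Legacy PEM (RSA/DSA/EC written with -m PEM): header lines precede the base64.
    headers = [ln for ln in body if ":" in ln]
    return any(ln.replace(" ", "").startswith("Proc-Type:4,ENCRYPTED") for ln in headers)


def _make_openssh_key_file(cipher: bytes, kdf: bytes) -> str:
    """CONSTRUCTED openssh-key-v1 file with dummy key material (not a usable key)."""
    kdfoptions = b""
    if kdf == b"bcrypt":
        kdfoptions = _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)  # salt + rounds
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfoptions) + struct.pack(">I", 1)
            + _ssh_string(b"dummy-public-key") + _ssh_string(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_UNENCRYPTED = _make_openssh_key_file(b"none", b"none")
SAMPLE_ENCRYPTED = _make_openssh_key_file(b"aes256-ctr", b"bcrypt")
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

ZHVtbXk=
-----END RSA PRIVATE KEY-----
"""  # constructed; base64 body is just the word "dummy"


def audit_key_dir(ssh_dir: str) -> dict:
    """Map each private key file in ssh_dir to True (encrypted) or False (clear)."""
    results = {}
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if name.endswith(".pub") or not os.path.isfile(path):
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if "PRIVATE KEY-----" in text:
            results[name] = private_key_is_encrypted(text)
    return results


def agent_socket_status(environ=None) -> str:
    """'unset', 'missing', 'not-a-socket' or 'ok' for SSH_AUTH_SOCK."""
    env = os.environ if environ is None else environ
    sock = env.get("SSH_AUTH_SOCK")
    if not sock:
        return "unset"
    try:
        st = os.stat(sock)
    except OSError:
        return "missing"
    return "ok" if stat.S_ISSOCK(st.st_mode) else "not-a-socket"


def demo_audit() -> dict:
    """Write the constructed samples into a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"id_rsa": SAMPLE_UNENCRYPTED, "id_ed25519": SAMPLE_ENCRYPTED,
                   "legacy_rsa": SAMPLE_LEGACY_ENCRYPTED, "id_rsa.pub": "ssh-rsa AAAA dummy\n"}
        for name, text in samples.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return audit_key_dir(d)


if __name__ == "__main__":
    for name, enc in demo_audit().items():
        print(f"{name}: {'passphrase-protected' if enc else 'NOT ENCRYPTED (fix with ssh-keygen -p)'}")
    print("SSH_AUTH_SOCK:", agent_socket_status())
```

Point `audit_key_dir` at your real `~/.ssh` to list any key that still needs `ssh-keygen -p`; the check reads only the container header, so it never needs the passphrase and never touches the agent.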