- Linux Administration Cookbook
- Adam K. Dean
- 345 characters
- 2021-07-02 14:24:24
Understanding and using SSH agents
One thing we touched on briefly was the concept of an SSH agent.
When you SSH to a server (after setting up a key) and you're prompted for a passphrase, what you're actually doing is decrypting the private half of your key pair (the id_rsa file by default, if you generated an RSA key) so that it can sign the challenge the remote host sends back; that signature, checked against the public key the server already holds for you, is what proves you are who you say you are. It can get tedious to do this each time you SSH to a server, especially if you're managing hundreds or thousands of constantly changing boxes.
That's where SSH agents come in. An agent is a long-running process that holds your now-decrypted private key in memory, once you've given it the passphrase, for the duration of your session. The key never leaves the agent: clients talk to it over a Unix socket (the path in SSH_AUTH_SOCK) and ask it to sign on their behalf, which also means that any process able to reach that socket can authenticate as you without ever seeing the passphrase.
Once you've got your private key loaded into your agent, the agent signs the authentication challenge for any server you connect to, without you having to type your passphrase again, saving valuable seconds and finger strain.
Most desktop Linux distributions start an SSH agent of some sort within your user session (GNOME's keyring daemon, for example), sometimes unlocking your private keys for you when you log in to your user account.
macOS has a specific ssh_config option, UseKeychain (https://developer.apple.com/library/archive/technotes/tn2449/_index.html), which lets ssh read a key's passphrase from your login keychain instead of prompting for it. If you're running macOS on your desktop, you might consider this option.
On my Ubuntu laptop installation, looking for a running agent reveals this:
$ env | grep SSH
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
SSH_AGENT_PID=1542
Looking for this process ID shows me what's running as my ssh-agent:
adam 1542 0.0 0.0 11304 320 ? Ss Aug04 0:02 /usr/bin/ssh-agent /usr/bin/im-launch env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu
In this section, we're going to start an SSH agent on centos1 and load a key into it.
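Before the centos1 steps, here is an added example (not the book's code) that runs through the mechanics described above on any box with the OpenSSH client installed: it starts a throwaway agent, loads a key into it, and checks what is and isn't reachable with and without the agent socket. It assumes ssh-keygen, ssh-agent and ssh-add are on the PATH, and it generates a temporary ed25519 key with an empty passphrase so it can run unattended; with a real key, ssh-add would prompt once for the passphrase and the rest would be identical.

```shell
#!/bin/sh
# Added example, not from the book: the lifecycle of an SSH agent on one host.
# Assumptions: openssh-client is installed; a throwaway ed25519 key with an
# EMPTY passphrase is generated in a temp dir so the run needs no interaction.
set -u

# Generate the throwaway key pair and print the directory that holds it.
make_demo_key() {
    dir=$(mktemp -d)
    chmod 700 "$dir"
    ssh-keygen -q -t ed25519 -N '' -C demo-key -f "$dir/id_ed25519" \
        || { rm -rf "$dir"; return 1; }
    echo "$dir"
}

# Start a private agent for this shell and load one key into it.
# "ssh-agent -s" prints SSH_AUTH_SOCK / SSH_AGENT_PID export lines; eval
# puts them in our environment. -t 600 makes the agent forget the key
# after 10 minutes, a sensible bound on how long a loaded key stays usable.
load_key_into_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add -t 600 "$1" 2>/dev/null
}

# Number of identities held by the agent reachable through $SSH_AUTH_SOCK.
# Each "ssh-add -l" line looks like "256 SHA256:... demo-key (ED25519)";
# an empty or unreachable agent prints no such line, so the count is 0.
agent_identity_count() {
    ssh-add -l 2>/dev/null | grep -c 'SHA256:' || true
}

# Full run: load -> visible through the socket -> invisible without it ->
# removed -> agent killed. Returns 0 only if every step behaves as described.
demo_agent_session() {
    dir=$(make_demo_key) || return 1
    load_key_into_agent "$dir/id_ed25519" || return 1
    [ "$(agent_identity_count)" -eq 1 ] || return 1

    # The socket is the credential: a process given nothing but SSH_AUTH_SOCK
    # (no passphrase, no key file) can list, and sign with, the loaded key.
    n=$(env -i PATH="$PATH" SSH_AUTH_SOCK="$SSH_AUTH_SOCK" ssh-add -l 2>/dev/null \
        | grep -c 'SHA256:' || true)
    [ "$n" -eq 1 ] || return 1

    # Without the socket there is no agent to ask, so nothing is available.
    n=$(env -i PATH="$PATH" ssh-add -l 2>/dev/null | grep -c 'SHA256:' || true)
    [ "$n" -eq 0 ] || return 1

    ssh-add -D >/dev/null 2>&1          # drop every identity from the agent
    [ "$(agent_identity_count)" -eq 0 ] || return 1

    ssh-agent -k >/dev/null 2>&1        # stop the agent (uses SSH_AGENT_PID)
    rm -rf "$dir"
    return 0
}

demo_agent_session && echo "agent lifecycle behaved as expected"
```

Save it and run it with sh. The two checks in the middle are the point: the env -i subprocess never reads the key file and is handed only the socket path, yet that alone is enough to list (and sign with) the identity. Treat the socket with the same care as the key itself, and be deliberate about ssh-add -t lifetimes and about ssh-add -D or ssh-agent -k when a session ends.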