How to permanently add a private key with ssh-add on Ubuntu? [closed]
13

641

I have a private key protected with a password to access a server via SSH.

I have 2 Linux (Ubuntu 10.04) machines, and the behavior of the ssh-add command is different on each of them.

On one machine, once I used "ssh-add .ssh/identity" and entered my password, the key was added permanently, i.e., every time I shut down the computer and log in again, the key is already added.

On the other one, I have to add the key every time I log in.

As far as I remember, I did the same thing on both. The only difference is that the key was created on the one that is added permanently.

Does anyone know how to add it permanently to the other machine as well?

Crisscross answered 12/8, 2010 at 10:13 Comment(3)
the agent should be temporary only; but it is possible you have the ssh-add command somewhere in ~/.bashrc or so on one of the two machines - Golgotha
This command worked for me: ssh-add --apple-use-keychain ~/.ssh/id_rsa - Gothicize
That's what worked for Ubuntu 22.04.2. No password needed after reboots. cp key.pub ~/.ssh; cp key ~/.ssh; chmod 600 ~/.ssh/key.pub; chmod 600 ~/.ssh/key - Thew
931

A solution would be to force the key files to be kept permanently, by adding them in your ~/.ssh/config file:

IdentityFile ~/.ssh/gitHubKey
IdentityFile ~/.ssh/id_rsa_buhlServer

If you do not have a 'config' file in the ~/.ssh directory, then you should create one. It does not need root rights, so simply:

nano ~/.ssh/config

...and enter the lines above as per your requirements.

For this to work the file needs to have mode 600. You can use the command chmod 600 ~/.ssh/config.

If you want all users on the computer to use the key put these lines into /etc/ssh/ssh_config and the key in a folder accessible to all.

Additionally if you want to set the key specific to one host, you can do the following in your ~/.ssh/config :

Host github.com
    User git
    IdentityFile ~/.ssh/githubKey

This has the advantage, when you have many identities, that a server doesn't reject you because you tried the wrong identities first. Only the specific identity will be tried.

Stillwell answered 22/11, 2010 at 15:8 Comment(19)
Permissions on the config file should be 600: chmod 600 config - Roumell
I have to put in my password for every push, fetch, or clone with this, how do I avoid that? - Conal
Use ssh-add ~/.ssh/gitHubKey instead; it will remember your key passphrase. The solution I proposed was to set it permanently across reboots. - Stillwell
This answer is so good that ssh-add shouldn't exist. Who wants to have a command that "temporarily" fixes a problem and breaks unexpectedly when you can just edit a config file permanently. - Pyonephritis
The problem with this kind of config is that if you don't do it in .ssh/config for a specific Host, you'll get all keys tried against all servers each time. - Stillwell
This solution is not using the ssh-agent. - Is there a difference? Yeah, you can't forward the identity via agent-forwarding. - Geomorphology
@Stillwell How will it know which key to send to which server? For example, if I have key1<>server1 and key2<>server2, and both are set in ~/.ssh/config... will it try both keys when connecting? If yes, isn't it a security issue? - Breland
As mentioned in the reply, if you use the second way which is host specific the key won't be tried on other hosts than the one specified with HostName. But with the first solution proposed the key will be tried on each host. But it's not an issue as the key is used to encrypt a random challenge message from the server, if the server is able to decrypt it with the public key previously uploaded, then it will let you log in. So that an attacker could make a plain-text attack on your key, you should log in a lot to other servers so that they might begin inducing your key. - Stillwell
You can clone with @github.com if you put this in your config file: Host github.com - Credent
This worked on Mac OS Sierra too - Dewberry
If the config file change starts with "Host github.com", then you don't need the "HostName" line, and you no longer need to clone using just "github", you can use the regular clone url including "github.com". - Pineapple
Thanks @JonathanHartley, did it always work or is it an improvement of modern ssh versions? - Stillwell
Hi. I don't know. - Pineapple
Test your connection with ssh -T [email protected] - Isis
certainly one of the best answers on the whole site! - Wesleywesleyan
what is the ~/.ssh/config for? - Revue
@CharlieParker what do you mean? ~/.ssh/config is the user-specific SSH client config file. ~ is the home directory of the user and ssh on windows should also look in the user directory for a config as in $HOME/.ssh/config - Stillwell
Is it me or does this not actually answer the question? The question is how to permanently ssh-add, which would load the key in the agent, which means the key could also be forwarded. With this solution, at least on my computer, the key only works locally. Been running in circles because of this. - Oraorabel
@Oraorabel well this was more of a pragmatic reply, I see on the other upvoted answer that there is on macos the -K flag of ssh-add that can be used with a FIDO authenticator which can be permanent. At the time of writing the reply I think this wasn't yet possible or definitely personally didn't know about it. I think there might be a setup-involved solution now, but that is then OS specific. - Stillwell
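The per-host config from the answer above, worked into a small POSIX shell helper. This is an added example and not code from the answer: it appends a Host block only once, sets the 0600 mode the answer calls for, and adds IdentitiesOnly yes (a standard ssh_config option the answer does not mention) so that only the listed key is offered to that host, which addresses the "all keys tried against all servers" problem raised in the comments. The config path, host alias, user and key file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the answer): manage a per-host block in an SSH client
# config file. Paths and names are constructed for illustration.

# ssh_config_add_host CONFIG ALIAS HOSTNAME USER KEYFILE
# Appends a Host block for ALIAS unless CONFIG already contains one.
# IdentitiesOnly yes restricts the client to the listed IdentityFile for this
# host, so other agent keys are not offered first (the MaxAuthTries problem).
ssh_config_add_host() {
    config=$1; host_alias=$2; host_name=$3; user=$4; keyfile=$5
    if [ -f "$config" ] && grep -q "^Host $host_alias\$" "$config"; then
        return 0                       # already configured; keep it idempotent
    fi
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
        "$host_alias" "$host_name" "$user" "$keyfile" >> "$config"
}

# ensure_mode_600 FILE: ssh rejects a config file that other users can write,
# so the file must be private to its owner.
ensure_mode_600() {
    chmod 600 "$1"
}

# count_host_blocks CONFIG ALIAS: number of 'Host ALIAS' lines in CONFIG
# (lets you verify that repeated calls did not duplicate the block).
count_host_blocks() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c "^Host $2\$" "$1" || true
}

# show_identity_for HOST: ask the client which IdentityFile it resolves for
# HOST (ssh -G prints the effective configuration; OpenSSH 6.8 and later).
show_identity_for() {
    ssh -G "$1" | grep -i '^identityfile '
}

# Usage, writing into a temporary file instead of the real ~/.ssh/config:
demo() {
    cfg=$(mktemp)
    ssh_config_add_host "$cfg" github.com github.com git '~/.ssh/githubKey'
    ssh_config_add_host "$cfg" github.com github.com git '~/.ssh/githubKey'   # no-op
    ensure_mode_600 "$cfg"
    cat "$cfg"
    rm -f "$cfg"
}
```

To apply it to the real client config, call ssh_config_add_host "$HOME/.ssh/config" with your own alias, host, user and key, then ensure_mode_600 "$HOME/.ssh/config"; show_identity_for github.com prints the IdentityFile the client will actually use, which is the quickest way to confirm the block took effect.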
182

I solved that problem on macOS 10.10 with the -K flag of the ssh-add command:

ssh-add -K ~/.ssh/your_private_key

For macOS 10.12 and later you need to additionally edit your ssh config as described here: https://github.com/jirsbek/SSH-keys-in-macOS-Sierra-keychain

2023 Update

On newer versions of macOS, you have to use the --apple-use-keychain flag instead of -K, since -K is deprecated:

ssh-add --apple-use-keychain ~/.ssh/your_private_key
Slight answered 20/1, 2015 at 8:25 Comment(12)
this is a better answer for people who want to set it permanently - Rhee
This doesn't work on CentOS - Selfrestraint
Hence this bit: "on Mac OSX (10.10)"... - Euell
This is good and working on Mac OSX, but doesn't work on Ubuntu (14.04 in my testing). - Powerboat
This didn't work for me (on OSX 10.12.4) - Pursuant
For me, this only works if the ssh-agent process hasn't been stopped, either manually, or from rebooting. - Way
According to man ssh-add on macOS High Sierra, ssh-add -K will save the passphrase into the keychain, and after rebooting, just use ssh-add -A, which does not need you to input your passphrase. - Libratory
OP specifically asked for help on ubuntu, which is getting buried by this post. https://mcmap.net/q/14581/-how-to-permanently-add-a-private-key-with-ssh-add-on-ubuntu-closed Would it be pedantic to ask this get moved to a mac specific thread? [do those cost extra? :*)] - Sine
In newer versions of MacOS >10.12 in your ~/.ssh/config file add the following: AddKeysToAgent yes UseKeychain yes This works fine in Mojave - Batrachian
How can I refrain from doing this again after every time I restart the system? - Carpio
what is the equivalent command for linux or ubuntu? I get "unknown option -- K" (I admit I'm not sure why I even need to do this...) - Revue
The -K and -A flags are deprecated and have been replaced by the --apple-use-keychain and --apple-load-keychain flags, respectively. - Damnable
132

This didn't answer the same issue for me under Mac OS X Lion. I ended up adding:

ssh-add ~/.ssh/id_rsa &>/dev/null

To my .zshrc (but .profile would be fine too), which seems to have fixed it.

(As suggested here: http://geek.michaelgrace.org/2011/09/permanently-add-ssh-key-ssh-add/ )

Lassalle answered 6/8, 2012 at 16:22 Comment(5)
This is I think better than the solution I proposed, because ssh-add uses an authentication agent which can remember the passphrase of a protected private key, so that you don't need to type it each time you try to authenticate. Another advantage of the solution you propose is that if you have a lot of keys, the ssh client won't propose keys irrelevant for the server you try to connect to, indeed it will provide only the keys which are for this server, and won't lead to the server refusing the connection because of MaxAuthTries being reached, while trying all the keys listed in ssh/config. - Stillwell
Thanks @daminetreg. My particular problem was needing to access gitosis on a development machine without transferring my private key to it. This solution (along with adding ForwardAgent yes to my .ssh/config) solved that issue fantastically. As it turns out, it could just be ssh-add &>/dev/null as the default behavior of ssh-add appears to be to add the keys it finds in your .ssh folder. - Lassalle
My understanding is that there is a -K switch in Mac OS: stackoverflow.com/questions/1909651/… - Weylin
@TNick -K adds keys to OS X's keychain, which OS X GUIs use to authenticate to foreign servers. The poster in that Q is connecting through an SSH Tunnel, but is still just connecting to a remote server. A-[SSH Tunnel]->B The case I'm in is I am on a remote server but want authentication to be against credentials on my home system. A <-[Auth]-B-[Connect]->C So -K doesn't actually help, but is a great solution for the other Q. - Lassalle
what is the equivalent command for linux or ubuntu? I get "unknown option -- K" (I admit I'm not sure why I even need to do this...) - Revue
62

Just add the keychain, as referenced in Ubuntu Quick Tips https://help.ubuntu.com/community/QuickTips

What

Instead of constantly starting up ssh-agent and ssh-add, it is possible to use keychain to manage your ssh keys. To install keychain, you can just click here, or use Synaptic to do the job or apt-get from the command line.

Command line

Another way to install the file is to open the terminal (Application->Accessories->Terminal) and type:

sudo apt-get install keychain

Edit File

You then should add the following lines to your ${HOME}/.bashrc or /etc/bash.bashrc:

keychain id_rsa id_dsa
. ~/.keychain/`uname -n`-sh
Wowser answered 16/5, 2016 at 14:32 Comment(8)
What exactly does the second command do, out of curiosity? this just opens the permissions to the current user? - Sine
This . is an alias for source - Macaque
Are the steps enough? Why does the file ~/.keychain/`uname -n`-sh exist? - Ranita
what's id_dsa? I've searched this page and only seen this mentioned in this answer and another but not in the original question. Is this just another key like id_rsa because 2 keys are being set up? - Let
When using this method, on opening a first terminal I'm asked for my passphrase. - Let
I am curious if keychain saves the ssh key passphrase and how does it do that. Where are these passphrases saved? - Shamikashamma
what is the equivalent command for linux or ubuntu? I get "unknown option -- K" (I admit I'm not sure why I even need to do this...) - Revue
In case anyone is wondering, replace id_rsa with the name of your private key file. And remove the second id_rsa. - Inattention
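What keychain does behind the `. ~/.keychain/`uname -n`-sh` line of the answer above, re-created as an added POSIX shell example (not keychain's own code and not from the answer): one ssh-agent is started per login, its environment is written to a file, and every new shell sources that file and re-uses the running agent instead of starting another one. This also answers the question in the comments about where passphrases are saved: nowhere. The agent holds the decrypted key in its own memory only, which is why the first terminal after a reboot asks for the passphrase again. The file path ~/.ssh/agent.env and the function names are assumptions for the example; ssh-add -l exit codes 0, 1 and 2 are the ones documented in ssh-add(1).

```shell
#!/bin/sh
# Added example (not keychain's code): keep one ssh-agent alive across shells
# by persisting its environment. AGENT_ENV is an assumed location.

AGENT_ENV="${HOME}/.ssh/agent.env"

# agent_status_name CODE: map an `ssh-add -l` exit status to a state name.
# 0 = agent reachable and holding keys, 1 = reachable but empty,
# 2 (or anything else, e.g. ssh-add missing) = no agent reachable.
agent_status_name() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# agent_state: state of the agent named by the current SSH_AUTH_SOCK.
agent_state() {
    ssh-add -l >/dev/null 2>&1
    agent_status_name "$?"
}

# agent_env_socket FILE: the SSH_AUTH_SOCK path recorded in a saved
# `ssh-agent -s` output, without sourcing the file.
agent_env_socket() {
    [ -r "$1" ] || return 1
    sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1"
}

# ensure_agent: re-use the agent recorded in AGENT_ENV when its socket still
# exists; otherwise start a new agent and record it. Call this from ~/.bashrc,
# then `ssh-add ~/.ssh/my_key` prompts only while the key is not loaded.
ensure_agent() {
    sock=$(agent_env_socket "$AGENT_ENV" 2>/dev/null) || sock=""
    if [ -n "$sock" ] && [ -S "$sock" ]; then
        . "$AGENT_ENV" >/dev/null          # exports SSH_AUTH_SOCK / SSH_AGENT_PID
    fi
    if [ "$(agent_state)" = unreachable ]; then
        mkdir -p "$(dirname "$AGENT_ENV")"
        (umask 077; ssh-agent -s > "$AGENT_ENV")   # private env file, new agent
        . "$AGENT_ENV" >/dev/null
    fi
}
```

The socket check before sourcing matters after a reboot: the old file still names a socket under /tmp that no longer exists, so the function falls through to starting a fresh agent rather than exporting a dead SSH_AUTH_SOCK.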
25

I had the same issue on Ubuntu 16.04: some keys were added permanently, for others I had to execute ssh-add on every session. I found out that the keys which were added permanently had both private and public key located in ~/.ssh and the keys which were forgotten on every session had only private keys in the ~/.ssh dir. So the solution is simple: you should copy both private and public key to ~/.ssh before executing ssh-add.

P.S.: As far as I understand from Gnome wiki my method works thanks to gnome-keyring tool which is part of the Gnome Desktop Environment. Therefore my method should probably work only if you use Gnome or Gnome-based DE.

Discreditable answered 10/7, 2018 at 15:29 Comment(6)
Underrated answer. This solved my problem without needing additional scripts or packages after searching for two hours. - Astronomy
Flarkin fabulous! Great detective work. I don't think I would have figured this out. - Melcher
For me this was the solution too! You do not need any other software or installations or configuration. Just put both keys in. - Hyperborean
Although this might work I would suggest that putting the public and private key in the same place is a very bad idea - it's like leaving the keys in the car - Wycliffite
This worked for me. @OliverDungey I would agree and disagree. At the end of the day unless you are storing the private key off the computer (say a flash drive) since it is in your directory another sudo user / root could access the file no matter where it is with the find command. If you are the only one on the system and have a strong password I don't see this as a risk. - Screwball
This worked for me on Ubuntu 20.04 and 22.04. GREAT - Churchwarden
20

I tried @Aaron's solution and it didn't quite work for me, because it would re-add my keys every time I opened a new tab in my terminal. So I modified it a bit (note that most of my keys are also password-protected so I can't just send the output to /dev/null):

# Ask the agent what it already holds; empty if there is no agent or no keys
added_keys=$(ssh-add -l 2>/dev/null)

# Add the key only when its name is not in that list
if ! printf '%s\n' "$added_keys" | grep -q -e my_key; then
    ssh-add "$HOME/.ssh/my_key"
fi

What this does is that it checks the output of ssh-add -l (which lists all keys that have been added) for a specific key and if it doesn't find it, then it adds it with ssh-add.

Now the first time I open my terminal I'm asked for the passwords for my private keys and I'm not asked again until I reboot (or logout - I haven't checked) my computer.

Since I have a bunch of keys I store the output of ssh-add -l in a variable to improve performance (at least I guess it improves performance :) )

PS: I'm on linux and this code went to my ~/.bashrc file - if you are on Mac OS X, then I assume you should add it to .zshrc or .profile

EDIT: As pointed out by @Aaron in the comments, the .zshrc file is used from the zsh shell - so if you're not using that (if you're not sure, then most likely, you're using bash instead), this code should go to your .bashrc file.

Weekender answered 8/3, 2014 at 12:54 Comment(2)
.zshrc is for the zsh shell, which I use instead of bash. If you're using bash on Mac OS X (the default), it would be .bashrc there as well. - Lassalle
After ssh-add -l the return code echo $? can be used to decide whether to add the key or not. In my linux machine with bash, the ssh-add -l won't output the key filename. Return code always works. - Clichy
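A variant of the check in the answer above, added here and not part of the answer, that also serves the Fish version further down the page: it compares the key's fingerprint (from ssh-keygen -lf) against the fingerprints ssh-add -l reports, which sidesteps the problem noted in the last comment that ssh-add -l does not print the key's file name on every system. The fingerprints in SAMPLE_LISTING are constructed placeholders, and add_key_once is the assumed name of the wrapper you would call from ~/.bashrc.

```shell
#!/bin/sh
# Added example (not from the answer): load a key into ssh-agent only if its
# fingerprint is not already listed by `ssh-add -l`.

# key_fingerprint KEYFILE: the SHA256 fingerprint in the form ssh-add -l prints
# (second field of `ssh-keygen -lf`, which accepts the .pub or the private key).
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# fingerprint_loaded FINGERPRINT LISTING
# Succeeds when FINGERPRINT is the whole second field of some line in LISTING,
# the text produced by `ssh-add -l`. Pure text processing, so it can be tested
# without a running agent; a prefix such as SHA256:AAAA does not match.
fingerprint_loaded() {
    printf '%s\n' "$2" | awk -v fp="$1" '$2 == fp { found = 1 } END { exit !found }'
}

# add_key_once KEYFILE: add KEYFILE to the agent unless it is already loaded.
# `ssh-add -l` exits 1 for "agent has no identities" and 2 for "no agent";
# both leave the listing empty and the key is added (prompting for its passphrase).
add_key_once() {
    keyfile=$1
    listing=$(ssh-add -l 2>/dev/null) || listing=""
    fp=$(key_fingerprint "$keyfile") || return 1
    if fingerprint_loaded "$fp" "$listing"; then
        return 0                                   # already in the agent
    fi
    ssh-add "$keyfile"
}

# Constructed sample of `ssh-add -l` output with two keys loaded
# (the fingerprints are placeholders, not real keys).
SAMPLE_LISTING='3072 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA alice@laptop (RSA)
256 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB alice@laptop (ED25519)'

# Typical ~/.bashrc line (guarded so shells without OpenSSH still start cleanly):
# command -v ssh-add >/dev/null && add_key_once "$HOME/.ssh/my_key"
```

Because the comparison is on the fingerprint rather than on a file name, the same function works for keys that were added by a desktop keyring or by another shell, and a key file whose name happens to be a substring of another key's comment is no longer mistaken for "already loaded".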
15

In my case the solution was:

Permissions on the config file should be 600. chmod 600 config

As mentioned in the comments above by generalopinion

No need to touch the config file contents.

Independence answered 19/5, 2014 at 9:37 Comment(3)
Was not enough for me on Linux Mint 17.1. - Fieldwork
I don't think 600 makes sense. man ssh tells us that the ~/.ssh/config file read/write for the user, and not writable by others. - Libratory
600 is read and write only for the user - Hardware
6

I run Ubuntu using two id_rsa keys (one personal, one for work). ssh-add would remember one key (the personal one) and forget the company one every time.

Checking out the difference between the two I saw my personal key had 400 rights while the company one had 600 rights. (had u+w). Removing the user write right from the company key (u-w or set to 400) fixed my problem. ssh-add now remembers both keys.

Arteaga answered 24/1, 2017 at 22:12 Comment(0)
4

On Ubuntu 14.04 (maybe earlier, maybe still) you don't even need the console:

  • start seahorse or launch that thing you find searching for "key"
  • create an SSH key there (or import one)
    • no need to leave the passphrase empty
    • it is offered to you to even push the public key to a server (or more)
  • you will end up with an ssh-agent running and this key loaded, but locked
  • using ssh will pick up the identity (i.e. key) through the agent
  • on first use during the session, the passphrase will be checked
    • and you have the option to automatically unlock the key on login
    • this means the login auth will be used to wrap the passphrase of the key
  • note: if you want to forward your identity (i.e. agent-forwarding) invoke your ssh with -A or make that the default
    • otherwise you can't authenticate with that key on a machine you login to later to a third machine
Geomorphology answered 6/11, 2014 at 19:36 Comment(1)
Ubuntu 22.04 is still using seahorse. - Carisacarissa
4

Adding the following lines in "~/.bashrc" solved the issue for me. I'm using Ubuntu 14.04 desktop.

eval `gnome-keyring-daemon --start`
USERNAME="reynold"
export SSH_AUTH_SOCK="$(ls /run/user/$(id -u $USERNAME)/keyring*/ssh|head -1)"
export SSH_AGENT_PID="$(pgrep gnome-keyring)"
Shirtwaist answered 13/5, 2015 at 15:55 Comment(0)
4

This worked for me.

ssh-agent /bin/sh
ssh-add /path/to/your/key
Erbium answered 2/4, 2017 at 6:47 Comment(1)
This works for me on Ubuntu 22.04. Added this to my ~/.bashrc: eval `keychain --quiet --eval --agents ssh $HOME/.ssh/sinyavskijjds.key` - Ringed
4

For those that use Fish shell you can use the following function then call it in ~/.config/fish/config.fish or in a separate configuration file in ~/.config/fish/conf.d/loadsshkeys.fish. It will load all keys that start with id_rsa into the ssh-agent.

# Load all ssh keys that start with "id_rsa"
function loadsshkeys
  # ssh-add -l lists the keys the agent already holds (empty if none or no agent)
  set added_keys (ssh-add -l 2>/dev/null)
  for key in (find ~/.ssh/ -not -name "*.pub" -a -iname "id_rsa*")
    # Only add the key if it is not in the agent's listing yet
    if not echo $added_keys | grep -q -F -e $key
      ssh-add "$key"
    end
  end
end

# Call the function to run it.
loadsshkeys

If you want to have the ssh-agent auto started when you open a terminal you can use danhper/fish-ssh-agent to do this.

Difficulty answered 26/12, 2017 at 8:21 Comment(2)
Thanks, the repo link seems to be redirecting to github.com/danhper/fish-ssh-agent now. - Mouldy
Thanks @ElijahLynn! I edited my answer and updated the repository link. - Difficulty
3

very simple ^_^ two steps

1. yum install keychain

2. add the code below to .bash_profile

/usr/bin/keychain $HOME/.ssh/id_dsa
source $HOME/.keychain/$HOSTNAME-sh
Sir answered 3/2, 2016 at 11:45 Comment(1)
Ubuntu doesn't have yum silly ;) - Conservation
