How to use ssh-add to remove identities (pem files) from the agent
I can add pem files to my SSH agent very easily using ssh-add, like so:

$ ssh-add /home/jsmith/keys/mytest.pem

But I can't seem to remove them:

$ ssh-add -d /home/jsmith/keys/mytest.pem
Bad key file /home/jsmith/keys/mytest.pem: No such file or directory

The pem file still exists though... I haven't moved or changed it in any way. Why am I having so much trouble removing this pem file from my SSH agent that I just added a moment ago? What's the correct way to do this?

I want to avoid using ssh-add -D (with a capital "D") because that would delete all of the identities from my SSH agent, and I only want to delete the one I've specified.

Thulium answered 3/8, 2019 at 1:12 Comment(5)
On what system? - Diadromous
Linux (it's in the title of the question) - Thulium
Please add a linux tag. - Diadromous
Did you already check out this: unix.stackexchange.com/a/361531/55352 ? - Diadromous
I think you just linked to this same page? - Thulium
You have to use the public key for this. So first extract the public key and then remove it from the agent.

ssh-keygen -y -f /home/jsmith/keys/mytest.pem > /home/jsmith/keys/mytest.pub
ssh-add -d /home/jsmith/keys/mytest.pub

The man page mentions the "public" key as well: "if no public key is found at a given path, ssh-add will append .pub and retry".

Stepper answered 5/8, 2019 at 20:34 Comment(5)
Thank you, this works! Though it seems very convoluted - is there really no way to just delete the pem file from your ssh keychain without jumping through hoops like this? - Thulium
The technical answer is that the command sent to an ssh agent to remove a key identifies a key by its public portion. It's possible to derive the public portion of a key from the contents of a private key file, but apparently the ssh-add program doesn't contain logic to do that when deleting a key. - Weapon
Is this correct? The man page says -d is: `-d Debug mode. When this option is specified ssh-agent will not fork and will write debug information to standard error`? - Trioecious
Man page for what? ssh-add? See linux.die.net/man/1/ssh-add. - Stepper
That's weird. Another man page says: "-d Deletes the given identities from the agent. The private key files for the identities to be deleted should be listed on the command line." Either way, the easiest way to drop the key in memory is to kill and restart the key-server. - Hathor
The best alternative I've found is to re-add the same file but with a lifetime of 1 second:

ssh-add -t 1 myfile.pem

It is easier to remember than extracting the public key.

Unhair answered 2/6, 2022 at 8:20 Comment(0)
If you know the comment associated with the key you can simply get the public key from the agent and pipe it back in to delete it.

ssh-add -L | grep -F '[email protected]' | ssh-add -d -
Abandoned answered 9/2, 2022 at 13:18 Comment(0)
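An added example, not taken from any of the answers above, that shows why they all end up needing the public key: the request an agent understands for removal carries only the public-key blob. It parses the line that `ssh-keygen -y` prints, frames the SSH_AGENTC_REMOVE_IDENTITY request of the ssh-agent protocol, and sends it to the socket in $SSH_AUTH_SOCK. The function names are my own, and the sample key line at the bottom is constructed, not a real key.

```python
import base64, hashlib, os, socket, struct, subprocess

# ssh-agent protocol message numbers (draft-miller-ssh-agent)
SSH_AGENTC_REMOVE_IDENTITY = 18
SSH_AGENT_SUCCESS = 6

def public_key_blob(pubkey_line):
    """Decode the base64 blob from an OpenSSH public-key line (the output of ssh-keygen -y)."""
    keytype, b64 = pubkey_line.split()[:2]   # a trailing comment field is ignored by the agent
    blob = base64.b64decode(b64)
    # the blob's first string field must repeat the key type from the line
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type mismatch in public-key line")
    return blob

def fingerprint(blob):
    """Same format that 'ssh-add -l' prints: SHA256:<unpadded base64 of the digest>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def remove_identity_request(blob):
    """Frame a SSH_AGENTC_REMOVE_IDENTITY request: uint32 length, byte type, string blob."""
    payload = struct.pack(">BI", SSH_AGENTC_REMOVE_IDENTITY, len(blob)) + blob
    return struct.pack(">I", len(payload)) + payload

def remove_from_agent(blob, sock_path=None):
    """Send the removal to the agent listening on $SSH_AUTH_SOCK; True on SSH_AGENT_SUCCESS."""
    sock_path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(remove_identity_request(blob))
        length = struct.unpack(">I", s.recv(4))[0]
        reply = s.recv(length)
    return reply[:1] == bytes([SSH_AGENT_SUCCESS])

def remove_private_key_file(pem_path):
    """Derive the public key with 'ssh-keygen -y' (as the accepted answer does), then remove it."""
    out = subprocess.run(["ssh-keygen", "-y", "-f", pem_path], check=True,
                         capture_output=True, text=True).stdout
    return remove_from_agent(public_key_blob(out))

# Constructed sample: a syntactically valid ed25519 public-key blob, not a real key
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + b"\x01" * 32
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " demo@constructed"
```

Comparing `fingerprint()` of the derived blob with the `ssh-add -l` listing before and after the call is a quick way to confirm that exactly the intended identity was removed.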