In my terminal (Ghostty) when I run shell scripts that update multiple repos, I get asked my SSH key passphrase over and over. It gets annoying with 20+ repos. To get around this, I use OpenSSH's authentication agent, `ssh-agent`.
ssh-agent
holds my decrypted SSH key securely in memory for the current terminal session. (And the memory is not swapped to disk.)
Then, when an SSH client (e.g. git) needs it to authenticate, it asks my SSH agent instead of prompting me.
This is how I start an SSH agent on macOS:
%%bash eval "$(ssh-agent -s)"
Note: macOS and many Linux desktop distros auto-start one. I don't have one running in my Ghostty terminal session, though.
Let's see what ssh-agent -s
by itself actually outputs:
%%bash ssh-agent -s
Here, ssh-agent
starts the SSH agent. -s
is to get output in Bash syntax.
The $(...)
captures its output.
eval
then executes the captured output, which:
SSH_AUTH_SOCK
: The path to the Unix socket the agent uses for communicationSSH_AGENT_PID
: The process ID of the agentTo list the keys my terminal session's SSH agent has, I run:
%%bash ssh-add -l
If my SSH key isn't there, I add it:
%%bash ssh-add
ssh-add
without arguments defaults to ~/.ssh/id_rsa
, id_ecdsa
, id_ed25519
, and id_dsa
. (Of those, be sure to use Ed25519 or RSA, not deprecated DSA keys.)
ssh-agent
is secure because it:
While slightly less secure than typing passphrases each time, it's far safer than removing passphrases or storing credentials in files.
SSH agent forwarding (ssh -A
) lets you use your local keys from servers you SSH into. That comes with its own risks, of course.
To explore in the future: macOS has a built in agent that's different from ssh-agent
, with keychain integration.