20 02 | 2012

Opportunistic SSH agent

Written by Tanguy

Classified in : Homepage, Debian, Command line, Lazyweb

To use an SSH agent, one usually has to:

  1. launch the agent;
  2. add his key to it.

The first step can be automated in the desktop or shell startup script (this is a typical use case for login shell-only startup scripts, by the way), but the second one cannot if your private key is protected by a passphrase.

Opportunistic key loading

GNOME Keyring includes an SSH agent which has an interesting feature I call “opportunistic key loading”: it asks for the passphrase to decrypt the private key the first time it is needed. This feature mimics the behaviour of PGP agents, and eliminates the second step I previously mentioned.


Do you know if there exists another SSH agent able to do opportunistic key loading?


monday 20 february 2012 à 14:02 rjc said : #1

[OT] the "shell startup script" link doesn't work if you follow it from this blog entry and it only work from the main blog page as it is relative to it.

monday 20 february 2012 à 14:06 Tanguy said : #2

@rjc : Corrected, thank you.

monday 20 february 2012 à 14:21 Tanguy said : #3

I was given the answer on IRC: gpg-agent. I already knew that it could act as an SSH agent in addition to its primary role of PGP agent, but it looks like it implements that opportunistic key loading feature.

monday 20 february 2012 à 14:36 Sake said : #4

I recently discovered kwalletcli (https://www.mirbsd.org/kwalletcli.htm) which can act as ssh-askpass alternative.
For the KDE folks this is the way to go.

monday 20 february 2012 à 16:03 jf said : #5

There is pam_ssh - very useful if your ssh password is equal to the normal user password.

monday 20 february 2012 à 18:47 -dsr- said : #6

The keychain package provides a similar function for commandline logins.

monday 20 february 2012 à 19:42 Misc said : #7

IIRC, OS X also do this with launchd. But I just say that for completeness :)

monday 20 february 2012 à 23:13 Matt Palmer said : #8

The problem with opportunistic key loading, however, is that if you have more keys than MaxAuthTries, you'll get curious authentication failures, as I wrote about a couple of years ago:


Dumb software that pretends to be smart: just say no.

tuesday 21 february 2012 à 00:00 Tanguy said : #9

@Matt Palmer : Indeed, I experienced that too and it was kind of hard to understand. :-)

tuesday 21 february 2012 à 00:15 Hyde said : #10

Keychain as mentioned above is really nice for that kind of things :)

tuesday 21 february 2012 à 00:18 Marius Gedminas said : #11

I have a wrapper for the 'ssh' command that adds keys opportunistically:

$ cat ~/bin/ssh
if [ -n "$SSH_AGENT_PID" ]; then
# See if ssh-agent has any identities, and if not, add some
ssh-add -l > /dev/null || ssh-add
exec /usr/bin/ssh "$@"

and the same sort of thing for ~/bin/scp. It works very well for me.

tuesday 21 february 2012 à 02:06 Brownout said : #12

Regarding comment #3.
I don't see how gpg-agent can perform opportunistic key loading, afaik you still need to run ssh-add manually.

tuesday 21 february 2012 à 02:34 Brownout said : #13

My bad, it does.
You need to tell it to manage the key via sshcontrol, otherwise it ignores it.

Write a comment

What is the third letter of the word hkvi? :