Loading SSH Key Into Memory
By Sudheer S
So, you have an SSH key pair. The public key has been added to the server. On the client, i.e. your laptop or desktop, you have your private key. For some reason, your private key has not been loaded into an agent in memory, so every connection asks you for its passphrase. All you have to do is start ssh-agent and then load the key into it via ssh-add.
Step 1: Start the agent
eval $(ssh-agent)
Step 2: load the key into memory
ssh-add /path/to/your/private/key
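The two steps above as a small shell script, added here as an example and not taken from the original post. It wraps them so they are safe to re-run: an agent that is already reachable is reused instead of starting a new one in every shell, the loaded key gets a lifetime, and the agent's contents are listed afterwards. It assumes OpenSSH's ssh-agent and ssh-add are installed; the key path and the lifetime are parameters you pick.

```shell
#!/bin/sh
# Added example, not from the original post. It wraps the two steps above so
# they are safe to re-run: reuse an agent that is already reachable instead of
# starting a new one on every shell, give the loaded key a lifetime, and show
# what the agent holds afterwards. Assumes OpenSSH's ssh-agent and ssh-add are
# installed; the key path and lifetime are parameters you choose.

# agent_state prints "none" if no agent answers on SSH_AUTH_SOCK, "empty" if an
# agent answers but holds no keys, and "keys" otherwise. It relies on the
# documented exit codes of ssh-add -l: 0 keys listed, 1 no identities,
# 2 cannot contact the agent.
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo keys ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

# ensure_agent starts an agent only when none is reachable. eval is required
# here because ssh-agent prints shell assignments for SSH_AUTH_SOCK and
# SSH_AGENT_PID that must take effect in this shell, not in a child process.
ensure_agent() {
    if [ "$(agent_state)" = none ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
}

# load_key adds one private key for LIFETIME seconds (-t, default one hour),
# so a forgotten agent does not keep the key usable forever, then lists the
# fingerprints the agent now holds. ssh-add prompts for the passphrase if the
# key has one.
load_key() {
    key=$1
    lifetime=${2:-3600}
    ssh-add -t "$lifetime" "$key"
    ssh-add -l
}

# stop_agent kills the agent named by SSH_AGENT_PID and clears both variables
# (ssh-agent -k prints the matching unset commands).
stop_agent() {
    eval "$(ssh-agent -k)" >/dev/null
}

# Usage from an interactive shell (source this file first):
#   ensure_agent
#   load_key ~/.ssh/id_ed25519 3600
```

Source the file rather than executing it, because the variables have to land in the shell you will run ssh from. If you also want a confirmation prompt every time the key is used (useful when the agent is forwarded to other hosts), add -c to the ssh-add call in load_key.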
The Underlying Software And Processes Explained
ssh-agent is a program that holds private keys in memory and performs signing operations with them on behalf of the SSH client; it never talks to the server itself. When the client initiates an SSH connection, the server challenges the client to prove that it holds a private key whose public half is listed in the server's authorized_keys file. The client has the agent sign the challenge with the private key and sends the signature to the server. The server verifies the signature using the corresponding public key from authorized_keys. If the verification is successful, the server grants access to the client.
However, in this use case, no agent is running, or the agent that is running holds no key, so the client has to read the key file (and ask for its passphrase) on every connection. To fix that, ssh-agent is started. It does not open any connection to the server; it only listens on a local Unix-domain socket on the client. The private key is then added to the agent using ssh-add. Once the key is in the agent, the client can initiate SSH connections without needing to enter the passphrase for the private key each time, because the agent does the signing.
In more detail, when ssh-agent is started, it creates a Unix-domain socket and prints the environment variables that tell the SSH client (and ssh-add) where that socket is. When ssh-add is called with the path to the private key as an argument, it prompts the user for the passphrase, if one was set during key generation, decrypts the key file locally and sends the decrypted key to the agent over the socket. The agent keeps the decrypted key in memory only and never writes it to disk. It also never hands the key back to the SSH client: the client sends the data that needs signing and gets back just the signature, so the private key material stays inside the agent process. The flip side is that anything allowed to talk to the socket, such as root on your machine or a remote host you connect to with agent forwarding (ssh -A), can ask the agent to sign with your keys. Use ssh-add -l to see what the agent holds, ssh-add -t to give an added key a lifetime, ssh-add -c to require a confirmation prompt on every use, and ssh-add -D to remove all keys when you are done.
In summary, ssh-agent provides a secure and convenient way to manage private keys for SSH authentication by holding them in memory and signing on the client's behalf, and ssh-add is used to add a private key to the agent. This eliminates the need for the user to enter the passphrase for the private key each time they initiate an SSH connection.
Is There A Better Alternative?
Yes. Use a key manager. On Ubuntu 22.04 with the default GNOME desktop, gnome-keyring is the default key manager, and it already provides the SSH agent for your session (echo $SSH_AUTH_SOCK shows its socket). To make use of it, just place the key in your ~/.ssh directory. To take advantage of automatic importing of keys into the key manager, place your-key and your-key.pub files in ~/.ssh; the key manager looks for pairs, so keep the .pub file next to the private key. When you log on to your computer, the key manager picks up the key, and the first time the key is used you get a graphical passphrase prompt with the option to unlock it automatically at future logins, which stores the passphrase in your login keyring. You can also add keys manually with the GUI tool seahorse. Launch Seahorse and import your OpenSSH key as a one-time activity. You should be all set. Whichever route you take, ssh-add -l shows which keys the session agent currently holds.
Curiosity Question: What’s The Deal With eval?
The reason why you need to use eval in the command eval $(ssh-agent) is that the ssh-agent command outputs some shell commands that need to be executed to set up the SSH agent environment variables.
When you run the ssh-agent command, it starts a new instance of the SSH agent and outputs the environment variables that need to be set in the current shell session to use the agent. These are SSH_AUTH_SOCK, the path of the agent's socket, which the SSH client and ssh-add use to communicate with the agent and use the keys stored in it, and SSH_AGENT_PID, the agent's process ID, which is what ssh-agent -k later uses to shut the agent down.
The eval command is used to execute the output of the ssh-agent command as shell commands in the current shell session. The $(command) syntax captures the output of the ssh-agent command and passes it as an argument to eval, which evaluates the output as shell commands and sets the required environment variables. A child process cannot set variables in its parent shell, which is why ssh-agent has to print the commands and leave the assignments to your shell.
So, using eval $(ssh-agent) is a convenient way to set up the SSH agent environment variables in the current shell session without having to manually copy and paste the output of the ssh-agent command. Two details are worth knowing: writing it as eval "$(ssh-agent -s)" is the safer spelling (the quotes stop the shell from word-splitting and glob-expanding the output before eval sees it, and -s forces Bourne-style output even if your login shell is a csh variant), and every run starts a new agent process, so check ssh-add -l before starting another one.
If you want to set up the agent manually without eval, do this:
a=$(ssh-agent)
echo "$a"
On my computer, the output is like this:
SSH_AUTH_SOCK=/tmp/ssh-XXXXXX281aZd/agent.13423; export SSH_AUTH_SOCK; SSH_AGENT_PID=13424; export SSH_AGENT_PID; echo Agent pid 13424;
You will see a bunch of commands separated by semicolons. The agent is already running at this point; only your shell's variables are missing. Copy the printed commands (everything echo "$a" showed) and paste them on the terminal, and you are all set! The trailing echo Agent pid ... is informational only.
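The manual step above as a shell function, added here as an example and not part of the original post: it reads ssh-agent's output and sets SSH_AUTH_SOCK and SSH_AGENT_PID without eval, accepting only values of the expected shape and ignoring any other text in the output instead of executing it. The sample output in the block is constructed from the output shown above; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: set up the agent variables from
# ssh-agent's output without eval, which is the manual step above done by a
# function. Only values of the expected shape are accepted, and any other text
# in the output is ignored rather than executed. The sample below is
# constructed from the output shown in the post.

SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-XXXXXX281aZd/agent.13423; export SSH_AUTH_SOCK; SSH_AGENT_PID=13424; export SSH_AGENT_PID; echo Agent pid 13424;'

# agent_var NAME OUTPUT prints the value assigned to NAME in OUTPUT (the text
# after "NAME=" up to the next semicolon), or nothing if NAME is not assigned.
agent_var() {
    printf '%s\n' "$2" | tr ';' '\n' | sed -n "s/^[[:space:]]*$1=//p" | head -n 1
}

# import_agent_env OUTPUT exports SSH_AUTH_SOCK and SSH_AGENT_PID from OUTPUT.
# It returns 1 and exports nothing if the socket is not an absolute path made
# of plain path characters or the PID is not a decimal number, so a stray
# command embedded in the text can never run the way it would under eval.
import_agent_env() {
    sock=$(agent_var SSH_AUTH_SOCK "$1")
    pid=$(agent_var SSH_AGENT_PID "$1")
    case $sock in
        /*) ;;                            # must be an absolute path
        *) return 1 ;;
    esac
    case $sock in
        *[!A-Za-z0-9_./-]*) return 1 ;;   # no spaces or shell metacharacters
    esac
    case $pid in
        ''|*[!0-9]*) return 1 ;;          # must be a decimal number
    esac
    SSH_AUTH_SOCK=$sock; export SSH_AUTH_SOCK
    SSH_AGENT_PID=$pid; export SSH_AGENT_PID
    return 0
}

# Usage with a real agent (source this file first):
#   import_agent_env "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519
```

The character check on the socket path is deliberately strict; if your TMPDIR contains characters outside that set, widen the bracket expression rather than dropping the check. For a local, trusted ssh-agent binary, eval is fine; the point of the function is that the shell only ever assigns two validated values, whatever else the text contains.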