- Generating a new SSH key and adding it to the ssh-agent
- About SSH key passphrases
- Generating a new SSH key
- Adding your SSH key to the ssh-agent
- Generating a new SSH key for a hardware security key
- Help and support
- Help us make these docs great!
- ssh-agent: How to configure ssh-agent, agent forwarding, & agent protocol
- Contents
- Starting ssh-agent
- Adding SSH keys to the Agent
- SSH Agent Forwarding
- Running ssh-agent
- Further Reading
Generating a new SSH key and adding it to the ssh-agent
After you’ve checked for existing SSH keys, you can generate a new SSH key to use for authentication, then add it to the ssh-agent.
About SSH key passphrases
You can access and write data in repositories on GitHub.com using SSH (Secure Shell Protocol). When you connect via SSH, you authenticate using a private key file on your local machine. For more information, see «About SSH.»
When you generate an SSH key, you can add a passphrase to further secure the key. Whenever you use the key, you must enter the passphrase. If your key has a passphrase and you don’t want to enter the passphrase every time you use the key, you can add your key to the SSH agent. The SSH agent manages your SSH keys and remembers your passphrase.
If you don’t already have an SSH key, you must generate a new SSH key to use for authentication. If you’re unsure whether you already have an SSH key, you can check for existing keys. For more information, see «Checking for existing SSH keys.»
If you want to use a hardware security key to authenticate to GitHub, you must generate a new SSH key for your hardware security key. You must connect your hardware security key to your computer when you authenticate with the key pair. For more information, see the OpenSSH 8.2 release notes.
Generating a new SSH key
You can generate a new SSH key on your local machine. After you generate the key, you can add the public key to your account on GitHub.com to enable authentication for Git operations over SSH.
Note: GitHub improved security by dropping older, insecure key types on March 15, 2022.
As of that date, DSA keys ( ssh-dss ) are no longer supported. You cannot add new DSA keys to your personal account on GitHub.com.
RSA keys ( ssh-rsa ) with a valid_after before November 2, 2021 may continue to use any signature algorithm. RSA keys generated after that date must use a SHA-2 signature algorithm. Some older clients may need to be upgraded in order to use SHA-2 signatures.
- Open Terminal Terminal Git Bash .
- Paste the text below, substituting in your GitHub email address.
ssh-keygen -t ed25519 -C "your_email@example.com"
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
> Generating public/private ALGORITHM key pair.
When you’re prompted to «Enter a file in which to save the key», you can press Enter to accept the default file location. Please note that if you created SSH keys previously, ssh-keygen may ask you to rewrite another key, in which case we recommend creating a custom-named SSH key. To do so, type the default file location and replace id_ssh_keyname with your custom key name.
> Enter a file in which to save the key (/Users/YOU/.ssh/id_ALGORITHM): [Press enter]
> Enter a file in which to save the key (/c/Users/YOU/.ssh/id_ALGORITHM):[Press enter]
> Enter a file in which to save the key (/home/YOU/.ssh/ALGORITHM):[Press enter]
> Enter passphrase (empty for no passphrase): [Type a passphrase] > Enter same passphrase again: [Type passphrase again]
Adding your SSH key to the ssh-agent
Before adding a new SSH key to the ssh-agent to manage your keys, you should have checked for existing SSH keys and generated a new SSH key. When adding your SSH key to the agent, use the default macOS ssh-add command, and not an application installed by macports, homebrew, or some other external source.
$ eval "$(ssh-agent -s)" > Agent pid 59566
$ open ~/.ssh/config > The file /Users/YOU/.ssh/config does not exist.
Host github.com AddKeysToAgent yes UseKeychain yes IdentityFile ~/.ssh/id_ed25519
- If you chose not to add a passphrase to your key, you should omit the UseKeychain line.
- If you see a Bad configuration option: usekeychain error, add an additional line to the configuration’s’ Host *.github.com section.
Host github.com IgnoreUnknown UseKeychain
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
Note: The —apple-use-keychain option stores the passphrase in your keychain for you when you add an SSH key to the ssh-agent. If you chose not to add a passphrase to your key, run the command without the —apple-use-keychain option. The —apple-use-keychain option is in Apple’s standard version of ssh-add . In MacOS versions prior to Monterey (12.0), the —apple-use-keychain and —apple-load-keychain flags used the syntax -K and -A , respectively. If you don’t have Apple’s standard version of ssh-add installed, you may receive an error. For more information, see «Error: ssh-add: illegal option — K.» If you continue to be prompted for your passphrase, you may need to add the command to your ~/.zshrc file (or your ~/.bashrc file for bash).
If you have GitHub Desktop installed, you can use it to clone repositories and not deal with SSH keys.
- Ensure the ssh-agent is running. You can use the «Auto-launching the ssh-agent» instructions in «Working with SSH key passphrases», or start it manually:
# start the ssh-agent in the background $ eval "$(ssh-agent -s)" > Agent pid 59566
$ eval "$(ssh-agent -s)" > Agent pid 59566
Generating a new SSH key for a hardware security key
If you are using macOS or Linux, you may need to update your SSH client or install a new SSH client prior to generating a new SSH key. For more information, see «Error: Unknown key type.»
- Insert your hardware security key into your computer.
- Open Terminal Terminal Git Bash .
- Paste the text below, substituting in the email address for your account on GitHub.
ssh-keygen -t ed25519-sk -C "YOUR_EMAIL"
Note: If the command fails and you receive the error invalid format or feature not supported, you may be using a hardware security key that does not support the Ed25519 algorithm. Enter the following command instead.
ssh-keygen -t ecdsa-sk -C "your_email@example.com"
> Enter a file in which to save the key (/Users/YOU/.ssh/id_ed25519_sk): [Press enter]
> Enter a file in which to save the key (/c/Users/YOU/.ssh/id_ed25519_sk):[Press enter]
> Enter a file in which to save the key (/home/YOU/.ssh/id_ed25519_sk):[Press enter]
> Enter passphrase (empty for no passphrase): [Type a passphrase] > Enter same passphrase again: [Type passphrase again]
Help and support
Help us make these docs great!
All GitHub docs are open source. See something that’s wrong or unclear? Submit a pull request.
ssh-agent: How to configure ssh-agent, agent forwarding, & agent protocol
The ssh-agent is a helper program that keeps track of users’ identity keys and their passphrases . The agent can then use the keys to log into other servers without having the user type in a password or passphrase again. This implements a form of single sign-on (SSO).
The SSH agent is used for SSH public key authentication . It uses SSH keys for authentication. Users can create SSH keys using the ssh-keygen command and install them on servers using the ssh-copy-id command.
Contents
Starting ssh-agent
On most Linux systems, ssh-agent is automatically configured and run at login, and no additional actions are required to use it. However, an SSH key must still be created for the user.
If ssh-agent is not automatically started at login, it can be started manually with the command
The ssh-agent command outputs commands to set certain environment variables in the shell. The commands output by default are compatible with /bin/sh and /bin/bash . To output commands for the C-shell ( /bin/csh or /bin/tcsh ), add -c .
The easiest way to check is to check the value of the SSH_AGENT_SOCK environment variable. If it is set, then the agent is presumably running. It can be checked by
Also, to allow key-based logins to servers, public key authentication must be enabled on the server. In OpenSSH it is enabled by default. It is controlled by the PubkeyAuthentication option in sshd_config .
Adding SSH keys to the Agent
By default, the agent uses SSH keys stored in the .ssh directory under the user’s home directory. The ssh-add command is used for adding identities to the agent. In the simplest form, just run if without argument to add the default files ~/.ssh/id_rsa , .ssh/id_dsa , ~/.ssh/id_ecdsa , ~/.ssh/id_ed25519 , and ~/.ssh/identity . Otherwise, give it the name of the private key file to add as an argument.
The following command will list private keys currently accessible to the agent:
SSH Agent Forwarding
Furthermore, the SSH protocol implements agent forwarding, a mechanism whereby an SSH client allows an SSH server to use the local ssh-agent on the server the user logs into, as if it was local there. When the user uses an SSH client on the server, the client will try to contact the agent implemented by the server, and the server then forwards the request to the client that originally contacted the server, which further forwards it to the local agent. This way, ssh-agent and agent forwarding implement single sign-on that can progress transitively.
A wonderful feature of the single sign-on provided by SSH is that it works independent of organizational boundaries and geography. You can easily implement single sign-on to servers on the other side of the world, in cloud services, or at customer premises. No central coordination is needed.
To use agent forwarding, the ForwardAgent option must be set to yes on the client (see ssh_config ) and the AllowAgentForwarding option must be set to yes on the server (see sshd_config ).
Running ssh-agent
The ssh-agent command is usually run from initialization scripts at login, such as from /etc/X11/Xsession.d/90×11-common_ssh-agent on Linux Mint LMDE. Alternatively, any user can configure it to be run from, e.g., the user’s ~/.xsession file or ~/.profile .
The agent outputs environment variable settings that this puts in place. The SSH_AUTH_SOCK environment variable is set to point to a unix-domain socket used for communicating with the agent, and the SSH_AGENT_PID environment variable is set to the process ID of the agent. To get the environment variables set in the user’s shell environment, the agent is usually run with something like the following:
The ssh-agent command accepts the following options:
-a bind_address
Forces to bind the Unix domain socket to the given file path, instead of the default socket.
Forces generation of C-shell commands on stdout. By default the shell is automatically detected.
-E fingerprint_hash Specifies which algorithm to use for generating SSH key fingerprints. Valid values include md5 and sha256 .
Kills the currently running agent.
Forces generation of Bourne shell ( /bin/sh ) commands on stdout. By default the shell is automatically detected.
Specifies a maximum number of seconds that identities are kept in the agent. The value is in seconds, but can be suffixed by m for minutes, h for hours, d for days, and w for weeks. Without this option, the agent keeps the keys in its memory as long as it runs. This can be overridden when running the ssh-add command.