177

Before upgrade

When I ran git clone git@... (using ssh), once per computer restart a dialog window appeared with a textbox for entering my SSH passphrase, which I confirmed with OK. Then the passphrase was no longer required until the next start of my system.

After upgrading to 13.10

After upgrading to Ubuntu 13.10 that window doesn't appear anymore but a message in terminal appears:

Enter passphrase for key '/home/username/.ssh/id_rsa': 

...every time when cloning a git repository this appears.

How can I fix this? I want to enter my passphrase only once.

Ionică Bizău

11 Answers

170

Update: seems to be a bug from 13.10:

https://bugs.launchpad.net/ubuntu/+source/libpam-ssh/+bug/1247169


Anyway running the following commands the problem was fixed for me:

How to fix

I fixed this by entering the following commands:

$ ssh-agent bash

This creates a new bash process that allows you to add private keys. When adding a new private key you will be prompted for the passphrase once and only once.

And then:

$ ssh-add /home/username/.ssh/id_rsa
Enter passphrase for /home/username/.ssh/id_rsa: 
Identity added: /home/username/.ssh/id_rsa (/home/username/.ssh/id_rsa)

...where username is your username. You can do the same using $USER variable:

$ ssh-add /home/$USER/.ssh/id_rsa

Alternatively, just use ~ for your home directory.

$ ssh-add ~/.ssh/id_rsa

And the problem was fixed.

Ionică Bizău
  • 74
    This doesn't solve the problem at all. It only adds the identity to the agent until you exit out of the terminal. If you open a new terminal you have to `ssh-add` again. – devius Nov 11 '13 at 12:15
  • @devius Yes, seems to be a bug. But, the commands above fixed my problem... – Ionică Bizău Nov 11 '13 at 13:57
  • 4
    So to clarify: With this "fix" you will only not have to type in the passphrase in that terminal again. The moment you open a new terminal - you will have to give the passphrase again. – harijay Feb 06 '14 at 15:33
  • 9
    I tried `$ ssh-add /home/username/.ssh/id_rsa` (without `ssh-agent bash`) and it worked for me even after reopening the terminal. But the complete solution for me was this one http://stackoverflow.com/a/4246809/532252. Everything is ok even after rebooting the machine. – kishie Feb 19 '14 at 07:49
  • 1
    I just typed ssh-add in the terminal. No need to switch to ssh-agent bash or specify an id_rsa file – henry74 Apr 10 '14 at 19:27
  • In fact you just need to run `ssh-agent` or an alternative *for the session*, not for one shell. – Pavel Šimerda Nov 30 '14 at 15:08
  • `$ eval $(ssh-agent)` then `$ ssh-add /path/to/key` – David Farrell Apr 24 '15 at 21:06
  • 1
    For me it doesn't fix the problem, because if I close the terminal and reopen it, then it still asks for a passphrase. – Kalitine Jun 02 '20 at 12:13
98

Short answer

Use AddKeysToAgent and add the following to your .ssh/config at the beginning:

AddKeysToAgent yes

and run git/ssh/... If it's not enough, check your ssh version and check that ssh-agent is loaded with these instructions:

1) Check the openssh version

First check your ssh version; it must be greater than or equal to 7.2:

ssh -V

2) Edit the config file

If that's the case, just add one line at the beginning of your .ssh/config:

AddKeysToAgent yes

Other options are no (the default), yes, confirm (optionally followed by a time interval), ask or a time interval.

3) Check if ssh-agent is already open

Usually distributions automatically load an ssh-agent. To check it, run

ps aux | grep -v grep | grep ssh-agent

If you don't see any line containing it, you need to load it by running:

eval $(ssh-agent)

Note that this enables the agent only in the current terminal, so to enable it everywhere, you can try adding this line to your ~/.profile file and rebooting.

Vahid
tobiasBora
  • 21
    `AddKeysToAgent yes` is the canonical post-2016 answer – and *exactly* what most modern users are grepping about for. It's mid-2017. Ubuntu >= 16.04 (*Xenial Xerus*) is now a reasonable assumption. Most OpenSSH installations in the wild now support this option. Ad-hoc shell script kludges of the sort advocated by every other answer to this question are so... *passé*. – Cecil Curry Aug 16 '17 at 04:16
  • 2
    This should be the accepted answer – simernes May 06 '19 at 11:58
  • 2
    So this doesn't work for me, in 18.04. To be clear this works once _per session_, but it doesn't make it persist over restarts. – SCdF Nov 07 '19 at 14:28
  • @SCdF you probably need to add `eval $(ssh-agent)` to your `.bashrc` using something like https://unix.stackexchange.com/a/217223/355088 – CervEd Apr 20 '21 at 10:50
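
A quick way to confirm both preconditions from this answer, as an added example that is not part of the original answer: the first function checks an `ssh -V` banner against the 7.2 minimum, and the second reads the `AddKeysToAgent` value that `ssh -G <host>` reports for a host. The function names are made up for this example.

```shell
# Added example; function names are hypothetical, not part of OpenSSH.

# Succeed when an `ssh -V` banner reports OpenSSH 7.2 or newer,
# the minimum version this answer gives for AddKeysToAgent.
openssh_supports_addkeys() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2            # not an OpenSSH banner
    set -- $ver                          # $1 = major, $2 = minor
    [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 2 ]; }
}

# Read `ssh -G <host>` output on stdin and print the AddKeysToAgent value
# that applies to that host, or "unset" when the keyword is absent.
# ssh -G prints keywords in lower case and may show yes/no as true/false.
effective_addkeys() {
    awk '$1 == "addkeystoagent" { print $2; found = 1; exit }
         END { if (!found) print "unset" }'
}

# Run both checks against the local ssh client for one host.
check_addkeys() {
    if ! openssh_supports_addkeys "$(ssh -V 2>&1)"; then
        echo "OpenSSH older than 7.2: AddKeysToAgent is not supported"
        return 1
    fi
    val=$(ssh -G "$1" 2>/dev/null | effective_addkeys)
    echo "AddKeysToAgent for $1: $val"
    case $val in false|no|unset) return 1 ;; esac
}
```

Run `check_addkeys <host>` with the host you clone from; a result of `false` or `unset` means the line in `~/.ssh/config` is not being applied to that host.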
45

This Atlassian document (archive.org backup) fixed the issue for me on Ubuntu 14.04 Server Edition:

Just add these values to your .bashrc file:

SSH_ENV="$HOME/.ssh/environment"

# start the ssh-agent
function start_agent {
    echo "Initializing new SSH agent..."
    # spawn ssh-agent and save its variables, with the echo line commented out
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    /usr/bin/ssh-add
}

# reuse the saved agent if its process is still running, otherwise start a new one
if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    ps -ef | grep ${SSH_AGENT_PID} | grep 'ssh-agent$' > /dev/null || {
        start_agent
    }
else
    start_agent
fi

After logging in, it asks for the password only once and caches it. You don't need to enter it each time.

Arda
  • // , I'll have to try this out, but it looks good. – Nathan Basanese Aug 28 '15 at 17:03
  • 2
    This seems to work on other distros, like I just successfully used this answer on Sabayon Linux. – Josh Pinto Nov 20 '15 at 05:08
  • 2
    Thanks! This solution worked for me on an ubuntu system where the gnome-keyring-daemon didn't work because of dbus-daemon issues. Specifically, I was getting these errors "** Message: couldn't connect to dbus session bus: Unable to autolaunch a dbus-daemon without a $DISPLAY for X11" and after setting the display environment variable I got "** Message: couldn't connect to dbus session bus: //bin/dbus-launch terminated abnormally with the following error: Autolaunch error: X11 initialization failed." – user207863 Feb 26 '16 at 17:05
  • 1
    This needs more upvotes, fixes the problem on virtualized Ubuntu 16.04 fine. – Niels Keurentjes Jul 31 '16 at 21:35
  • 3
    This fixes the problem for me on Bash for Windows as well. I tried launching Bash multiple times and it remembered the passphrase. Haven't tried a restart yet. – Amr Nov 27 '16 at 04:53
  • 2
    after trying all the other solutions, this worked for me. This should be the solution to the OP – João Pimentel Ferreira Aug 14 '17 at 19:23
  • this should be what KDE does by default. – don bright Jul 22 '18 at 03:06
  • 1
    Confirmed working on 18.04 machine ! Neat answer +1 – Liso Nov 04 '19 at 05:28
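
The script above decides whether the saved agent is still alive by grepping `ps` output for the PID, which can match an unrelated process; asking the agent itself is more direct. The following added example (not from the Atlassian document or from any answer here) uses the exit status of `ssh-add -l` for that, and it also covers the comments on the first answer about every new terminal needing its own `ssh-add`. `SSH_ENV` is the same path as above; the function names are made up for this example.

```shell
# Added example; agent_state, start_agent and ensure_agent are hypothetical names.
SSH_ENV="${SSH_ENV:-$HOME/.ssh/environment}"

# Classify the agent reachable through the current SSH_AUTH_SOCK.
# ssh-add -l exits 0 when keys are loaded, 1 when the agent holds no keys,
# and 2 when no agent can be contacted.
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Start a new agent and save its variables in a file that is created
# owner-only from the start (umask) instead of being chmod-ed afterwards.
start_agent() {
    (
        umask 077
        rm -f "$SSH_ENV"
        ssh-agent -s | sed 's/^echo/#echo/' > "$SSH_ENV"
    )
    . "$SSH_ENV" >/dev/null
}

# Reuse the saved agent when its socket still answers; otherwise replace it.
# Prints the resulting state: loaded, empty or unreachable.
ensure_agent() {
    if [ "$(agent_state)" = unreachable ] && [ -f "$SSH_ENV" ]; then
        . "$SSH_ENV" >/dev/null
    fi
    if [ "$(agent_state)" = unreachable ]; then
        start_agent
    fi
    agent_state
}
```

Call `ensure_agent >/dev/null` near the end of `~/.bashrc`; with `AddKeysToAgent yes` in `~/.ssh/config` the key is then added to the shared agent on first use.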
21

A workaround for this bug is to add the following to the bottom of ~/.bashrc

eval `gnome-keyring-daemon --start`
Anwar
Alex Collins
5

I've spent far too long getting this running on WSL2 Ubuntu 20.04. In the end, we need to start ssh-agent when spawning a new console, but not load a key then. Load the key upon first use, and use AddKeysToAgent.

Add the following at the end of your ~/.bashrc or ~/.zshrc:

SSH_ENV="$HOME/.ssh/agent-environment"

function start_agent {
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
}

if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    # ps ${SSH_AGENT_PID} doesn't work under cygwin
    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
        start_agent;
    }
else
    start_agent;
fi

Note that /usr/bin/ssh-add; is deliberately missing here, compared to the original script.

And add the following at the end of the ~/.ssh/config file:

Host *
   AddKeysToAgent yes
Greg Witczak
4

Users of the fish shell can use this script to do the same thing.

# content has to be in .config/fish/config.fish
# if it does not exist, create the file
setenv SSH_ENV $HOME/.ssh/environment

function start_agent
    echo "Initializing new SSH agent ..."
    ssh-agent -c | sed 's/^echo/#echo/' > $SSH_ENV
    echo "succeeded"
    chmod 600 $SSH_ENV 
    . $SSH_ENV > /dev/null
    ssh-add
end

function test_identities
    ssh-add -l | grep "The agent has no identities" > /dev/null
    if [ $status -eq 0 ]
        ssh-add
        if [ $status -eq 2 ]
            start_agent
        end
    end
end

if [ -n "$SSH_AGENT_PID" ] 
    ps -ef | grep $SSH_AGENT_PID | grep ssh-agent > /dev/null
    if [ $status -eq 0 ]
        test_identities
    end  
else
    if [ -f $SSH_ENV ]
        . $SSH_ENV > /dev/null
    end  
    ps -ef | grep $SSH_AGENT_PID | grep -v grep | grep ssh-agent > /dev/null
    if [ $status -eq 0 ]
        test_identities
    else 
        start_agent
    end  
end
Elijah Lynn
  • There is also https://github.com/danhper/fish-ssh-agent that users can install with `fisher`, instructions at link. – Elijah Lynn Feb 09 '22 at 22:01
0

On Ubuntu 18.04, the ssh-agent is started when the X session is opened; this is managed in the file /etc/X11/Xsession.options:

# cat /etc/X11/Xsession.options
# $Id: Xsession.options 189 2005-06-11 00:04:27Z branden $
#
# configuration options for /etc/X11/Xsession
# See Xsession.options(5) for an explanation of the available options.
allow-failsafe
allow-user-resources
allow-user-xsession
use-ssh-agent
use-session-dbus
MaxiReglisse
0

An alternate solution is to use keychain.
Man page.

Keychain helps you to manage SSH and GPG keys in a convenient and secure manner. It acts as a frontend to ssh-agent and ssh-add, but allows you to easily have one long running ssh-agent process per system, rather than the norm of one ssh-agent per login session.

This dramatically reduces the number of times you need to enter your passphrase.

superqwerty
0

If you are using Ubuntu 18.04 or later, GNOME Keyring will launch ssh-agent and set the SSH_AUTH_SOCK environment variable. You can always verify after reboot using the command `pgrep -af ssh-agent` to see if ssh-agent is running; if it's launched by GNOME Keyring, you should see output like `214325 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh`

If not, you can add the following to .bashrc before adding the keychain commands.

eval `/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh,gpg`
export SSH_AUTH_SOCK
export GPG_AGENT_INFO

To take advantage of storing the secrets in the GNOME keyring, all we need is to install Seahorse (aka Passwords and Keys) from the Ubuntu software store, with which we can add SSH keys and their passphrases using a GUI.

Add the section below to the SSH config file at $HOME/.ssh/config if not already present.

Host *
    AddKeysToAgent yes

After adding the keys and their passphrases to Seahorse, install keychain and then add the following lines to .bashrc.

# Use $HOME here: a ~ inside single quotes is not expanded by bash.
key_files=("$HOME/.ssh/id_rsa1" "$HOME/.ssh/id_rsa2")
# This will inherit the ssh-agent started by the gnome keyring and hence
# we don't need to enter passphrases after every reboot.
/usr/bin/keychain --agents ssh --inherit any --eval "${key_files[@]}"
source "$HOME/.keychain/$HOSTNAME-sh"
0

I use this:

vim ~/.profile

eval `/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh,gpg`
export SSH_AUTH_SOCK
export GPG_AGENT_INFO
karel
0

If you use an Azure .ppk file

Just convert it to PEM and set permission 400 with these simple steps:

sudo apt-get install putty
puttygen <path_to_key>/keyname.ppk -O private-openssh -o <path>/aws_key.pem
sudo chmod 400 <path>/aws_key.pem
ssh -vi aws_key.pem ubuntu@<ip_address>
Mostafa Ahangarha
GrvTyagi