How and where can I check what keys have been added with ssh-add to my ssh-agent?

Patryk

2 Answers

Use ssh-add -l to list them by fingerprint.

$ ssh-add -l
2048 72:...:eb /home/gert/.ssh/mykey (RSA)

Or ssh-add -L to get the full key in OpenSSH format.

$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc[...]B63SQ== /home/gert/.ssh/id_rsa

The latter format is the same as you would put them in a ~/.ssh/authorized_keys file.

gertvdijk
  • [rahul@srv1~]$ ssh-add -l Could not open a connection to your authentication agent. – Rahul Patil Dec 20 '12 at 11:11
  • @RahulPatil Are you running an SSH agent on that machine? Run this on the same machine to which you've added the keys, not the remote one! – gertvdijk Dec 20 '12 at 11:18
  • You could run this command on the remote host if key agent forwarding is enabled. – phemmer Mar 30 '13 at 19:58
  • Example: ssh-agent sh -c 'ssh-add; ssh-add -l' – kenorb Mar 26 '15 at 21:15
  • @RahulPatil To run the ssh agent: eval `ssh-agent -s`. http://stackoverflow.com/questions/17846529/could-not-open-a-connection-to-your-authentication-agent – Clay Jul 28 '15 at 17:08
  • I thought ssh-agent would have an option to perform this. – Shiplu Mokaddim May 06 '16 at 13:25
  • @Shiplu You're talking to the SSH agent with the use of ssh-add. Perhaps you're missing the point that the ssh-agent instance is the background task with the key management, started at desktop session login time. Please refer to the manpage of ssh-agent for a more thorough explanation. – gertvdijk May 06 '16 at 13:28
  • @gertvdijk I was in fact talking about naming. From the name ssh-add it sounds like this command should only add keys to the agent. And then ssh-agent should know what keys it's holding. My perspective was different. – Shiplu Mokaddim May 06 '16 at 13:43
  • @kenorb I would post the command as an answer because the one-liner is nice. – Timo Dec 24 '21 at 10:19
Surprisingly, the macOS version of ssh-add at some point stopped showing the filenames as the Linux variant does. I wrote this script which does the same for fingerprints that have a corresponding file in ~/.ssh/.

I call the function ssh-add_wf, wf = with file. The details on the function are below:

$ type ssh-add_wf
ssh-add_wf is a function
ssh-add_wf ()
{
    while read -r line; do
        for file in ~/.ssh/*.pub;
        do
            printf "%s %s\n" "$(ssh-keygen -lf "$file" | awk '{$1=""}1')" "$file";
        done | column -t | grep --color=auto "$line" || echo "$line";
    done < <(ssh-add -l | awk '{print $2}')
}

Example

$  ssh-add_wf
 SHA256:mwvSCr2CXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  myuser@mydom.lan  (RSA)  /Users/myuser/.ssh/ssh_myuser@mydom.lan_id_rsa.pub
 SHA256:qInIrnKcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  myuser@mydom.com  (RSA)  /Users/myuser/.ssh/github_myuser@mydom.com_id_rsa.pub
 SHA256:tX+AAJA0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 SHA256:EyNkhTLQXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  myuser@mydom.com  (RSA)  /Users/myuser/.ssh/ssh_myuser@mydom.com_id_rsa.pub
 SHA256:KKKVwtvFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 SHA256:tr0hZP52XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Above, any keys within ssh-add's output that match a file in the ~/.ssh/ directory will include the file's name in the output in the 4th column. Any keys that do not will have that column empty. In this output we have 3 keys which have files that match.

Mechanics of function

The script uses 2 loops. The outside loop is a while which takes the output of ssh-add. This output is all the fingerprints of SSH keys loaded into ssh-agent.

The interior loop is a for loop which goes through the contents of all the files matching this pattern, ~/.ssh/*.pub. For each file we interrogate it with ssh-keygen -lf <file> and then drop the first column of this output:

...before...

4096 SHA256:mwvSCr2CXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX myuser@mydom.lan

...after...

SHA256:mwvSCr2CXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX myuser@mydom.lan

This string is then printed along with the name of the file:

printf "%s %s\n" "$(ssh-keygen -lf "$file" | awk '{$1=""}1')" "$file"

At the end of the execution of this loop is the following:

| column -t | grep "$line" || echo "$line"

This formats the output so that it's column formatted (column -t).

At this point we look at this output for the fingerprint from ssh-add via the grep "$line". If a match is found we print our printf output, otherwise we fall back to just printing the original fingerprint from ssh-add, $line.

slm
  • What happened is that OpenSSH adopted a new private key storage format that has support for comments inside the private key, which of course can't be changed if you don't have the passphrase. If the private key is stored in this new file format (which you can recognize by the BEGIN OPENSSH PRIVATE KEY at the top of the file), then ssh-add -l displays it; if not, it instead displays the name of the file from which the key was loaded. – Mark Reed Dec 09 '20 at 20:31
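Added example, not code from either answer: it serves both the ssh-add -l listing in the first answer and the fingerprint-to-file mapping in the second, joining the agent listing against the fingerprints of local *.pub files by exact fingerprint field rather than a grep substring hit. The catalogue_pubkeys and join_agent_keys names are mine; the sample listing and catalogue are constructed, and only the commented live wrapper needs ssh-add, ssh-keygen and a reachable agent.

```shell
#!/bin/sh
# Added example, not code from either answer: join the `ssh-add -l` listing
# against fingerprints of local *.pub files by exact fingerprint match,
# so an agent key is never paired with a file by a partial substring hit.
# Paths containing whitespace are not handled (the path is taken as the last field).

# catalogue_pubkeys FILE...  ->  "<bits> <fingerprint> <comment> (<type>) <path>" per file.
# Needs ssh-keygen on PATH; only the live wrapper at the bottom calls it.
catalogue_pubkeys() {
    for _f in "$@"; do
        [ -r "$_f" ] || continue
        printf '%s %s\n' "$(ssh-keygen -lf "$_f")" "$_f"
    done
}

# join_agent_keys AGENT_LISTING CATALOGUE
# Both arguments are newline-separated text. Prints each agent line followed
# by the matching file path, or "(no matching file)" when no *.pub has that
# fingerprint (the case that shows up as an empty column on macOS).
join_agent_keys() {
    {
        printf '%s\n' "$2" | awk '{ print "CAT", $0 }'
        printf '%s\n' "$1" | awk '{ print "AGT", $0 }'
    } | awk '
        $1 == "CAT" && NF >= 3 { path[$3] = $NF; next }
        $1 == "AGT" && NF > 1 {
            line = substr($0, 5)                 # original ssh-add -l text
            if ($3 !~ /^(SHA256:|MD5:|[0-9a-f][0-9a-f]:)/) { print line; next }   # e.g. "The agent has no identities."
            print line, (($3 in path) ? path[$3] : "(no matching file)")
        }'
}

# Constructed sample data: fingerprints and paths are made up for the demo.
SAMPLE_AGENT='4096 SHA256:mwvSCr2CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA myuser@mydom.lan (RSA)
256 SHA256:tX+AAJA0BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB deploy@ci (ED25519)'
SAMPLE_CATALOGUE='4096 SHA256:mwvSCr2CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA myuser@mydom.lan (RSA) /Users/myuser/.ssh/id_rsa.pub
256 SHA256:qInIrnKcCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC myuser@mydom.com (ED25519) /Users/myuser/.ssh/github.pub'

# Live use, which needs ssh-add, ssh-keygen and a reachable agent:
#   join_agent_keys "$(ssh-add -l)" "$(catalogue_pubkeys ~/.ssh/*.pub)"
join_agent_keys "$SAMPLE_AGENT" "$SAMPLE_CATALOGUE"
```

On an older OpenSSH that prints hex colon-separated fingerprints, the same join works as long as both ssh-add -l and ssh-keygen -lf use the same hash format.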