Linux – How to clear out the ssh-agent entries (on Mac OS X )

linuxmacossshssh-agentunix

I'm running Mac OS X, and it appears that after SSHing to several machines, using identity files, my 'ssh-agent' builds up a lot of identity / keys and then sometimes offers too many to a remote machine, causing them to kick me off before connecting:

Received disconnect from 10.12.10.16: 2: Too many authentication failures for cwd

It's pretty obvious what's happening, and this page talks about it in more detail:

SSH servers only allow you to attempt
to authenticate a certain number of
times. Each failed password attempt,
each failed pubkey/identity that is
offered, etc, take up one of these
attempts. If you have a lot of SSH
keys in your agent, you may find that
an SSH server may kick you out before
allowing you to attempt password
authentication at all. If this is the
case, there are a few different
workarounds.

Rebooting clears the agent and then everything works OK again. I can also add this line to my .ssh/config file to force it to use password authentication:

PreferredAuthentications keyboard-interactive,password

Anyhow, I saw the note on the page I referenced talking about deleting keys from the agent, but I'm not sure if that applies on a Mac since they appear to be cleared after reboot anyhow.

Is there a simple way to clear out all keys in the 'ssh-agent' (the same thing that happens at reboot)?

Best Answer

Your SSH keys should not get automatically added to the agent just because you SSH'ed to a server...

Run ssh-add -l to list the agent's keys, ssh-add -D to clean out all keys.

Related Solutions

Linux – ssh-agent and screen

With the following setup, you won't need any wrapper for invoking screen. Moreover, it avoids using /tmp (with the consequent security risks).

Ensure you have an ~/tmp directory:
```
mkdir ~/tmp
```
Add to .screenrc the following line:
```
setenv SSH_AUTH_SOCK "$HOME/tmp/ssh-agent-screen"
```
- This ensures that inside screen, ssh looks for the socket always in the same location, rather than a changing path.
- You must use setenv whichever shell you use, since it's a screen and not a shell command.
Add to .bash_profile the following line:
```
[ -n "$SSH_AUTH_SOCK" ] && [ "$SSH_AUTH_SOCK"!="$HOME/tmp/ssh-agent-screen" ] && ln -sf "$SSH_AUTH_SOCK" "$HOME/tmp/ssh-agent-screen"
```
- This will link from the fixed location (where ssh looks) to the real one, and must appear after starting ssh-agent.
- Using [ -n "$SSH_AUTH_SOCK" ] will properly prevent errors when SSH_AUTH_SOCK is not set.
- [ "$SSH_AUTH_SOCK"!="$HOME/tmp/ssh-agent-screen" ] will prevent screen sessions linking $HOME/tmp/ssh-agent-screen to itself, if screen sources .bash_profile.
Instead of starting ssh-agent in .bash_profile, you can consider connecting with ssh -A (to use agent forwarding and make the remote machine use your agent).

After this setup, you can just use standard screen command. You'll only need to recreate existing sessions or manually set SSH_AUTH_SOCK inside them to the fixed location of step 2.

Credits to this website for the idea; I avoided using /tmp. This answer is similar but uses extra aliases.

Linux – How to configure SSH so it doesn’t try all the identity files automatically

You can use the IdentitiesOnly=yes option along with IdentityFile (see ssh_config man page). That way, you can specify which file(s) it should look for.

In this example, ssh will only look in the identities given in the ssh_config files + the 4 ones listed on the command line (the identities provided by the agent will be ignored):

ssh -o IdentitiesOnly=yes \
    -o IdentityFile=id1.key \
    -o IdentityFile=id2.key \
    -i id3.key \
    -i id4.key \
    user123@example.com

The forms -i and -o IdentityFile= are interchangeable.

In .ssh/config, you can include config like this:

Host example
User user123
Hostname example.com
IdentityFile ~/.ssh/id_rsa_example
IdentityFile ~/.ssh/id_rsa_example2
IdentitiesOnly yes

Best Answer

Related Solutions

Linux – ssh-agent and screen

Linux – How to configure SSH so it doesn’t try all the identity files automatically

Related Question