starting ssh-agent on openbsd


ssh-agent natively runs at startup on OpenBSD when using xenodm, otherwise it needs to be manually initialised. This is quick and easy but somewhat abstruse.

Do not do the seemingly obvious and simply run ssh-agent like so:

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-MUxDCsIBiG5G/agent.38206; export SSH_AUTH_SOCK;
echo Agent pid 65950;

Despite what the output implies, ssh-agent has only printed the shell script needed to initialise the daemon–it has not actually set the variables. Instead, the output should be evaluated, which will set both the SSH_AUTH_SOCK and SSH_AGENT_PID variables that allow ssh-add to communicate with the authentication agent:

$ eval `ssh-agent`
Agent pid 56496

With the variable set, keys can be added to the agent:

$ ssh-add
Enter passphrase for /home/alan/.ssh/id_ed25519:
Identity added: /home/alan/.ssh/id_ed25519 (

To ensure agent processes are not kept running indefinitely, add the following to $HOME/.profile:

trap 'test -n "$SSH_AUTH_SOCK" && ssh-add -D && ssh-agent -k; exit 0' 0

This will remove any keys and terminate the agent at logout:

$ exit
All identities removed.
echo Agent pid 56496 killed;
Connection to closed.

Alternatively, to automatically initialise ssh-agent at startup, add the following to $HOME/.profile (h/t John Karabaic):

export SSH_AUTH_SOCK="${HOME}/.ssh/ssh_auth_sock"

	if [ "${SSH_AGENT_PID}" -gt 0 ] && [ -S "${SSH_AUTH_SOCK}" ]; then
		ssh-add -D
		ssh-agent -k
		rm -rf "${SSH_AUTH_SOCK}"

if [ ! -S "${SSH_AUTH_SOCK}" ]; then
	eval $(ssh-agent -a "${SSH_AUTH_SOCK}")

ssh-add -l > /dev/null || ssh-add
trap sshkill EXIT

At login, ssh-agent will prompt for any passphrase(s) securing keys stored in $HOME/.ssh:

Last login: Sat Jul 27 13:45:55 2019 from
OpenBSD 6.5 (GENERIC) #0: Wed Apr 24 22:45:52 CEST 2019

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

Agent pid 53402
Enter passphrase for /home/alan/.ssh/id_ed25519:
Identity added: /home/alan/.ssh/id_ed25519 (

Exporting SSH_AUTH_SOCK as $HOME/.ssh/ssh_auth_sock and testing for its presence before starting another ssh-agent process, avoids having multiple instances running. This is a common problem in various implementations of this script. Like the first trap, the sshkill() function will kill the agent and remove stored keys, but will also delete the socket file at logout.

Tags: openbsd
send comments to mark AT jamsek DOT net

Generated by emacs org mode

Copyright © 2023 Mark Jamsek