How to list keys added to ssh-agent with ssh-add?
Use the -l option to ssh-add to list them by fingerprint.
$ ssh-add -l
2048 72:...:eb /home/gert/.ssh/mykey (RSA)
Or with -L to get the full key in OpenSSH format.
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc[...]B63SQ== /home/gert/.ssh/id_rsa
The latter format is the same as you would put them in a ~/.ssh/authorized_keys file.
Surprisingly the macOS version of ssh-add at some point stopped showing the filenames as the Linux variant does. I wrote this script which does the same for fingerprints that have a corresponding file in ~/.ssh/.
I call the function ssh-add_wf, wf = with file. The details on the function are below:
$ type ssh-add_wf
ssh-add_wf is a function
ssh-add_wf ()
{
while read -r line; do
for file in ~/.ssh/*.pub;
do
printf "%s %s\n" "$(ssh-keygen -lf "$file" | awk '{$1=""}1')" "$file";
done | column -t | grep --color=auto "$line" || echo "$line";
done < <(ssh-add -l | awk '{print $2}')
}
Example
$ ssh-add_wf
SHA256:mwvSCr2CXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [email protected] (RSA) /Users/myuser/.ssh/[email protected]_id_rsa.pub
SHA256:qInIrnKcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [email protected] (RSA) /Users/myuser/.ssh/[email protected]_id_rsa.pub
SHA256:tX+AAJA0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SHA256:EyNkhTLQXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [email protected] (RSA) /Users/myuser/.ssh/[email protected]_id_rsa.pub
SHA256:KKKVwtvFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SHA256:tr0hZP52XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Above, any keys within ssh-add's output that match a file in the ~/.ssh/ directory will include the file's name in the output in the 4th column. Any keys that do not will have that column empty. In this output we have 3 keys which have files that match.
Mechanics of function
The script uses 2 loops. The outside loop is a while which takes the output of ssh-add. This output is all the fingerprints of SSH keys loaded into ssh-agent.
The interior loop is a for loop which goes through the contents of all the files matching this pattern, ~/.ssh/*.pub. For each file we interrogate it with ssh-keygen -lf <file> and then drop the first column of this output:
...before...
4096 SHA256:mwvSCr2CXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [email protected]
...after...
SHA256:mwvSCr2CXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [email protected]
This string is then printed along with the name of the file:
printf "%s %s\n" "$(ssh-keygen -lf "$file" | awk '{$1=""}1')" "$file"
At the end of the execution of this loop is the following:
| column -t | grep "$line" || echo "$line"
This formats the output so that it's column formatted (column -t). At this point we look at this output for the fingerprint from ssh-add via the grep "$line". If a match is found we print our printf output, otherwise we fall back to just printing the original fingerprint from ssh-add, $line.
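As an added example (not part of the answer above, and not the ssh-add_wf function), the same join of agent fingerprints to .pub files can be done in one awk pass with an exact lookup on the fingerprint column, so the fingerprint is never interpreted as a grep pattern; the function name, the variable names and the sample agent and file listings are mine and constructed, not output from a real agent:

```shell
#!/bin/sh
# Added example: join `ssh-add -l` fingerprints against the fingerprints of the
# .pub files in ~/.ssh in a single awk pass. The fingerprint is looked up as a
# hash key (exact match), not used as a regex. Names and sample data are
# constructed for illustration.

# match_agent_keys AGENT_LIST FILE_LIST
#   AGENT_LIST: text of `ssh-add -l`, one key per line: bits fp comment (type)
#   FILE_LIST : one line per .pub file: <path> <output of ssh-keygen -lf path>
# Prints "fp path" for each loaded key, or "fp -" when no .pub file has that
# fingerprint (a loaded key you cannot account for is worth a look).
match_agent_keys() {
    {
        printf '%s\n' "$2"
        printf '%s\n' '@@AGENT@@'
        printf '%s\n' "$1"
    } | awk '
        $0 == "@@AGENT@@" { in_agent = 1; next }
        # file section: $1 is the path, $3 the SHA256:... fingerprint
        !in_agent { if (NF >= 3) path[$3] = $1; next }
        # agent section: column 2 is the fingerprint; exact table lookup
        NF >= 2 { print $2, (($2 in path) ? path[$2] : "-") }
    '
}

# Live usage against a running agent (uncomment to use):
# files=$(for f in ~/.ssh/*.pub; do printf '%s %s\n' "$f" "$(ssh-keygen -lf "$f")"; done)
# match_agent_keys "$(ssh-add -l)" "$files"

# Constructed sample: two keys loaded, only the first has a .pub file on disk,
# and one .pub file on disk is not loaded at all.
SAMPLE_AGENT='256 SHA256:AAAAexample1 alice@laptop (ED25519)
2048 SHA256:BBBBexample2 alice@old (RSA)'
SAMPLE_FILES='/home/alice/.ssh/id_ed25519.pub 256 SHA256:AAAAexample1 alice@laptop (ED25519)
/home/alice/.ssh/unused.pub 3072 SHA256:CCCCexample3 ci@build (RSA)'

match_agent_keys "$SAMPLE_AGENT" "$SAMPLE_FILES"
```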