You'll find that unlike macOS, ssh-agent doesn't automatically run at startup on OpenBSD, so you need to initialise it, which is quick and easy but somewhat abstruse.

First, don't do the seemingly obvious and simply run ssh-agent like so:

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-MUxDCsIBiG5G/agent.38206; export SSH_AUTH_SOCK;
SSH_AGENT_PID=65950; export SSH_AGENT_PID;
echo Agent pid 65950;

Despite what you might intuit from the output, ssh-agent has only printed the shell commands needed to point your shell at the daemon; it hasn't actually set the variables in the shell that called it. Instead, we should evaluate the output, which will set both the SSH_AUTH_SOCK and SSH_AGENT_PID variables that allow ssh-add to communicate with the authentication agent:

$ eval `ssh-agent`
Agent pid 56496

With the variables set, we can add our keys to the agent:

$ ssh-add
Enter passphrase for /home/alan/.ssh/id_ed25519:
Identity added: /home/alan/.ssh/id_ed25519 (turing@machine.ai)

To ensure we don't keep any agent processes running indefinitely, and amass an army of headless ssh-agent daemons, add the following to ~/.profile:

trap 'test -n "$SSH_AUTH_SOCK" && ssh-add -D && ssh-agent -k; exit 0' 0

This will automatically remove any stored keys and terminate the agent when you logout:

$ exit
All identities removed.
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 56496 killed;
Connection to turing.machine.ai closed.

Alternatively, if you would like to have ssh-agent automatically initialise at startup, add the following to ~/.profile:

if [ ! -S ~/.ssh/ssh_auth_sock ]; then
  eval `ssh-agent`
  ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
fi
export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
ssh-add -l > /dev/null || ssh-add

At login, you will be immediately prompted for any passphrase(s) securing any keys stored in the ~/.ssh directory:

Last login: Sat Jul 27 13:45:55 2019 from 223.33.44.44
OpenBSD 6.5 (GENERIC) #0: Wed Apr 24 22:45:52 CEST 2019

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

Agent pid 53402
Enter passphrase for /home/alan/.ssh/id_ed25519:
Identity added: /home/alan/.ssh/id_ed25519 (turing@machine.ai)
$

By linking the SSH_AUTH_SOCK variable to ~/.ssh/ssh_auth_sock, and testing for its presence before starting another ssh-agent process, we avoid having multiple instances running, which is a common problem in various implementations of this script. You can amend the previous trap set in .profile to delete the file at logout:

trap 'test -n "$SSH_AUTH_SOCK" && ssh-add -D && ssh-agent -k; rm -f "$HOME/.ssh/ssh_auth_sock"; exit 0' 0
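One caveat when the start-up snippet and this trap are combined: a second concurrent login finds the link already present, skips the eval, and so never learns SSH_AGENT_PID. At its logout, ssh-agent -k fails for want of that variable, but rm still removes the link, which leaves the agent running and pulls the socket out from under the first session. The following ~/.profile helpers are an added example, not code from the original post; they keep the same link-and-test approach but record whether the current login started the agent and only tear it down in that case. SSH_AGENT_CMD, SSH_AGENT_LINK and SSH_AGENT_STARTED_HERE are hypothetical variable names chosen here (the command override exists so the logic can be exercised with a stand-in agent); the ssh-add -l exit codes used are the documented ones (0 identities loaded, 1 none loaded, 2 no agent reachable).

```sh
# Added example, not from the original post: ~/.profile helpers that make the
# start-up snippet and the logout trap safe to combine. Assumption: the agent
# is started with "ssh-agent -s"; SSH_AGENT_CMD and SSH_AGENT_LINK are
# hypothetical overrides so the logic can be exercised with a stand-in.

: "${SSH_AGENT_CMD:=ssh-agent -s}"
: "${SSH_AGENT_LINK:=$HOME/.ssh/ssh_auth_sock}"

# Reuse the agent behind SSH_AGENT_LINK if it is a live socket; otherwise
# start one and point the link at its socket. SSH_AGENT_STARTED_HERE records
# whether this login launched the agent, which the logout handler needs.
start_agent() {
  SSH_AGENT_STARTED_HERE=0
  if [ ! -S "$SSH_AGENT_LINK" ]; then
    eval "$($SSH_AGENT_CMD)" > /dev/null || return 1
    ln -sf "$SSH_AUTH_SOCK" "$SSH_AGENT_LINK" || return 1
    SSH_AGENT_STARTED_HERE=1
  fi
  SSH_AUTH_SOCK=$SSH_AGENT_LINK
  export SSH_AUTH_SOCK SSH_AGENT_STARTED_HERE
}

# Prompt for keys only when the agent is reachable but empty: ssh-add -l
# exits 0 with identities loaded, 1 when it holds none, and 2 when no agent
# can be contacted (where prompting would only produce an error).
load_keys_if_empty() {
  rc=0
  ssh-add -l > /dev/null 2>&1 || rc=$?
  case $rc in
    1) ssh-add ;;
    2) echo "ssh-agent not reachable via $SSH_AUTH_SOCK" >&2 ;;
  esac
}

# Logout handler: always wipe the loaded keys, as the post's trap does, but
# kill the agent and drop the link only if this login started it. A second
# concurrent login that merely reused the agent leaves it and its socket alone.
stop_agent() {
  [ -n "$SSH_AUTH_SOCK" ] || return 0
  ssh-add -D > /dev/null 2>&1 || :
  if [ "${SSH_AGENT_STARTED_HERE:-0}" = 1 ] && [ -n "$SSH_AGENT_PID" ]; then
    ssh-agent -k > /dev/null 2>&1 || kill "$SSH_AGENT_PID" 2>/dev/null || :
    rm -f "$SSH_AGENT_LINK"
    unset SSH_AGENT_PID
  fi
  unset SSH_AUTH_SOCK
}

# In ~/.profile, run the login-time steps for interactive logins only.
case $- in
  *i*)
    start_agent && load_keys_if_empty
    trap 'stop_agent; exit 0' 0
    ;;
esac
```

The key wipe in stop_agent is deliberately unconditional so that no session's logout leaves keys loaded, matching the post's trap; the trade-off is that a logout from a second session also empties the agent the first session is still using, which is the safer default when the goal is to leave nothing behind.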
