• To enable agent creation for all users, create /etc/systemd/user/[email protected]:
  1. Create directory structure:

     sudo mkdir -p /etc/systemd/user/

  2. Create the service file:

     cat << EOF | sudo tee /etc/systemd/user/[email protected]
     [Unit]
     Description=SSH authentication agent for %I
     Before=default.target
      
     [Service]
     Type=simple
     Environment=SSH_AUTH_SOCK=%t/%i-agent.socket
     ExecStart=/usr/bin/ssh-agent -D -a %t/%i-agent.socket
     SuccessExitStatus=2
      
     [Install]
     WantedBy=default.target
      
     # vim: ft=dosini ts=2 sts=2 sw=2 sr et
     EOF

• To enable agent creation for only you, create ~/.config/systemd/user/[email protected]:
  1. Create directory structure:

     mkdir -p ~/.config/systemd/user/

  2. Create the service file:

     cat << EOF > ~/.config/systemd/user/[email protected]
     [Unit]
     Description=SSH authentication agent for %I
     Before=default.target
      
     [Service]
     Type=simple
     Environment=SSH_AUTH_SOCK=%t/%i-agent.socket
     ExecStart=/usr/bin/ssh-agent -D -a %t/%i-agent.socket
     SuccessExitStatus=2
      
     [Install]
     WantedBy=default.target
      
     # vim: ft=dosini ts=2 sts=2 sw=2 sr et
     EOF

• Enabling creation for all users does NOT mean that all users can access your agent, it just means that they can create their own agents!

• Start and enable the agent as your regular user (and similar for the other agent(s)):

  systemctl --user enable --now ssh-agent@<name>.service

• Check status of the ssh-agent service:

  systemctl --user status ssh-agent@<name>.service

• Stop the ssh-agent service:

  systemctl --user stop ssh-agent@<name>.service

• Whatever name you use for each service will be included in the name of the agent's socket.
• For example, if we named one foo and another bar:

  systemctl --user enable --now ssh-agent@foo.service
  systemctl --user enable --now ssh-agent@bar.service

• We would have two new socket files:

  "$XDG_RUNTIME_DIR/foo-agent.socket"
  "$XDG_RUNTIME_DIR/bar-agent.socket"

• Create an environment variable in your preferred startup file (eg ~/.profile, ~/.bash_profile, etc):

  socketpath="$XDG_RUNTIME_DIR/<name>-agent.socket"
  if [ -S "$socketpath" ]; then
    export SSH_AUTH_SOCK="$socketpath"
  fi

• Use the IdentityAgent directive and add the SSH agent socket in your ~/.ssh/config:

   Host myhost
        ...
        AddKeysToAgent yes
        IdentityAgent  "/run/user/%i/<name>-agent.socket"
        IdentitiesOnly yes

• ForwardAgent can be configured to forward the agent in ~/.ssh/config:

   Host myhost
        ...
        AddKeysToAgent yes
        ForwardAgent   "/run/user/%i/<name>-agent.socket"
        IdentityAgent  "/run/user/%i/<name>-agent.socket"
        IdentitiesOnly yes

• Leaving those unconfigured, the hosts will use whatever $SSH_AUTH_SOCK is set to by default.

• For the default ssh-agent, running only the commands will work:
  • Add keys to the agent:

    ssh-add ~/.ssh/ed_25519

  • List keys in the ssh-agent:

    ssh-add -L

  • Clear keys from the agent:

    ssh-add -D

• Prepend the command with the environment variable to access other ssh-agents:
  • Add keys to the agent:

    SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/<name>-agent.socket" ssh-add ~/.ssh/work

  • List keys in the ssh-agent:

    SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/<name>-agent.socket" ssh-add -L

  • Clear keys from the agent:

    SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/<name>-agent.socket" ssh-add -D

• Debian auto-starts a ssh-agent at login.
  • Comment or remove the line in /etc/X11/Xsession.options to stop it from starting:

    sudo sed -i 's/^use-ssh-agent$/# use-ssh-agent/g' /etc/X11/Xsession.options

• ssh-add -L will only list keys in $SSH_AUTH_SOCK.
  • Specify the ssh-agent by passing the variable:

    SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/<name>-agent.socket" ssh-add -L

• If using ssh-askpass, add the following to the service file:

  # DISPLAY required for ssh-askpass to work
  Environment=DISPLAY=:0

• ssh-agent exits with code 2 which results in 'failed' state on stop and I found 2 options to remedy this:
  • Inform systemd that a successful exit status is 2:

    SuccessExitStatus=2

  • Prefix the ExecStart with a - to suppress this behavior:

    ExecStart=-/usr/bin/ssh-agent -D -a %t/%i-agent.socket

• Currently untested: Enable linger for users who need the agents to be active while not logged in:

  loginctl enable-linger <user>

  • https://manpages.debian.org/bullseye/systemd/loginctl.1.en.html#User_Commands

After following the steps above, as an example I'll create a “default” agent for my everyday ssh keys and a “work” agent for my work ssh keys.

• Start and enable the “default” ssh-agent:

  systemctl --user enable --now ssh-agent@ssh.service

• Check status:

  systemctl --user status ssh-agent@ssh.service

• Configure environment for the “default” agent:

  cat << EOF >> ~/.profile
  socketpath="$XDG_RUNTIME_DIR/ssh-agent.socket"
  if [ -S "$socketpath" ]; then
    export SSH_AUTH_SOCK="$socketpath"
  fi
  EOF

• Source the file to load the variable:

  source ~/.profile

• Add keys to “Default” agent:

  ssh-add ~/.ssh/key

• List keys in “Default” agent:

  ssh-add -L

• Start and enable a “work” agent:

  systemctl --user enable --now ssh-agent@work.service

• Check the status:

  systemctl --user status ssh-agent@work.service

• Add entries for work machines:

  Host work-workmachine-1
      HostName        XX.XX.XX.XX
      ForwardAgent    "/run/user/%i/work-agent.socket"
      ProxyJump       work-jump

• Add wildcard entry for work machines at bottom of ~/.ssh/config:

  Host work-*
      User            username
      IdentityFile    "%d/.ssh/work"
      IdentityAgent   "/run/user/%i/work-agent.socket"

• Add keys to “Work” agent:

  SSH_AUTH_SOCK="XDG_RUNTIME_DIR/work-agent.socket" ssh-add ~/.ssh/work

• List keys in “Work” agent:

  SSH_AUTH_SOCK="XDG_RUNTIME_DIR/work-agent.socket" ssh-add -L

• You can create a ssh directory in your $XDG_RUNTIME_DIR to contain the agent socket files.
• This is a good opportunity to make use of systemd's tmpfiles.d to create the directory at boot.
• Create directory to hold the config files:

  mkdir -p ~/.local/share/user-tmpfiles.d

• Create a configuration file:

  cat << EOF > ~/.local/share/user-tmpfiles.d/ssh-config.conf
  d %t/ssh 0700 - - -
  EOF

• Create the directory:

  systemd-tmpfiles --user --create

• Enable the tmpfiles service so it creates the directory at boot:

  systemctl --user enable --now systemd-tmpfiles-setup.service

• Enable the cleanup timer:

  systemctl --user enable --now systemd-tmpfiles-clean.timer 

• Edit the paths in the files above to add the ssh dir. For example:

  Environment=SSH_AUTH_SOCK=%t/ssh/ssh-agent.socket

That's the general idea and should get your system set up with as many ssh-agents as you would ever want to create. Enjoy!

• https://manpages.debian.org/stable/openssh-client/ssh-agent.1.en.html
• https://manpages.debian.org/stable/systemd/systemd.service.5.en.html#SERVICE_TEMPLATES
• https://manpages.debian.org/stable/systemd/systemd.unit.5.en.html#SPECIFIERS
• https://manpages.debian.org/stable/openssh-client/ssh-agent.1.en.html
• https://manpages.debian.org/stable/openssh-client/ssh_config.5.en.html
• https://manpages.debian.org/stable/openssh-client/ssh-add.1.en.html
• https://manpages.debian.org/stable/systemd/tmpfiles.d.5.en.html
• https://manpages.debian.org/stable/systemd/systemd-tmpfiles.8.en.html
• https://wikitech.wikimedia.org/wiki/Managing_multiple_SSH_agents
• https://unix.stackexchange.com/a/623559