This works great on my Debian Bullseye / i3wm system. I don't see why this wouldn't work on other distros / DEs but YMMV.
/etc/systemd/user/ssh-agent@.service:

sudo mkdir -p /etc/systemd/user/
cat << EOF | sudo tee /etc/systemd/user/ssh-agent@.service
[Unit]
Description=SSH authentication agent for %I
Before=default.target

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/%i-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a %t/%i-agent.socket
SuccessExitStatus=2

[Install]
WantedBy=default.target

# vim: ft=dosini ts=2 sts=2 sw=2 sr et
EOF
~/.config/systemd/user/ssh-agent@.service:

mkdir -p ~/.config/systemd/user/
cat << EOF > ~/.config/systemd/user/ssh-agent@.service
[Unit]
Description=SSH authentication agent for %I
Before=default.target

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/%i-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a %t/%i-agent.socket
SuccessExitStatus=2

[Install]
WantedBy=default.target

# vim: ft=dosini ts=2 sts=2 sw=2 sr et
EOF
systemctl --user enable --now ssh-agent@<name>.service
systemctl --user status ssh-agent@<name>.service
systemctl --user stop ssh-agent@<name>.service
foo
and another bar:

systemctl --user enable --now ssh-agent@foo.service
systemctl --user enable --now ssh-agent@bar.service

"$XDG_RUNTIME_DIR/foo-agent.socket"
"$XDG_RUNTIME_DIR/bar-agent.socket"
(~/.profile, ~/.bash_profile, etc):

socketpath="$XDG_RUNTIME_DIR/<name>-agent.socket"
if [ -S "$socketpath" ]; then
  export SSH_AUTH_SOCK="$socketpath"
fi
~/.ssh/config:

Host myhost
  ...
  AddKeysToAgent yes
  IdentityAgent "/run/user/%i/<name>-agent.socket"
  IdentitiesOnly yes

~/.ssh/config:

Host myhost
  ...
  AddKeysToAgent yes
  ForwardAgent "/run/user/%i/<name>-agent.socket"
  IdentityAgent "/run/user/%i/<name>-agent.socket"
  IdentitiesOnly yes
$SSH_AUTH_SOCK is set to by default.

ssh-add ~/.ssh/ed_25519
ssh-add -L
ssh-add -D
SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/<name>-agent.socket" ssh-add ~/.ssh/work
SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/<name>-agent.socket" ssh-add -L
SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/<name>-agent.socket" ssh-add -D
Configuring IdentityAgent and AddKeysToAgent in ~/.ssh/config will automatically add the key to the correct agent when you use it.
/etc/X11/Xsession.options to stop it from starting:

sudo sed -i 's/^use-ssh-agent$/# use-ssh-agent/g' /etc/X11/Xsession.options
ssh-add -L will only list keys in $SSH_AUTH_SOCK.

SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/<name>-agent.socket" ssh-add -L
# DISPLAY required for ssh-askpass to work
Environment=DISPLAY=:0

2:

SuccessExitStatus=2

- to suppress this behavior:

ExecStart=-/usr/bin/ssh-agent -D -a %t/%i-agent.socket
loginctl enable-linger <user>
After following the steps above, as an example I'll create a “default” agent for my everyday ssh keys and a “work” agent for my work ssh keys.
systemctl --user enable --now ssh-agent@ssh.service
systemctl --user status ssh-agent@ssh.service
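# Quote the heredoc delimiter so $XDG_RUNTIME_DIR and $socketpath are written
# to ~/.profile literally instead of being expanded when this command runs.
cat << 'EOF' >> ~/.profile
socketpath="$XDG_RUNTIME_DIR/ssh-agent.socket"
if [ -S "$socketpath" ]; then
  export SSH_AUTH_SOCK="$socketpath"
fi
EOF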
source ~/.profile
ssh-add ~/.ssh/key
ssh-add -L
systemctl --user enable --now ssh-agent@work.service
systemctl --user status ssh-agent@work.service
Host work-workmachine-1
  HostName XX.XX.XX.XX
  ForwardAgent "/run/user/%i/work-agent.socket"
  ProxyJump work-jump

~/.ssh/config:

Host work-*
  User username
  IdentityFile "%d/.ssh/work"
  IdentityAgent "/run/user/%i/work-agent.socket"
SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/work-agent.socket" ssh-add ~/.ssh/work
SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/work-agent.socket" ssh-add -L
Configuring IdentityAgent and AddKeysToAgent in ~/.ssh/config will add the key to the correct agent when you first use it.
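
To confirm that the agents set up above are isolated as intended, the following added example (not part of the original page) checks each agent's socket and lists the keys it holds. It assumes the `%t/%i-agent.socket` naming from the unit file and GNU `stat`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): audit the per-instance agent
# sockets that ssh-agent@<name>.service creates.
# Assumption: sockets follow the unit's naming, $XDG_RUNTIME_DIR/<name>-agent.socket.
# Function names are hypothetical. Uses GNU stat (coreutils), as on Debian.

# Print the socket path for an agent instance name.
agent_socket_path() {
    printf '%s/%s-agent.socket\n' "${XDG_RUNTIME_DIR:?XDG_RUNTIME_DIR is not set}" "$1"
}

# Succeed only if the path is a socket owned by the current user with no
# group/other permission bits (ssh-agent itself creates it as 0600).
agent_socket_ok() {
    sock=$1
    [ -S "$sock" ] || { echo "NOT-A-SOCKET $sock"; return 1; }
    [ "$(stat -c '%u' "$sock")" = "$(id -u)" ] || { echo "NOT-OWNED $sock"; return 1; }
    mode=$(stat -c '%a' "$sock")
    case $mode in
        *00) echo "OK $sock" ;;
        *)   echo "LOOSE-MODE $mode $sock"; return 1 ;;
    esac
}

# Check each named agent, then list the key fingerprints it holds so you can
# confirm that, say, work keys live only in the work agent.
audit_agents() {
    rc=0
    for name in "$@"; do
        path=$(agent_socket_path "$name")
        if agent_socket_ok "$path"; then
            # ssh-add -l exits 1 for an empty agent and 2 if it cannot connect.
            SSH_AUTH_SOCK=$path ssh-add -l 2>&1 | sed "s/^/  [$name] /"
        else
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh audit-agents.sh ssh work
if [ "$#" -gt 0 ]; then
    audit_agents "$@"
fi
```
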
ssh directory in your $XDG_RUNTIME_DIR to contain the agent socket files.
tmpfiles.d to create the directory at boot.

mkdir -p ~/.local/share/user-tmpfiles.d
cat << EOF > ~/.local/share/user-tmpfiles.d/ssh-config.conf
d %t/ssh 0700 - - -
EOF
systemd-tmpfiles --user --create
systemctl --user enable --now systemd-tmpfiles-setup.service
systemctl --user enable --now systemd-tmpfiles-clean.timer
ssh dir. For example:

Environment=SSH_AUTH_SOCK=%t/ssh/ssh-agent.socket
For multi-user systems, make sure to add/configure files in /etc/skel so the agent dependencies are set up during user creation.
That's the general idea and should get your system set up with as many ssh-agents as you would ever want to create. Enjoy!