obsidian/wiki/concepts/ssh-agent-passphrase-key.md
2026-05-09 17:44:30 +01:00

---
title: SSH Keys with Passphrases Require ssh-add
aliases:
  - ssh-add passphrase
  - no identity pubkey loaded
  - ssh agent keychain
  - ssh AddKeysToAgent
tags:
  - ssh
  - git
  - forgejo
  - homelab
  - dotfiles
  - fish
sources:
  - daily/2026-04-30.md
created: 2026-04-30
updated: 2026-04-30
---

# SSH Keys with Passphrases Require ssh-add

A passphrase-protected SSH key is not usable silently just because it is listed under `IdentityFile` in `~/.ssh/config`: the passphrase has to come from somewhere on every connection. With no agent holding the decrypted key, ssh prompts each time, and where no prompt is possible (git invoked from a tool, a shell without a TTY and without `SSH_ASKPASS`) the key is skipped and authentication fails. The key must be loaded into ssh-agent first via `ssh-add`. In this case the diagnostic signal in verbose output (`ssh -vvv`) was `no identity pubkey loaded`, meaning the private key was not available from the agent. The permanent fix is adding `AddKeysToAgent yes` and `UseKeychain yes` to `~/.ssh/config`.

## Key Points

- `no identity pubkey loaded` in `ssh -vvv` output means the private key was not available from the agent; for a passphrase-protected key that means it has not yet been added to ssh-agent
- `ssh-add ~/.ssh/<keyname>` loads the key for the current session (one passphrase prompt); `ssh-add -l` lists what the agent currently holds
- `AddKeysToAgent yes` in `~/.ssh/config` makes ssh add the key to the agent the first time it is used (one prompt per agent lifetime); it needs an agent already reachable via `SSH_AUTH_SOCK`
- `UseKeychain yes` (macOS only) stores the passphrase in the system Keychain, so after a reboot the first use loads it without re-prompting
- Forgejo SSH is on port 222, not 22 — host: git.ai-impress.com; key: ~/.ssh/Forgejo

## Details

### Diagnostic flow

```bash
# Test with verbose output to see what's happening
ssh -vvv -T git@git.ai-impress.com -p 222

# Key symptoms in output:
# "no identity pubkey loaded"     → key not available from the agent (passphrase key not yet ssh-add'ed)
# "Permission denied (publickey)" → the server accepted none of the keys that were offered; check that an
#                                   "Offering public key:" line names ~/.ssh/Forgejo and that its public key
#                                   is registered on the Forgejo account
```

### Session fix

```bash
# Load the key into the agent for the current session
ssh-add ~/.ssh/Forgejo
# Prompts for the passphrase once; the key is usable for the rest of the session
```

### Permanent fix — ~/.ssh/config

```
Host git.ai-impress.com
    HostName git.ai-impress.com
    User git
    Port 222
    IdentityFile ~/.ssh/Forgejo
    AddKeysToAgent yes
    UseKeychain yes
```

With `AddKeysToAgent yes`, the first SSH use in a session prompts for the passphrase and adds the decrypted key to the agent automatically, so no manual `ssh-add` is needed. This only helps when an agent is already reachable through `SSH_AUTH_SOCK`; without one, ssh simply prompts on every connection. With `UseKeychain yes` on macOS, the passphrase is persisted in the Keychain across reboots. `UseKeychain` is an Apple-only keyword: stock OpenSSH on Linux aborts with `Bad configuration option: usekeychain`, so if this config is shared across machines through dotfiles, put `IgnoreUnknown UseKeychain` above it.
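As an added example (not part of the original note), the following bash script ties the diagnostic and session-fix steps together: it interprets the exit status of `ssh-add -l` to tell "no agent reachable" apart from "agent running but missing this key", compares the Forgejo key's fingerprint against the agent listing before calling `ssh-add`, and classifies an `ssh -vvv` transcript by the two symptoms listed above. The key path, host and port are the note's own; the debug transcripts embedded in it are constructed samples, not output captured from a session, and the live section only runs when the script is invoked with `--live`.

```shell
#!/usr/bin/env bash
# Added example, not from the original note: check whether the Forgejo key is
# held by a live ssh-agent and load it only when needed. Key path, host and
# port come from the note; the sample debug transcripts below are constructed.

KEY="${SSH_KEY:-$HOME/.ssh/Forgejo}"   # assumes the .pub sibling exists

# Map the exit status of `ssh-add -l` to a state. OpenSSH documents:
# 0 = keys listed, 1 = agent reachable but empty, 2 = cannot contact an agent
# (SSH_AUTH_SOCK unset, or pointing at a socket whose agent has exited).
agent_state() {
  case "$1" in
    0) echo agent-with-keys ;;
    1) echo agent-empty ;;
    2) echo no-agent ;;
    *) echo unknown ;;
  esac
}

# True if the `ssh-add -l` listing ($1) contains fingerprint $2
# (the SHA256:... field printed by `ssh-keygen -lf "$KEY.pub"`).
key_in_agent() {
  printf '%s\n' "$1" | grep -qF -- "$2"
}

# Read ssh -vvv output ($1) and name the failure the note describes.
# "no identity pubkey loaded" is checked first because it explains a
# "Permission denied" that follows it.
classify_debug() {
  if printf '%s\n' "$1" | grep -q 'no identity pubkey loaded'; then
    echo key-not-in-agent
  elif printf '%s\n' "$1" | grep -q 'Permission denied (publickey)'; then
    if printf '%s\n' "$1" | grep -q 'Offering public key:'; then
      echo server-rejected-offered-key   # key was offered; is it registered on the account?
    else
      echo no-key-offered                # nothing was offered; check IdentityFile for this host
    fi
  else
    echo no-known-symptom
  fi
}

# Constructed sample transcripts (debug-level prefixes illustrative).
SAMPLE_NOT_LOADED='debug1: Trying private key: /Users/me/.ssh/Forgejo
debug3: no identity pubkey loaded
git@git.ai-impress.com: Permission denied (publickey).'
SAMPLE_REJECTED='debug1: Offering public key: /Users/me/.ssh/Forgejo ED25519 SHA256:abc
git@git.ai-impress.com: Permission denied (publickey).'

# Live mode: run as `bash ssh-agent-check.sh --live`
if [ "${1:-}" = "--live" ]; then
  listing=$(ssh-add -l 2>/dev/null); rc=$?
  state=$(agent_state "$rc")
  echo "agent: $state"
  if [ "$state" = no-agent ]; then
    echo 'no reachable agent: start one (eval "$(ssh-agent -s)") before relying on AddKeysToAgent' >&2
    exit 2
  fi
  fp=$(ssh-keygen -lf "$KEY.pub" | awk '{print $2}')
  if key_in_agent "$listing" "$fp"; then
    echo "key already loaded: $fp"
  else
    echo "loading $KEY (one passphrase prompt)"
    ssh-add "$KEY"
  fi
  ssh -T -p 222 git@git.ai-impress.com
fi
```

Run it with `--live` from a shell that has `SSH_AUTH_SOCK` set; the exit-status mapping is the part worth remembering, since a stale socket (state 2) and an empty agent (state 1) both end in the same passphrase prompt but need different fixes.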

### Fish shell note

Fish does not read `/etc/profile` or `~/.bashrc`, so an ssh-agent started from a bash-style init file never exports `SSH_AUTH_SOCK` into a Fish session, and `AddKeysToAgent` then has no agent to add to (ssh falls back to prompting on every connection). On macOS the launchd user agent already publishes `SSH_AUTH_SOCK` to every login session, so this is mainly a Linux concern. A `~/.config/fish/conf.d/ssh-agent.fish` snippet can start an agent only when none is reachable, which also covers a stale `SSH_AUTH_SOCK` left over from a previous session:

```fish
# Start an agent only if none answers. ssh-add -l exits 2 when it cannot
# contact an agent (SSH_AUTH_SOCK unset or stale); 0 or 1 means one is live.
ssh-add -l >/dev/null 2>&1
if test $status -eq 2
    eval (ssh-agent -c) >/dev/null
end
```

## Sources

- daily/2026-04-30.md — Forgejo SSH key ~/.ssh/Forgejo wasn't loading; `no identity pubkey loaded` diagnosed the passphrase+agent issue; `ssh-add` fixed it for the session; `AddKeysToAgent yes` + `UseKeychain yes` added to ~/.ssh/config for persistence