Network Security Secure-Shell
Re: Defering passphrase entry with ssh-add

Subject: Re: Defering passphrase entry with ssh-add
Date: Wed, 21 Nov 2007 10:14:03 +0000

Perhaps the limitation is in the way that ssh communicates with the agent.

Chris
I suspect this is true: it checks for valid credentials in the agent but continues with the other preferred authentication mechanisms if none are found (i.e. the password prompt). I suspect it is not in the habit of calling the agent to add keys, only of checking whether it currently has keys. There are several drawbacks to ssh adding all the keys it found every time you tried an ssh session:

1. You could have unprotected keys being cached, a potential security threat, especially if someone else has root access to that machine: they would then have access to all your other machines too (and your own machines outside your company if you use the same key). Perhaps ssh itself needs to be adjusted to do this.

2. You could be prompted for a key passphrase, enter it, and the key may not be valid for that remote machine, so you'd get two password prompts for one connection, which is wasteful and annoying.

3. You could dismiss the passphrase prompt, causing the key loading to fail, and then be bothered by this thing retrying every single time you open an ssh connection, which for some of us is countless times a day...

The only way to prevent these conditions would be to be able to decide whether ssh tries to load keys at all, and this would require a switch of some kind, but I don't remember seeing such a switch anywhere.

So for now, I think the bash solution is the best one, until the ssh guys write this feature in, if it is not already in the package somewhere...

-h

Hari Sekhon
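The "bash solution" the thread refers to is not reproduced on this page. As an added example, not code from the thread or from OpenSSH, here is one way such a wrapper can be written so that it sidesteps the three drawbacks listed above: it only calls ssh-add when the agent is reachable but empty (so keys are never loaded blindly on every connection), it offers only the private keys that have a companion .pub file, and a failed or dismissed passphrase prompt leaves a marker file so the wrapper does not nag again in the same session. It relies on the documented exit status of `ssh-add -l` (0 when identities are present, 1 when the agent has no identities, 2 when the agent cannot be contacted); the function names, the marker path and the key directory argument are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or OpenSSH): only run ssh-add when it is needed.

# Map the exit status of `ssh-add -l` to an action (exit codes per ssh-add(1)):
#   0 -> agent reachable and already holds identities: nothing to do
#   1 -> agent reachable but empty: load keys now
#   2 -> agent not contactable: do not try to add, fall through to ssh
agent_action() {
  case "$1" in
    0) echo loaded ;;
    1) echo add ;;
    2) echo no-agent ;;
    *) echo unknown ;;
  esac
}

# List private keys in the given directory that have a matching .pub file.
# Takes the directory as an argument so it can be exercised on a temp dir.
candidate_keys() {
  local dir=$1 pub
  for pub in "$dir"/*.pub; do
    [ -e "$pub" ] || continue               # no .pub files: glob stayed literal
    [ -f "${pub%.pub}" ] && printf '%s\n' "${pub%.pub}"
  done
}

# Marker written when ssh-add fails (e.g. the passphrase prompt was dismissed);
# its presence suppresses further prompts until the agent socket changes.
# Assumed path, chosen for this example.
SKIP_MARKER="${TMPDIR:-/tmp}/ssh-add-skip.${SSH_AUTH_SOCK##*/}"

# Wrapper: add keys only if the agent is empty, then run the real ssh.
ssh_with_agent() {
  local status action key
  ssh-add -l >/dev/null 2>&1
  status=$?
  action=$(agent_action "$status")
  case "$action" in
    add)
      if [ ! -e "$SKIP_MARKER" ]; then
        candidate_keys "$HOME/.ssh" | while IFS= read -r key; do
          # A failed add (wrong or dismissed passphrase) sets the marker so
          # the next ssh invocation does not prompt again.
          ssh-add "$key" || { touch "$SKIP_MARKER"; break; }
        done
      fi
      ;;
    no-agent)
      echo "ssh_with_agent: no agent reachable, continuing without agent keys" >&2
      ;;
  esac
  command ssh "$@"
}
```

Usage: source the file and call `ssh_with_agent host`, or define `alias ssh=ssh_with_agent` in your shell profile. Remove the marker file (or start a new agent, which changes the socket name) to be prompted again.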
