Tags: git, github, ssh-keys, ssh-agent

Can we skip the part about "Adding your SSH key to the ssh-agent" but just generate the key and add to GitHub?


I have always just generated the ssh key, and then add it to GitHub and it is done: I can clone or push to GitHub and do all the tasks.

But nowadays I see "Adding your SSH key to the ssh-agent", and I can skip the whole part and everything still seems to work. Why is this needed and what happens if this step is not done?


Solution

  • You do not have to use an SSH agent.

    There are often some good reasons to use an agent. Much of this depends on how much you trust each computer in the chain of computers you use, as you go from whichever system you're running your interactive shell command session on, to the one you run git fetch or whatever other command on.

    See the answer phd linked, or the full question and answer over on https://unix.stackexchange.com/q/72552/162084, for a description of what the agent does for you.

    The one constant here is that you must trust at least one machine to hold your private key (of the private/public key-pair) for you. You can encrypt the private key as well, so that you don't have to trust that machine 100%—you need only trust it enough to get the encrypted key installed in the first place.

    If you have encrypted the key, you must enter the password/passphrase to decrypt it every time you need it. Using the agent, you can decrypt the key once into the agent, then let the agent deal with it.

    If you use a chain of computers, you can use ssh <machine> and let agent forwarding send various key-oriented requests back to the original machine (on which you've decrypted a key into an agent). These requests themselves don't actually send the key, so that the private key remains secret, now known only to you and the agent. (Well, you, the agent, and any spies that have corrupted you and/or the agent and/or inserted a covert channel at any point at which it's possible to capture the secret key.)

    If you have not encrypted your private key and have it stored directly on the computer that is issuing Git operations to GitHub, there's no need for an agent. If you're using a deploy key for a machine user you probably just want to store this private key unencrypted: the purpose of such a key is to allow processes on the machine to access it without any extra hoop-jumping. But the relatively low security level of such a key is why it's a machine user and deploy key that is only used by this one system: if it becomes compromised, you just throw it away and generate a new deploy key. Only the machine uses it so the machine automatically uses the new one.
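The "decrypt the key once into the agent" workflow from the answer, as an added stand-alone demonstration (not code from the answer above): it generates a passphrase-protected key, loads it into a private agent without a terminal prompt, and checks that the agent now holds it. It assumes the OpenSSH client tools (ssh-keygen, ssh-agent, ssh-add) are installed; the passphrase, comment and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes OpenSSH client tools.
# The passphrase 'demo-passphrase' and the key comment are constructed values.

# Generate an encrypted (passphrase-protected) ed25519 key in a scratch dir.
# Prints the private key path on stdout.
make_encrypted_key() {
  dir=$(mktemp -d)
  ssh-keygen -q -t ed25519 -N 'demo-passphrase' -C 'demo@example' \
    -f "$dir/id_ed25519" </dev/null
  echo "$dir/id_ed25519"
}

# Decrypt the key once into a fresh agent and report how many keys it holds.
# The passphrase is supplied through an SSH_ASKPASS helper, the same
# non-interactive path desktop keyring helpers use, so no tty is needed.
# Prints "loaded=<n>".
load_key_into_agent() {
  key=$1
  askpass=$(mktemp)
  printf '#!/bin/sh\necho demo-passphrase\n' > "$askpass"
  chmod 700 "$askpass"
  # Start a private agent; eval exports SSH_AUTH_SOCK and SSH_AGENT_PID.
  eval "$(ssh-agent -s)" >/dev/null
  # SSH_ASKPASS_REQUIRE=force (OpenSSH 8.4+) makes ssh-add use the helper;
  # older releases fall back to it when DISPLAY is set and stdin is not a tty.
  DISPLAY=:0 SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force \
    ssh-add "$key" </dev/null 2>/dev/null
  n=$(ssh-add -l | grep -c 'ED25519')
  # Later ssh/git invocations would now ask the agent to sign for this key;
  # the decrypted key never leaves the agent process. Forwarding (ssh -A or
  # ForwardAgent yes) lets remote hosts send such signing requests back here,
  # which is why the answer ties it to how far you trust each hop.
  ssh-agent -k >/dev/null   # kill the agent; the decrypted key dies with it
  rm -f "$askpass"
  echo "loaded=$n"
}
```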