How to detect if key ssh-add'ed with '-c' or without?

Damien Miller djm at
Fri Aug 31 22:49:32 EST 2012

On Fri, 31 Aug 2012, n3rd at wrote:

> Hi all. Some background: I'm using my own wrapper script for ssh that
> deals with multitude of IP addresses, user accounts, keys and other
> ssh parameters for bunch of managed hosts.
> On X session start i (actually, my script) load all my private keys
> with 'ssh-add -c', to get confirmation on every key usage.
> This works bad with autossh, so i would like to add some logic: if I
> specify to run autossh with some host/user/key, the scipt will reload
> the private key without -c option (asking me for password). And maybe
> at the end of autossh session, reload the key back with 'ssh-add -c'.
> So, how can i detect if key loaded with -c option or without?

You can't, and you won't without a protocol extension to ssh-agent.
At the moment the key query message and responses don't have fields
to indicate whether any constraints were set. See PROTOCOL.agent
in the OpenSSH source for details.

It probably wouldn't be something that one would want to advertise to
an attacker anyway, as stumbing over keys that require confirmation
is the sort of thing that gives them away...

> My last guess is such: before actually start autossh it's possible to
> set some small script at SSH_ASKPASS, try to use the key, and if that
> script is launched, it means i need to reload the key without '-c'.
> Ugly.

Worse, it won't work - SSH_ASKPASS needs to be set for ssh-agent, not
ssh-add. So you can't reset it easily like this.

> PS: BTW there is also no way to get key expiration time (if set
> with 'ssh-add -t').

Same problem - expiration times are key constrains like confirm-required.


More information about the openssh-unix-dev mailing list