How to detect if key ssh-add'ed with '-c' or without?

n3rd at Safe-mail.net n3rd at Safe-mail.net
Fri Aug 31 23:18:37 EST 2012


Damien, thank you for fast response!

OK, I will just keep a list of keys loaded with '-c' in some /tmp/file, and will correct it in the process.

-------- Original Message --------
From: Damien Miller <djm at mindrot.org>
To: n3rd at Safe-mail.net
Cc: openssh-unix-dev at mindrot.org
Subject: Re: How to detect if key ssh-add'ed with '-c' or without?
Date: Fri, 31 Aug 2012 22:49:32 +1000 (EST)

> On Fri, 31 Aug 2012, n3rd at Safe-mail.net wrote:
> 
> > Hi all. Some background: I'm using my own wrapper script for ssh that
> > deals with multitude of IP addresses, user accounts, keys and other
> > ssh parameters for bunch of managed hosts.
> >
> > On X session start I (actually, my script) load all my private keys
> > with 'ssh-add -c', to get confirmation on every key usage.
> >
> > This works badly with autossh, so I would like to add some logic: if I
> > specify to run autossh with some host/user/key, the script will reload
> > the private key without the -c option (asking me for the password). And maybe
> > at the end of the autossh session, reload the key back with 'ssh-add -c'.
> >
> > So, how can I detect if a key was loaded with the -c option or without?
> 
> You can't, and you won't without a protocol extension to ssh-agent.
> At the moment the key query message and responses don't have fields
> to indicate whether any constraints were set. See PROTOCOL.agent
> in the OpenSSH source for details.
> 
> It probably wouldn't be something that one would want to advertise to
> an attacker anyway, as stumbling over keys that require confirmation
> is the sort of thing that gives them away...
> 
> > My last guess is this: before actually starting autossh it's possible to
> > set some small script as SSH_ASKPASS, try to use the key, and if that
> > script is launched, it means I need to reload the key without '-c'.
> > Ugly.
> 
> Worse, it won't work - SSH_ASKPASS needs to be set for ssh-agent, not
> ssh-add. So you can't reset it easily like this.
> 
> > PS: BTW there is also no way to get key expiration time (if set
> > with 'ssh-add -t').
> 
> Same problem - expiration times are key constraints like confirm-required.
> 
> -d

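The protocol limitation Damien describes, shown as an added example (not code from this thread or from OpenSSH): a Python encoder for the SSH_AGENTC_ADD_ID_CONSTRAINED request and a parser for the SSH_AGENT_IDENTITIES_ANSWER reply, using the message and constraint numbers from PROTOCOL.agent. The key blobs and comments are constructed sample values and the private key encoding is passed through opaquely; the listing yields only fingerprint and comment, which is why a wrapper has to track its '-c' keys itself.

```python
import base64
import hashlib
import struct

SSH_AGENT_IDENTITIES_ANSWER = 12    # numbers from OpenSSH PROTOCOL.agent
SSH_AGENTC_ADD_ID_CONSTRAINED = 25
SSH_AGENT_CONSTRAIN_LIFETIME = 1
SSH_AGENT_CONSTRAIN_CONFIRM = 2

def _string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_add_id_constrained(key: bytes, comment: str, lifetime=None, confirm=False) -> bytes:
    """Client -> agent: constraints exist only here (`key` = opaque type-specific private key)."""
    body = bytes([SSH_AGENTC_ADD_ID_CONSTRAINED]) + key + _string(comment.encode())
    if lifetime is not None:
        body += bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    if confirm:
        body += bytes([SSH_AGENT_CONSTRAIN_CONFIRM])
    return _string(body)

def build_identities_answer(keys) -> bytes:
    """Agent -> client reply to REQUEST_IDENTITIES: per key only public blob + comment."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += _string(blob) + _string(comment.encode())
    return _string(body)

def parse_identities_answer(msg: bytes):
    """Return [(fingerprint, comment)], the same information `ssh-add -l` prints."""
    body, end = _read_string(msg, 0)
    if end != len(msg) or not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an IDENTITIES_ANSWER")
    (nkeys,) = struct.unpack(">I", body[1:5])
    off, out = 5, []
    for _ in range(nkeys):
        blob, off = _read_string(body, off)
        comment, off = _read_string(body, off)
        # OpenSSH fingerprint: unpadded base64 of SHA-256 over the public key blob.
        fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        out.append((fp, comment.decode()))
    if off != len(body):
        raise ValueError("trailing data after last key")
    return out
```

Whether a key was added with confirm or lifetime never appears in the parsed tuples, so a script must record the fingerprints it loaded with '-c' at the moment it runs ssh-add.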
