How can I make SSH with an identity file always demand a password?

Nico Kadel-Garcia nkadel at
Sun Aug 22 13:21:49 AEST 2021

On Sat, Aug 21, 2021 at 5:32 PM hvjunk <hvjunk at> wrote:
> > On 21 Aug 2021, at 22:19 , matthewhtb at wrote:
> >
> > Hello,
> >
> > I hope my question is apt for this list.
> >
> > I am using OpenSSH_8.2p1 on Ubuntu 20.04.
> >
> > I connect to a remote SSH server with the -i /path/to/file identity file
> > option. My local machine asks me for a password for the identity file.
> > This is because I created a password when using ssh-keygen.
> >
> > However, after I exit from the SSH server, and log back in I am not asked
> > for a password. Some kind of caching is happening.
> It gets loaded into the ssh-agent for things ssh forwarding

Many window managers now include an ssh-agent by default. It can be
startling, and destructive when you need to use a particular key for
things like SSH keys for particular git repos.

> > Is there a way to force the password to be asked on every occasion when
> > using an identity file?
> unload it from the ssh agent, or remove the ssh agent.

Which OS and window manager are you using? The "ssh-agent -D" command
should always work, but some "wallets" will just keep reloading the
!@#$ keys when running your GUI. Ripping out that "wallet" by the
roots may help.

You might want to turn off "AddKeysToAgent" in your ~/.ssh/config
file, to keep from adding that key to your agents accidentally. Use
"man ssh_config" to review that documentation; it can be disabled for
all hosts or on a target basis.

> > I have searched but it looks as if everyone wants to avoid using
> > passwords, not deliberately attempting to use them.
> jumping twenty times an hour between 100 different instances behind jumphosts, you do tend to
> focus on only protecting the ssh-agent/key when you aren’t at your desk or the laptop/etc. gets stolen, not while you need to
> connect to lots of hosts to type in that 20+ character pass phrase.
> I recall there are various settings in the GUI/desktop managers to unload the keys when the screen locker activates

Those are often referred to as "wallets", and yeah. It's distinct from
wallet to wallet. A command to do "ssh-agent -D"
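
Added example, not part of the original message: a shell helper that reads the effective client settings printed by `ssh -G` and reports whether an agent can still answer for the key instead of a passphrase prompt. The function name, verdict strings and sample lines are constructed for illustration; `IdentityAgent` is an ssh_config option that the thread does not mention.

```shell
#!/bin/sh
# Classify "keyword value" lines as printed by `ssh -G <host>`.
# Real use (host is a placeholder):
#   ssh -G -i /path/to/file host | agent_verdict
# To bypass any agent for a single connection:
#   ssh -o IdentityAgent=none -o AddKeysToAgent=no -i /path/to/file host
agent_verdict() {
    awk '
        { key = tolower($1) }
        key == "identityagent"  { agent = $2 }
        key == "addkeystoagent" { add = tolower($2) }
        END {
            if (agent == "none") {
                # ssh never talks to an agent, so an encrypted key
                # needs its passphrase on every connection.
                print "prompt-every-time"
            } else if (add == "" || add == "no" || add == "false") {
                # ssh will not add the key itself, but an agent or
                # desktop wallet that already holds it can still answer.
                print "agent-may-answer"
            } else {
                # yes/true/ask/confirm: the key goes into the agent
                # after the first passphrase entry.
                print "key-cached-after-first-use"
            }
        }'
}

# Constructed sample input, not captured from a real system.
printf 'identityagent none\naddkeystoagent false\n' | agent_verdict
printf 'addkeystoagent false\n' | agent_verdict
printf 'identityagent SSH_AUTH_SOCK\naddkeystoagent true\n' | agent_verdict
```

Only the first verdict guarantees a prompt on every login; `ssh-add -l` shows which keys a running agent currently holds.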

More information about the openssh-unix-dev mailing list