SSH - Public Key Authentication


authorized key - public key permitted for logging in
identity key, identity - private key
default identities - ~/.ssh/id_rsa, ~/.ssh/id_dsa, etc.

  1. https://www.ssh.com/ssh/public-key-authentication
  2. https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.foto100/pkauth.htm
  3. https://wiki.archlinux.org/index.php/SSH_keys

https://www.ssh.com/ssh/public-key-authentication

The SSH protocol supports many authentication methods. Arguably one of the most important of these is public key authentication for interactive and automated connections.

flow

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.foto100/pkauth.htm

When the user logs in, ssh tells the server which key pair it would like to use for authentication. The client proves that it has access to the private key and the server checks that the corresponding public key is authorized to accept the account.

Each host entry in the SSH config (~/.ssh/config) has an IdentityFile option, which specifies the path to the identity file for that host.

The SSH client uses the SSH config to decide which identity to use: it looks up the requested host in the config and reads its IdentityFile option.

The SSH client then asks the SSH agent to provide this identity to authenticate the login to the remote server - AFAIU the identity is identified either by its file path or by the corresponding public key (both are shown in ssh-add -L output).
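As an added illustration of the lookup described above (not code from the page or from OpenSSH), the following Python walks a constructed ~/.ssh/config the way the client does and reports which IdentityFile entries ssh would offer for a given host; the config contents, DEFAULT_IDENTITIES and the function names are assumptions for this example.

```python
"""Resolve the IdentityFile list ssh would try for a host by walking an
ssh_config the way the client does. Added example; the sample config is
constructed and the function names are mine, not OpenSSH's."""
import fnmatch
from typing import Dict, List, Tuple

# Identities ssh falls back to when no IdentityFile is configured anywhere.
DEFAULT_IDENTITIES = [
    "~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519", "~/.ssh/id_dsa",
]

# Constructed sample ~/.ssh/config (not taken from any real machine).
SAMPLE_CONFIG = """\
# dedicated key for the bastion; offer nothing else to that host
Host bastion
    HostName bastion.example.internal
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes

# every other internal host shares one key
Host *.example.internal !bastion.example.internal
    IdentityFile ~/.ssh/id_ed25519_internal

Host *
    IdentityFile ~/.ssh/id_rsa
"""

Block = Tuple[List[str], List[Tuple[str, str]]]


def parse_config(text: str) -> List[Block]:
    """Split ssh_config text into (host_patterns, [(option, value), ...]).
    Options before the first Host line apply to every host."""
    blocks: List[Block] = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                # option names are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def host_matches(patterns: List[str], host: str) -> bool:
    """Host-line semantics: some positive pattern must match and no '!'
    pattern may match. ssh only knows '*' and '?' as wildcards; fnmatch
    also understands '[...]', which does not matter for the sample here."""
    host = host.lower()
    positive = negative = False
    for pat in patterns:
        if pat.startswith("!"):
            negative |= fnmatch.fnmatchcase(host, pat[1:].lower())
        else:
            positive |= fnmatch.fnmatchcase(host, pat.lower())
    return positive and not negative


def resolve(text: str, host: str) -> Dict[str, object]:
    """Identities ssh would offer for the host name typed on the command
    line (Host patterns match that alias, not HostName). IdentityFile
    accumulates across every matching block and all are tried in order;
    IdentitiesOnly, like most options, keeps the first value seen."""
    identity_files: List[str] = []
    identities_only = None
    for patterns, options in parse_config(text):
        if not host_matches(patterns, host):
            continue
        for key, value in options:
            if key == "identityfile" and value not in identity_files:
                identity_files.append(value)
            elif key == "identitiesonly" and identities_only is None:
                identities_only = value.lower() == "yes"
    if not identity_files:
        identity_files = list(DEFAULT_IDENTITIES)
    return {"identity_files": identity_files,
            "identities_only": bool(identities_only)}


if __name__ == "__main__":
    for h in ("bastion", "db1.example.internal", "bastion.example.internal"):
        print(h, resolve(SAMPLE_CONFIG, h))
```

On a real machine the authoritative check is `ssh -G host`, which prints the effective configuration including every identityfile line. The IdentitiesOnly line in the sample matters: without it the client also offers every key loaded in the agent, which advertises unrelated public keys to the server and can exhaust the server's MaxAuthTries before the intended key is tried.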

SSH agent

man 1 ssh-agent

The agent will never send a private key over its request channel. Instead, operations that require a private key will be performed by the agent, and the result will be returned to the requester. This way, private keys are not exposed to clients using the agent.
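To make the man page's point concrete, here is an added example (not code from the page or from OpenSSH) that builds and parses SSH agent protocol messages offline: the client can only ask the agent to list identities or to sign data, and no message type returns a private key. The key blob and comment are constructed test data, and a live agent at SSH_AUTH_SOCK is contacted only if that variable is set.

```python
"""SSH agent protocol messages (draft-miller-ssh-agent) built and parsed
offline. Added example, not code from the page or from OpenSSH; the key blob
and comment below are constructed test data."""
import socket
import struct
from typing import List, Tuple

# Message numbers a client may send: list keys, or ask for a signature.
# There is no message that returns a private key.
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one SSH 'string' at `off`, bounds-checked so a truncated or
    malformed reply raises instead of being silently misparsed."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string length exceeds message")
    return buf[off:off + n], off + n


def frame(body: bytes) -> bytes:
    """Every agent message on the socket is uint32 length + body."""
    return put_string(body)


def request_identities() -> bytes:
    """The request behind `ssh-add -L`: a single message byte."""
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Ask the agent to sign `data` with the key named by its *public* key
    blob. This request goes in and a signature comes back; the private key
    stays inside the agent process."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(key_blob)
            + put_string(data) + struct.pack(">I", flags))
    return frame(body)


def build_identities_answer(keys: List[Tuple[bytes, str]]) -> bytes:
    """Body an agent returns for REQUEST_IDENTITIES (used here to construct
    test data in the same layout the agent uses)."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += put_string(blob) + put_string(comment.encode())
    return body


def parse_identities_answer(msg: bytes) -> List[Tuple[bytes, str]]:
    """Decode an unframed IDENTITIES_ANSWER into [(public_key_blob, comment)].
    The comment is where `ssh-add -L` shows the file path the key came from."""
    if len(msg) < 5 or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = get_string(msg, off)
        comment, off = get_string(msg, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    if off != len(msg):
        raise ValueError("trailing bytes after last identity")
    return keys


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def list_agent_identities(sock_path: str) -> List[Tuple[bytes, str]]:
    """Round-trip REQUEST_IDENTITIES against a live agent at SSH_AUTH_SOCK."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(request_identities())
        (n,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities_answer(_recv_exact(s, n))


# Constructed ed25519 public key blob (all-zero key bytes, illustration only).
SAMPLE_BLOB = put_string(b"ssh-ed25519") + put_string(bytes(32))
SAMPLE_ANSWER = build_identities_answer([(SAMPLE_BLOB, "/home/user/.ssh/id_ed25519")])

if __name__ == "__main__":
    import os
    for blob, comment in parse_identities_answer(SAMPLE_ANSWER):
        print(len(blob), "byte blob", comment)
    if os.environ.get("SSH_AUTH_SOCK"):
        for blob, comment in list_agent_identities(os.environ["SSH_AUTH_SOCK"]):
            print(len(blob), "byte blob", comment)
```

The bounds checks in get_string and parse_identities_answer are the defensive part: anything speaking to the agent socket (including a forwarded agent on a remote host) is parsing length-prefixed data from the other side, so a reply must never be trusted to describe its own size.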

UPDATE (2019-07-01)

The SSH agent is started automatically upon first use of ssh - there’s no need to set anything up.

manual setup

automatic setup