Setting up Systemd to spawn ssh-agent and adding your keys

In this post I will show how you can configure ssh-agent to spawn from systemd and add your keys upon login

I’m using bastion hosts for my cloud infra and found this little hack to systemd to setup ssh-agent for my auth forwarding.

what is it?


systemd is an init system used in Linux distributions to bootstrap the user space and manage all processes subsequently, instead of the UNIX System V or Berkeley Software Distribution (BSD) init systems. The name systemd adheres to the Unix convention of naming daemons by appending the letter d.


SSH is a protocol allowing secure remote login to a computer on a network using public-key cryptography. … Therefore, users run a program called ssh-agent that runs the duration of a local login session, stores unencrypted keys in memory, and communicates with SSH clients using a Unix domain socket.

where to start

Create a systemd user service, by putting the following to ~/.config/systemd/user/ssh-agent.service:

Description=SSH key agent

ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK


Setup shell to have an environment variable for the socket (.bash_profile, .zshrc, …):

echo 'export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"' >> ~/.bash_profile

Enable the service, so it’ll be started automatically on login, and start it:

systemctl --user enable ssh-agent
systemctl --user start ssh-agent

Add the following configuration setting to your ssh config file ~/.ssh/config (this works since SSH 7.2):

echo 'AddKeysToAgent  yes' >> ~/.ssh/config

This will instruct the ssh client to always add the key to a running agent, so there’s no need to ssh-add it beforehand.