added 378 characters in body
ilkkachu

Basically, what ssh-agent does, is that it starts itself in the background, and prints a bunch of environment variables that the ssh client utility uses to know how to reach the agent (mostly the path of the socket in SSH_AUTH_SOCK). If you start the agent again, you get multiple copies running, but you can usually reach only one from a single shell... (check with something like ps uax | grep agent to see how many you are running.) When ssh-add is run, it contacts the agent, and asks it to read a key to memory. After that any ssh clients that connect to the same ssh-agent instance can take advantage of the saved key.


Couple of choices to run only one ssh-agent:

  1. Start ssh-agent before you start your tmux session (or screen for that matter). The environment variables set at that point should be inherited to all shells you run under tmux or screen. (I don't know if tmux needs special configuration to not clean environment variables.)

     I've been (the wrong type of) lazy, so I've just done that manually each time before starting my screen session, but it would be easy to create a script to both start the agent and then the screen/tmux session.

     If you consider something like a graphical desktop environment, you should start the agent when the DE starts, if possible, so that the environment variables will be available to any terminals you start.

  2. Your system may already start an ssh-agent when you log in. In that case you should be able to just ssh-add keys to it without starting a new copy of the agent. In particular OS X starts an agent when logging in, and has modified SSH tools that ask for the key passphrase through the GUI and automatically save keys used on the ssh command to the agent. You can also use ssh-add as usual.

  3. If you want to use a single agent from completely separate shells (and therefore cannot inherit the environment variables), check if the agent is running from your shell's startup scripts, and start it if not. Either save the agent's socket address to a file, or use a fixed path to the socket.

In any case, the issue is with pointing the environment variables to the same ssh-agent. Any keys you add to one instance of the agent should be visible to all users of the same agent, regardless of what shell you ssh-add them from.

As an aside, ssh-add can take an argument to define how long the keys shall be saved: running ssh-add -t 3600 my-key-file will tell the agent to forget about the key after an hour. This may be useful to reduce the time during which the keys are unencrypted in memory.
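The check-then-start script that the last option describes, as an added example that is not part of the original answer: it reuses an agent that is already reachable, otherwise reloads the variables that an earlier `ssh-agent -s` run saved to a file, and starts a new agent only when neither answers. The file path `~/.ssh/agent.env` and the `agent_*` function names are this example's own assumptions, not anything ssh-agent defines.

```shell
#!/bin/sh
# Added example, not code from the original answer: a sourceable helper that
# keeps a single ssh-agent per login. It reuses an agent that is already
# reachable (inherited SSH_AUTH_SOCK, e.g. from the desktop session or tmux),
# otherwise reloads the variables saved in AGENT_ENV_FILE, and only starts a
# new agent when neither of those answers. The file path and the function
# names below are this example's own choices, not anything ssh-agent defines.

AGENT_ENV_FILE="${AGENT_ENV_FILE:-$HOME/.ssh/agent.env}"

# Pull SSH_AUTH_SOCK and SSH_AGENT_PID out of the file written by `ssh-agent -s`
# (lines of the form "SSH_AUTH_SOCK=/path; export SSH_AUTH_SOCK;"). Only those
# two assignments are read; the file is never sourced, so a modified file
# cannot run commands in the shell that loads it.
agent_env_load() {
    [ -r "$1" ] || return 1
    _sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1" | head -n 1)
    _pid=$(sed -n 's/^SSH_AGENT_PID=\([0-9][0-9]*\);.*/\1/p' "$1" | head -n 1)
    [ -n "$_sock" ] && [ -n "$_pid" ] || return 1
    SSH_AUTH_SOCK=$_sock
    SSH_AGENT_PID=$_pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# True when the agent behind $SSH_AUTH_SOCK actually answers. `ssh-add -l`
# exits 2 when it cannot contact the agent (0 = keys listed, 1 = agent holds
# no keys), so anything but 2 means the socket is live. Without ssh-add,
# fall back to checking that the saved pid still exists.
agent_is_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    if command -v ssh-add >/dev/null 2>&1; then
        _rc=0
        ssh-add -l >/dev/null 2>&1 || _rc=$?
        [ "$_rc" -ne 2 ]
    else
        [ -n "${SSH_AGENT_PID:-}" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
    fi
}

# Start a fresh agent and record its variables with owner-only permissions
# (the subshell keeps the umask change out of the interactive shell).
agent_start() {
    ( umask 077 && mkdir -p "$(dirname "$1")" && ssh-agent -s > "$1" ) || return 1
    agent_env_load "$1"
}

# Reuse an inherited agent first, then a saved one, and start a new one last.
agent_ensure() {
    if [ -n "${SSH_AUTH_SOCK:-}" ] && agent_is_alive; then
        return 0
    fi
    if agent_env_load "$AGENT_ENV_FILE" && agent_is_alive; then
        return 0
    fi
    agent_start "$AGENT_ENV_FILE"
}

# Usage, e.g. in ~/.profile:        . ~/.ssh/agent.sh && agent_ensure
# then load a key for one hour, as in the answer:   ssh-add -t 3600 my-key-file
```

Sourcing the file (with `.`) rather than running it is what lets the exported variables land in the interactive shell, which is the whole point the answer makes. The fixed-socket alternative named in the last option works with the same liveness check: start the agent with `ssh-agent -a /path/to/socket` and set `SSH_AUTH_SOCK` to that path in the startup script instead of reading it from a file.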
