I've run into a similar situation. Looking at PROTOCOL.agent for SSH version 2, you can obtain the key blob with SSH2_AGENTC_REQUEST_IDENTITIES, and remove that identity with SSH2_AGENTC_REMOVE_IDENTITY. This means within the SSH agent protocol the key files are not needed to remove the key.

I have another use case for this functionality: I've written an SSH agent proxy which permits authorized users access to a common set of identities, and in some cases a user has access to too many identities to complete authentication in the permitted number of authentication attempts. In this case the proxy would not remove the shared identity, but temporarily block it from that user's view.

Dustin Lundquist

On Fri, Jan 1, 2016 at 9:43 PM, Matthew Boedicker <matthewm@xxxxxxxxxxxxx> wrote:
> ssh-agent does not allow you to remove individual keys without having the
> key file that was added. To remove these keys the user must remove all keys
> with ssh-add -D.
>
> Would a patch to make ssh-add skip the existence check for the file be
> considered?
>
> The specific use case is that a USB drive is mounted with the key, the key
> is added to the agent then the USB drive is unmounted.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
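The REQUEST_IDENTITIES / REMOVE_IDENTITY exchange Dustin describes, as an added Python example that is not part of this thread or of OpenSSH: it asks the agent on SSH_AUTH_SOCK for its loaded public key blobs and removes the ones whose comment matches, so a key added from a since-unmounted USB drive can be dropped without the key file. The message numbers are those from PROTOCOL.agent; the function names and the sample reply built in the test are this example's own.

```python
import os
import socket
import struct

# Message numbers from OpenSSH PROTOCOL.agent
SSH_AGENT_SUCCESS = 6
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
SSH2_AGENTC_REMOVE_IDENTITY = 18

def ssh_string(data: bytes) -> bytes:
    """SSH 'string' (uint32 big-endian length + bytes); whole messages are framed the same way."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)  # returns (value, offset after it)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_request_identities() -> bytes:
    return ssh_string(bytes([SSH2_AGENTC_REQUEST_IDENTITIES]))

def build_remove_identity(key_blob: bytes) -> bytes:
    # The agent identifies a key by its public blob; no key file is involved.
    return ssh_string(bytes([SSH2_AGENTC_REMOVE_IDENTITY]) + ssh_string(key_blob))

def parse_identities_answer(msg: bytes):
    """Parse an unframed IDENTITIES_ANSWER into a list of (blob, comment)."""
    if not msg or msg[0] != SSH2_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply: %r" % msg[:1])
    (nkeys,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(nkeys):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def agent_call(sock, framed: bytes) -> bytes:
    """Send one framed request; return the reply with its length prefix stripped."""
    sock.sendall(framed)
    with sock.makefile("rb") as f:  # closing this does not close the socket
        (n,) = struct.unpack(">I", f.read(4))
        return f.read(n)

def remove_by_comment(comment: str) -> int:
    """Remove every loaded key whose comment matches; returns how many were removed."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])  # the running agent's UNIX socket
        keys = parse_identities_answer(agent_call(s, build_request_identities()))
        return sum(agent_call(s, build_remove_identity(b))[:1] == bytes([SSH_AGENT_SUCCESS])
                   for b, c in keys if c == comment)
```

Run `ssh-add -l` afterwards to confirm the agent no longer lists the key; the comment is the one ssh-add stored (usually the key file path) when the key was loaded.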