Thanks Damien. It's good to know that this is possible and how to do it. It might be nice if ssh-add did this for you during ssh-add -d. Is there any reason it couldn't always get the key blob from the agent and send it back for removal instead of using the filesystem? On Sun, Jan 3, 2016 at 11:25 PM, Damien Miller <djm@xxxxxxxxxxx> wrote: > On Fri, 1 Jan 2016, Matthew Boedicker wrote: > > > ssh-agent does not allow you to remove individual keys without having the > > key file that was added. To remove these keys the user must remove all > keys > > with ssh-add -D. > > No, you only need the public key and you can get that from the agent > itself if you don't happen to have it laying around. > > [djm@fuyu tmp]$ ssh-keygen -q -t ed25519 -f k1 -N '' > [djm@fuyu tmp]$ ssh-keygen -q -t ed25519 -f k2 -N '' > [djm@fuyu tmp]$ ssh-add k1 k2 > Identity added: k1 (djm@xxxxxxxxxxxxxxxx) > Identity added: k2 (djm@xxxxxxxxxxxxxxxx) > [djm@fuyu tmp]$ ssh-add -L > ssh-ed25519 > AAAAC3NzaC1lZDI1NTE5AAAAIKJmyuVthrSvC6RMly/gJyAd1oFo8NggUUAV0JKvW9V4 > djm@xxxxxxxxxxxxxxxx > ssh-ed25519 > AAAAC3NzaC1lZDI1NTE5AAAAIFk1eV8abvdBGAJINxDZ2fK9btsLUlHmPL9DPBDhh/MP > djm@xxxxxxxxxxxxxxxx > [djm@fuyu tmp]$ rm k1* k2* > [djm@fuyu tmp]$ ssh-add -L | head -1 > k1.pub > [djm@fuyu tmp]$ ssh-add -d k1 > Identity removed: k1 (djm@xxxxxxxxxxxxxxxx) > [djm@fuyu tmp]$ ssh-add -L > ssh-ed25519 > AAAAC3NzaC1lZDI1NTE5AAAAIFk1eV8abvdBGAJINxDZ2fK9btsLUlHmPL9DPBDhh/MP > djm@xxxxxxxxxxxxxxxx > > -d > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev