I'd like to use a key-based ssh login with a passphrase being prompted every time I log in. I'm asking in regard to the ssh client on a Linux machine. How can I achieve it?

I know that I can ssh-add my private key to the authentication agent. And it'll ask for the passphrase for the given private key only once during this process. Afterwards I'll be able to log in to the remote machine without ever being asked for the passphrase. But that's not what I want.

When I'm trying to log in without adding my key to the authentication agent with ssh-add I keep getting an error: "Agent admitted failure to sign using the key."

As a couple of examples of what I want: by default on my Windows machine when I use Putty or WinSCP to connect to a remote host, both programs ask me for the passphrase for the given key every time I log in.


  • Perhaps I misunderstand your question; however, if you have a passphrase-protected SSH key that you specify in your Putty connection profile for the host in question, it will prompt you for the passphrase upon every connection attempt. The only way that this will not be the case is if you're running an SSH agent on your local machine which has already unlocked your SSH private key using a passphrase.
    – Garrett
    Commented Jan 26, 2014 at 17:53
  • That's right, Putty prompts me for the passphrase upon every connection attempt. I'm fine with that and don't want to change it. My question was how can I get the same behaviour on a Linux machine while logging in with the ssh client. I seem to have found the answer to this question and will post it below.
    – golem
    Commented Jan 26, 2014 at 18:19
  • It turned out that due to some limitation I can't answer my own question yet. So I'll just leave it as a comment. The solution I found is to set the SSH_AUTH_SOCK=0 environment variable. That disables using ssh-agent and I'm being prompted for the key passphrase every time I log in.
    – golem
    Commented Jan 26, 2014 at 18:24
  • You don't need to start an SSH agent at all. If you generated the SSH private/public keypair on your local machine all you need to do is SSH to the remote host (ssh user@host) and you will be prompted for your passphrase.
    – Garrett
    Commented Jan 26, 2014 at 18:34
  • On my system (Debian 7.3) ssh-agent actually starts automatically at system startup. After some research on how to disable it I stumbled upon this nice blog post which guides on how to disable that unwanted behaviour of ssh-agent -- dtek.net/blog/…
    – golem
    Commented Jan 26, 2014 at 19:14

1 Answer


You could generate a key protected with a password. So even if the authentication is key-based, in order for that to happen you will have to enter the certificate password.

Edit: and don't use ssh agent ;) (though I am not sure if ssh agent also caches the certificate's password)
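
A check for the situation discussed in the question and comments above, as an added example that is not part of the original thread: it reports whether `ssh -i KEY` will ask for the passphrase on each login (the key is encrypted and no reachable agent holds it) and shows one way to hide the agent for a single invocation. The function names are hypothetical, and it assumes OpenSSH's ssh-keygen and ssh-add are installed and that KEY is a valid private key file.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Needs OpenSSH ssh-keygen/ssh-add.

# key_is_encrypted KEY: succeeds if the private key file needs a passphrase.
# "ssh-keygen -y" with an empty passphrase (-P "") only works on an unprotected
# key. Assumes KEY is a valid private key; a malformed file also fails here.
key_is_encrypted() {
    ! ssh-keygen -y -P "" -f "$1" </dev/null >/dev/null 2>&1
}

# agent_has_key KEY: succeeds if a reachable agent lists KEY's fingerprint.
agent_has_key() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    ah_list=$(ssh-add -l 2>/dev/null) || return 1   # 1: agent empty, 2: no agent
    ah_fp=$(ssh-keygen -lf "$1.pub" 2>/dev/null | awk '{print $2}')
    [ -n "$ah_fp" ] || return 0    # no .pub to compare: assume the agent may hold it
    printf '%s\n' "$ah_list" | grep -qF "$ah_fp"
}

# will_prompt KEY: prints "prompt" (status 0) when "ssh -i KEY" asks for the
# passphrase on every login, otherwise the reason it does not.
will_prompt() {
    [ -r "$1" ] || { echo unreadable-key; return 2; }
    key_is_encrypted "$1" || { echo no-passphrase-on-key; return 1; }
    if agent_has_key "$1"; then echo agent-holds-key; return 1; fi
    echo prompt
}

# ssh_no_agent KEY [ssh args...]: hide the agent from this one ssh invocation
# (subshell, so the calling shell keeps SSH_AUTH_SOCK) and offer only KEY.
ssh_no_agent() {
    na_key=$1; shift
    ( unset SSH_AUTH_SOCK; exec ssh -o IdentitiesOnly=yes -i "$na_key" "$@" )
}

# When run as a script with a key path as argument, report on that key.
[ $# -eq 0 ] || will_prompt "$1" || true
```

A result of `agent-holds-key` means the agent will sign without asking; `ssh_no_agent ~/.ssh/id_ed25519 user@host` (constructed path and host) then forces the passphrase prompt for that login only.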
