How to Extract Public Key from SSH Agent: Retrieving Full Key After ssh-add



When working with SSH authentication, you might add your private key to ssh-agent using:

ssh-add ~/.ssh/id_rsa

While ssh-add -l (lowercase) lists only key fingerprints, it does not print the complete public key. This becomes problematic when you need to:

  • Distribute your public key to servers
  • Backup or migrate your credentials
  • Verify the exact key being used

The most reliable method is to list the agent's loaded public keys with ssh-add -L (uppercase) and convert them with ssh-keygen:

ssh-add -L | ssh-keygen -f /dev/stdin -e -m PKCS8

This pipeline:

  1. Gets each loaded key in OpenSSH public-key format with ssh-add -L
  2. Pipes it to ssh-keygen, which reads the key from /dev/stdin and exports it with -e
  3. Outputs a PEM-encoded PKCS#8 (SubjectPublicKeyInfo) public key; use -m PEM instead for the traditional PKCS#1 RSA format

Two caveats: ssh-keygen -e converts only the first key line it reads, so with several keys loaded, filter the ssh-add -L output first (see below); and if all you need is the OpenSSH-format line for an authorized_keys file, the output of ssh-add -L is already in that format and needs no conversion.

If you still have access to the original key files:

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

This generates the public key from the private key file, which should match what's in your agent.

To ensure you've extracted the correct key:

# Compare fingerprint
ssh-keygen -lf <(ssh-add -L)
ssh-keygen -lf ~/.ssh/id_rsa.pub

Common issues and fixes:

  • Permission errors: Ensure ~/.ssh has 700 permissions and the private key file has 600 (ssh-add refuses keys with looser modes)
  • Agent not running: Start one and import its environment with eval "$(ssh-agent -s)"
  • Multiple keys: Use ssh-add -L | grep "your@email" to filter by the key's comment

When working with SSH authentication, ssh-agent holds private keys in memory; the corresponding public keys are not written anywhere on disk and are reachable only through the agent's own commands. This becomes problematic when you need to distribute your public key after adding the private key to the agent.

While ssh-add -l shows key fingerprints, retrieving the actual public key isn't straightforward. The agent is designed never to hand the private key back to a client, so the public key has to be recovered another way.

The most reliable method involves using ssh-keygen to extract the public key from the private key file that was added to the agent:

ssh-keygen -y -f ~/.ssh/id_rsa > id_rsa.pub

This command:

  • -y: Outputs public key from private key
  • -f: Specifies the private key file
  • Redirects output to create a public key file

If you don't have the original private key file but need to extract from the agent:

ssh-add -L | grep "your-key-comment" > extracted_key.pub

Note: This depends on your SSH version supporting -L output (OpenSSH typically does). The grep matches the comment field at the end of each line, so it only works if the key was added with a comment; otherwise, pick the right line by comparing fingerprints with ssh-keygen -lf.

If neither method works (the private key file is gone and the agent will not list keys), the only remaining option is to generate a fresh key pair. Note that this yields a new public key to distribute rather than recovering the old one:

# Generate temp key (this also writes temp_key.pub)
ssh-keygen -t rsa -b 4096 -f temp_key -N ""

# Add to agent
ssh-add temp_key

# Extract public key (regenerates temp_key.pub from the private key)
ssh-keygen -y -f temp_key > temp_key.pub

# Clean up: remove the key from the agent (needs temp_key.pub) before deleting the files
ssh-add -d temp_key
rm temp_key temp_key.pub

Always verify extracted keys match the agent's fingerprint:

ssh-keygen -lf extracted_key.pub
ssh-add -l

The fingerprint hashes should match exactly.
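The verification step in both halves of this article (compare the extracted .pub line against ssh-add -l) and the "filter by comment" step are easy to get wrong by eye, so here is an added worked example, written for this page rather than taken from OpenSSH or the original article. It is in Python because it needs no running agent: it parses lines in the format ssh-add -L prints, checks that the key type embedded in the blob agrees with the type field, computes the SHA256 fingerprint the same way ssh-keygen -lf does, selects exactly one key by comment, and confirms that key's fingerprint appears in an ssh-add -l style listing. The sample agent output and listing are constructed inline (the 32-byte key material is fake, not real ed25519 points); all function names are this example's own.

```python
"""Verify a public key extracted from ssh-agent before distributing it.

Added example, not part of the original article. Assumes the OpenSSH public-key
line format "<type> <base64 blob> [comment]", where the blob is SSH wire format
(4-byte big-endian length-prefixed strings) and its first string repeats the type.
"""
import base64
import hashlib
import struct
from typing import Optional, Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one length-prefixed string from blob at offset; return (value, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def make_public_key_line(key_type: str, key_material: bytes, comment: str) -> str:
    """Build a line in the format `ssh-add -L` prints. Used here only to construct
    offline sample input; with a real agent the blob comes from the agent itself."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(key_material)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_public_key_line(line: str) -> Tuple[str, bytes, str]:
    """Split a public-key line into (type, decoded blob, comment). The blob's first
    wire string repeats the key type; reject lines where the two disagree, which
    catches a hand-edited type field or a blob pasted under the wrong label."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded_type, _ = _read_ssh_string(blob, 0)
    if embedded_type != key_type.encode():
        raise ValueError(f"type field {key_type!r} does not match blob type {embedded_type!r}")
    return key_type, blob, comment


def is_valid_public_key_line(line: str) -> bool:
    """True if the line parses and its type field matches the blob."""
    try:
        parse_public_key_line(line)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` and `ssh-add -l` print:
    'SHA256:' plus unpadded base64 of the SHA-256 digest of the raw blob."""
    _, blob, _ = parse_public_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def select_key(agent_output: str, comment_substring: str) -> Optional[str]:
    """The `ssh-add -L | grep <comment>` step, made strict: return the one key whose
    comment contains the substring, or None when zero or several keys match, so an
    ambiguous filter never silently ships the wrong key."""
    matches = [
        ln for ln in agent_output.splitlines()
        if ln.strip() and comment_substring in parse_public_key_line(ln)[2]
    ]
    return matches[0] if len(matches) == 1 else None


def fingerprints_match(pub_line: str, agent_listing: str) -> bool:
    """Confirm an extracted .pub line is really one of the agent's keys by looking for
    its fingerprint as a whole token in `ssh-add -l` output (bits, fingerprint, comment, type)."""
    fp = fingerprint(pub_line)
    return any(fp in ln.split() for ln in agent_listing.splitlines())


# Constructed sample `ssh-add -L` output: two ed25519-shaped keys whose 32-byte
# key material is fake (not real curve points), which is enough to exercise the format.
SAMPLE_AGENT_OUTPUT = "\n".join([
    make_public_key_line("ssh-ed25519", bytes(range(32)), "deploy@example.invalid"),
    make_public_key_line("ssh-ed25519", bytes(range(32, 64)), "laptop@example.invalid"),
])


def sample_agent_listing() -> str:
    """Constructed `ssh-add -l`-style listing for the sample keys (256 bits for ed25519)."""
    return "\n".join(
        f"256 {fingerprint(ln)} {parse_public_key_line(ln)[2]} (ED25519)"
        for ln in SAMPLE_AGENT_OUTPUT.splitlines()
    )


if __name__ == "__main__":
    chosen = select_key(SAMPLE_AGENT_OUTPUT, "deploy@")
    print("extracted:", chosen)
    print("fingerprint:", fingerprint(chosen))
    print("matches agent listing:", fingerprints_match(chosen, sample_agent_listing()))
```

To use it against a real agent, feed the output of ssh-add -L to select_key and the output of ssh-add -l to fingerprints_match; the returned fingerprint is the same string ssh-keygen -lf prints, so the two checks in the article can be compared programmatically rather than by eye.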

Remember that public keys aren't secret; they are meant to be shared. The security risk comes from private key exposure, which these methods avoid by either:

  • Reading existing private key files (with user permissions)
  • Using the agent's limited public key export capability
  • Creating temporary disposable keys