"Could not open a connection to your authentication agent" means the SSH agent isn't running or SSH_AUTH_SOCK isn't set. Start the agent with eval and add your key.
SSH uses an agent process to securely hold your private keys in memory and provide them to SSH clients when needed for authentication. When you run ssh-add or try to authenticate via SSH (for example with Git), the SSH client looks for the agent via the SSH_AUTH_SOCK environment variable. If the agent isn't running or that variable isn't set, you get this error. This is a configuration issue, not a key or permissions problem.
The SSH agent must be started and its environment variables exported to your shell. Use the eval command to do this correctly:
eval $(ssh-agent -s)
Or if you're using a C-shell compatible shell (csh/tcsh):
eval `ssh-agent -c`
Or if you're using fish shell:
ssh-agent /usr/bin/fish
The eval command is critical: it ensures the SSH_AUTH_SOCK and SSH_AGENT_PID environment variables are exported to your current shell. Simply running ssh-agent alone won't set up these variables for your session.
After starting the agent, verify the environment variables are set:
echo $SSH_AUTH_SOCK
echo $SSH_AGENT_PID
Both should print non-empty values. If they're empty, ssh-agent didn't start correctly. Try the previous step again or check for errors in the output.
You can also list running SSH agents:
ps aux | grep ssh-agent
You should see a process such as: /usr/bin/ssh-agent
Once the agent is running, add your private key to it. For the default key location:
ssh-add ~/.ssh/id_ed25519
If your key has a different name or location (for example ~/.ssh/id_rsa), replace the path accordingly.
You may be prompted for the key's passphrase (if it has one). After entering it, the key is loaded into the agent and won't require the passphrase again during this session.
Verify the key was added:
ssh-add -l
This lists all keys currently loaded in the agent.
To avoid manually starting the agent each time you open a terminal, add initialization code to your shell configuration file.
For bash, add this to ~/.bashrc:
if [ -z "$SSH_AUTH_SOCK" ]; then
    eval $(ssh-agent -s)
    ssh-add ~/.ssh/id_ed25519 2>/dev/null
fi
For zsh, add this to ~/.zshrc:
if [ -z "$SSH_AUTH_SOCK" ]; then
    eval $(ssh-agent -s)
    ssh-add ~/.ssh/id_ed25519 2>/dev/null
fi
For fish, add this to ~/.config/fish/config.fish:
if not set -q SSH_AUTH_SOCK
    eval (ssh-agent -c)
    ssh-add ~/.ssh/id_ed25519 2>/dev/null
end
The if check prevents starting multiple agents if you open multiple terminals. After editing your shell config, reload it:
source ~/.bashrc # or ~/.zshrc, ~/.config/fish/config.fish
On macOS, prefer the system-managed agent and load keys into the Keychain instead of starting your own agent in shell config:
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
If you're using systemd on Linux (most modern distributions), enable the SSH agent socket:
systemctl --user enable --now ssh-agent.socket
If this succeeds, you should no longer need to manually start ssh-agent.
For GNOME desktop users on recent systems with GNOME Keyring v46+, the SSH agent functionality may be in a separate package. Check if gcr-ssh-agent is active:
systemctl --user status gcr-ssh-agent.socket
If it's not active, enable it:
systemctl --user enable --now gcr-ssh-agent.socket
Then set the SSH_AUTH_SOCK environment variable in your shell config:
export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/gcr/ssh
Windows users with OpenSSH installed may need to enable the SSH Agent service.
1. Open Services (press Win + R, type services.msc, and press Enter)
2. Look for "OpenSSH Authentication Agent"
3. If it's stopped, right-click and select "Start"
4. Set the startup type to "Automatic" (or "Manual" if you prefer to start it on demand)
Alternatively, start it from PowerShell as administrator:
Start-Service ssh-agent
To have it start at boot:
Set-Service ssh-agent -StartupType Automatic
If the service doesn't exist, ensure OpenSSH for Windows is properly installed.
Sometimes the SSH_AUTH_SOCK environment variable points to a socket file that no longer exists (stale socket).
Check whether the socket file exists:
ls -la "$SSH_AUTH_SOCK"
If you get "No such file or directory," the socket is stale. Unset the variables and restart the agent:
unset SSH_AUTH_SOCK
unset SSH_AGENT_PID
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_ed25519
This clears any stale references and starts a fresh agent.
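The checks above (variable set, socket present, keys loaded) can be combined into one classifier. This is an added example, not part of the original page: the function name agent_state and its state labels are made up here, and it relies on the documented ssh-add exit codes (0 keys listed, 1 no identities, 2 agent unreachable).

```shell
#!/bin/sh
# Added example: classify the agent state behind the
# "Could not open a connection to your authentication agent" error.
agent_state() {
    # $1: socket path to test; defaults to the current SSH_AUTH_SOCK.
    sock=${1-${SSH_AUTH_SOCK-}}
    if [ -z "$sock" ]; then
        echo unset; return 0        # no agent environment in this shell
    fi
    if [ ! -S "$sock" ]; then
        echo stale; return 0        # path is gone or is not a Unix socket
    fi
    if ! command -v ssh-add >/dev/null 2>&1; then
        echo no-ssh-add; return 0   # OpenSSH client tools are not installed
    fi
    # Ask the agent behind this socket for its key list and keep the exit code.
    rc=0
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo ok ;;               # agent reachable, at least one key loaded
        1) echo empty ;;            # agent reachable, no keys: run ssh-add
        2) echo unreachable ;;      # socket exists but no agent answers
        *) echo unknown ;;
    esac
}

echo "agent state: $(agent_state)"
```

"unset" and "stale" call for starting a fresh agent as shown above; "empty" only needs ssh-add.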
Advanced troubleshooting:
Multiple SSH Keys: If you have multiple SSH keys (for example personal and work), add them all to the agent:
ssh-add ~/.ssh/id_ed25519
ssh-add ~/.ssh/id_work
ssh-add -l # List all loaded keys
Different hosts can then use different keys automatically based on your SSH config entries.
SSH Config File: Use ~/.ssh/config to specify which key to use for which host. Adding IdentitiesOnly yes prevents the agent from offering every loaded key (which can trip MaxAuthTries on the server):
Host github.com
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    User git
Host work-server
    IdentityFile ~/.ssh/id_work
    IdentitiesOnly yes
    User username
Reaching servers behind a bastion (prefer ProxyJump over agent forwarding): If you need to reach an internal host through a jump/bastion host, use ProxyJump (-J). It does not expose your agent to the intermediate host, because authentication to each hop happens from your local machine over a tunneled connection:
ssh -J user@bastion user@internal-host
Or in ~/.ssh/config:
Host internal-host
    ProxyJump user@bastion
    User user
SSH Agent Forwarding (convenient but risky): Agent forwarding (ssh -A) lets a remote host use your local agent's keys without copying the keys to that host:
ssh -A user@remote-host
However, forwarding is a real security risk and should not be treated as "more secure." While you are connected, anyone with root on the remote host (or any process that can read the forwarded socket at $SSH_AUTH_SOCK there) can hijack your agent and authenticate to other systems as you for the lifetime of the connection. Prefer ProxyJump above. If you must forward an agent, only do so to hosts you fully trust, scope it to specific hosts in ~/.ssh/config (ForwardAgent yes under a single Host entry, never globally), require confirmation on each use by adding keys with ssh-add -c, and consider ssh-add -t <seconds> to auto-expire keys.
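To check that ForwardAgent is scoped to single Host entries and never set globally, the config file can be audited. This is an added example, not from the original page: the function names and the sample config are constructed, and Match blocks other than "Match all" are assumed to be scoped.

```shell
#!/bin/sh
# Added example: report ForwardAgent settings that apply globally or to
# wildcard Host patterns in an ssh_config-style file.
audit_forward_agent() {
    # $1: config path. Prints "<line>: ForwardAgent <value> in <scope>".
    awk '
    BEGIN { scope = "(global)"; wide = 1 }   # options before any Host apply to all
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next  # skip blank lines and comments
        if (!match(line, /[ \t=]+/)) next    # keyword and value split on space or "="
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH)
        sub(/[ \t]+$/, "", val)
        if (key == "host") {
            scope = "Host " val
            wide = (val ~ /[*?]/)            # a wildcard pattern widens the scope
        } else if (key == "match") {
            scope = "Match " val
            wide = (tolower(val) == "all")
        } else if (key == "forwardagent" && tolower(val) != "no" && wide) {
            # yes, a socket path, or a $VARIABLE name all enable forwarding
            printf "%d: ForwardAgent %s in %s\n", NR, val, scope
        }
    }' "$1"
}

# Constructed sample config; the host names are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
Host bastion.example
    ForwardAgent yes
Host *.corp.example
    forwardagent=yes
Host *
    ForwardAgent yes
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
audit_forward_agent "$tmp"
rm -f "$tmp"
```

The single-host entry for bastion.example is not reported; the two wildcard blocks are.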
Debugging SSH Agent Issues: Increase verbosity to see detailed debugging output:
ssh-add -v ~/.ssh/id_ed25519
ssh -vvv user@host
Look for lines mentioning "SSH_AUTH_SOCK" or "agent" to diagnose agent-related issues.