This error occurs when you try to use an SSH key through ssh-add or during git operations, but the SSH agent is not running or the SSH_AUTH_SOCK environment variable is not set correctly. The SSH agent is responsible for managing your SSH keys and providing them to SSH clients when needed.
SSH uses an agent process to securely hold your private keys in memory and provide them to SSH clients when needed for authentication. When you run ssh-add or try to authenticate via SSH (like with Git), the SSH client looks for the agent via the SSH_AUTH_SOCK environment variable. If the agent isn't running or the variable isn't set, you get this error. This is a configuration issue, not a key or permissions problem.
The SSH agent must be started and its environment variables exported to your shell. Use the eval command to do this correctly:
eval $(ssh-agent -s)Or if you're using a C-shell compatible shell (csh/tcsh):
eval 'ssh-agent -c'Or if you're using fish shell:
ssh-agent /usr/bin/fishThe eval command is critical—it ensures the SSH_AUTH_SOCK and SSH_AGENT_PID environment variables are exported to your current shell. Simply running ssh-agent alone won't set up these variables for your session.
After starting the agent, verify the environment variables are set:
echo $SSH_AUTH_SOCK
echo $SSH_AGENT_PIDBoth should print non-empty values. If they're empty, the ssh-agent didn't start correctly. Try the previous step again or check for errors in the output.
You can also list running SSH agents:
ps aux | grep ssh-agentYou should see a process like: /usr/bin/ssh-agent
Once the agent is running, add your private key to it. For the default key location:
ssh-add ~/.ssh/id_rsaIf your key has a different name or location, replace ~/.ssh/id_rsa with the correct path.
You may be prompted for the key's passphrase (if it has one). After entering it, the key is loaded into the agent and won't require the passphrase again during this session.
Verify the key was added:
ssh-add -lThis lists all keys currently loaded in the agent.
To avoid manually starting the agent each time you open a terminal, add initialization code to your shell configuration file.
For bash, add this to ~/.bashrc:
if [ -z "$SSH_AUTH_SOCK" ]; then
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsa 2>/dev/null
fiFor zsh, add this to ~/.zshrc:
if [ -z "$SSH_AUTH_SOCK" ]; then
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsa 2>/dev/null
fiFor fish, add this to ~/.config/fish/config.fish:
if not set -q SSH_AUTH_SOCK
eval (ssh-agent -c)
ssh-add ~/.ssh/id_rsa 2>/dev/null
endThe if check prevents starting multiple agents if you open multiple terminals. After editing your shell config, reload it:
source ~/.bashrc # or ~/.zshrc, ~/.config/fish/config.fishIf you're using systemd on Linux (most modern distributions), enable the SSH agent socket:
systemctl --user enable --now ssh-agent.socketIf this succeeds, you should no longer need to manually start ssh-agent.
For GNOME desktop users on recent systems with GNOME Keyring v46+, the SSH agent functionality may be in a separate package. Check if gcr-ssh-agent is active:
systemctl --user status gcr-ssh-agent.socketIf it's not active, enable it:
systemctl --user enable --now gcr-ssh-agent.socketThen set the SSH_AUTH_SOCK environment variable in your shell config:
export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/gcr/sshWindows users with OpenSSH installed may need to enable the SSH Agent service.
1. Open Services (press Win + R, type services.msc, and press Enter)
2. Look for "OpenSSH Authentication Agent"
3. If it's stopped, right-click and select "Start"
4. Set the startup type to "Manual" or "Automatic" (some users report "Manual" works better than "Auto")
Alternatively, start it from PowerShell as administrator:
Start-Service ssh-agentIf the service doesn't exist, ensure OpenSSH for Windows is properly installed.
Sometimes the SSH_AUTH_SOCK environment variable points to a socket file that no longer exists (stale socket).
Check if the socket file exists:
ls -la $SSH_AUTH_SOCKIf you get "No such file or directory," the socket is stale. Unset the variable and restart the agent:
unset SSH_AUTH_SOCK
unset SSH_AGENT_PID
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsaThis clears any stale references and starts a fresh agent.
Advanced troubleshooting:
SSH Agent Forwarding: When connecting to a remote server via SSH and you want to use your local SSH keys on the remote system, use SSH agent forwarding with the -A flag:
ssh -A user@remote-hostThe remote server then has access to your local agent's keys without storing copies of your keys on the remote machine. This is more secure for developers who frequently jump between servers.
Multiple SSH Keys: If you have multiple SSH keys (e.g., personal and work), add them all to the agent:
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/id_work
ssh-add -l # List all loaded keysDifferent hosts can then use different keys automatically based on SSH config entries.
SSH Config File: Use ~/.ssh/config to specify which key to use for which host:
Host github.com
IdentityFile ~/.ssh/id_rsa
User git
Host work-server
IdentityFile ~/.ssh/id_work
User usernameDebugging SSH Agent Issues: Set -vvv flag on SSH commands to see detailed debugging output:
ssh-add -vvv ~/.ssh/id_rsa
ssh -vvv user@hostLook for lines mentioning "SSH_AUTH_SOCK" or "agent" to diagnose agent-related issues.
Load key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH