On 2016-08-03, Hugo Osvaldo Barrera <h...@barrera.io> wrote:
> Doesn't the fact that ssh-agent is running somehow make the keys
> accessible anyway?
If it's running and you haven't told it to forget the keys one way or another: yes.

Some screen lockers allow you to run another program; one thing you can do is run "ssh-add -D" to kill the keys when you lock. Alternatively, when you start ssh-agent you can use the -t flag to set the lifetime of the key; if you do this, ssh-agent will expire added keys automatically after this timeout. (For the latter, if you use xdm you'll need to edit Xsession.)

By itself this can be annoying, as you normally have to run ssh-add to add the keys back in before you can use them. But if you use "AddKeysToAgent yes", ssh will prompt you for the key passphrase when it needs it (i.e. after the lock/timeout) and add them to the agent automatically. So it works rather like sudo's password timeout - very convenient, and it avoids the keys hanging around in your agent for longer than needed.
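As an added example (not code from this thread), the "ssh-add -D when you lock" step above as a small lock wrapper, with the ssh-agent -t and AddKeysToAgent settings it pairs with noted in the comments; the locker name xlock is an assumption, and the wrapper deliberately tolerates a missing or unreachable agent so locking never fails because of it.

```shell
#!/bin/sh
# Constructed example: flush keys from the running ssh-agent, then lock.
# Pairs with the other two pieces from the thread:
#   in ~/.xsession (or the xdm Xsession):  eval "$(ssh-agent -t 1h)"
#   in ~/.ssh/config:
#       Host *
#           AddKeysToAgent yes
# so ssh re-prompts for the passphrase after the flush/timeout.
set -u

# Returns 0 if an agent is reachable, 1 otherwise.
# ssh-add -l exits 0 (keys loaded), 1 (no keys), 2 (cannot contact agent).
agent_reachable() {
    command -v ssh-add >/dev/null 2>&1 || return 1
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Number of identities the agent currently holds (0 when unreachable).
agent_key_count() {
    if agent_reachable; then
        ssh-add -l 2>/dev/null | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Flush every identity (ssh-add -D). Quietly skips when there is no agent,
# and never returns non-zero, so the lock step below always proceeds.
forget_agent_keys() {
    if agent_reachable; then
        ssh-add -D >/dev/null 2>&1 || echo "warning: ssh-add -D failed" >&2
    fi
    return 0
}

# Flush keys, then hand over to the screen locker (assumed: xlock).
lock_screen() {
    locker="${1:-xlock}"
    forget_agent_keys
    exec "$locker"
}
```

Bind `lock_screen` (or this script) to your lock hotkey instead of calling the locker directly; `agent_key_count` should print 0 right after the flush.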