Making ssh-add -d work

Periodically, I end up with my SSH agent tracking an absurd number of keys, many of them no longer relevant, and wish to remove them. In my experience, ssh-add -d /path/to/keyfile rarely works. Today, with a bit of help from Erik, I figured out why I get errors like this:

$ ssh-add -d /Users/matthew.wagner/.ssh/cpanel-east.pem
Bad key file /Users/matthew.wagner/.ssh/cpanel-east.pem: No such file or directory

That key file exists, is loaded in ssh-agent, and has the correct permissions. The issue is that -d expects the public key file (it looks for one beside the private key), even though ssh-add -l doesn’t list those.

If you have a .pub version of the key, ssh-add -d will automatically find it and remove it. In some cases, I don’t have the public key, such as keys downloaded from AWS. The good news is, it’s easy to generate them:

$ ssh-keygen -y -f ~/.ssh/cpanel-east.pem > ~/.ssh/

Removal is then a breeze:

$ ssh-add -d /Users/matthew.wagner/.ssh/cpanel-east.pem
Identity removed: /Users/matthew.wagner/.ssh/cpanel-east.pem (/Users/matthew.wagner/.ssh/

tl;dr – If ssh-add -d says it can’t remove a key that plainly exists, you need to generate a public key for it.
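The whole procedure above, wrapped into a small script as an added example (this is not code from the original post): derive the missing .pub companion with ssh-keygen -y only when it is absent, then hand the private key path to ssh-add -d. It assumes ssh-keygen and ssh-add are on PATH, that an agent is running, and that ssh-add looks for the public half at "<private key path>.pub", which matches the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: remove an identity from ssh-agent
# when only the private key file is at hand. ssh-add -d needs the public half,
# so derive it with ssh-keygen -y first if no .pub file sits beside the key.

# Path where ssh-add expects the public key: "<private>.pub" (assumption noted above).
pubkey_path_for() {
    printf '%s.pub\n' "$1"
}

# Make sure the .pub companion exists; derive it from the private key if not.
# Returns 0 on success, 1 when the private key is missing, 2 when ssh-keygen fails.
ensure_pubkey() {
    priv="$1"
    pub=$(pubkey_path_for "$priv")
    [ -f "$priv" ] || { echo "no such private key: $priv" >&2; return 1; }
    [ -f "$pub" ] && return 0
    # -y prints the public key that corresponds to the private key file.
    ssh-keygen -y -f "$priv" > "$pub" || { rm -f "$pub"; return 2; }
    chmod 644 "$pub"
}

# Remove the identity from the running agent, generating the .pub first if needed.
remove_from_agent() {
    ensure_pubkey "$1" || return $?
    ssh-add -d "$1"
}

# Usage: sh remove_key.sh ~/.ssh/cpanel-east.pem
if [ "$#" -gt 0 ]; then
    remove_from_agent "$1"
fi
```

After it runs, ssh-add -l should no longer list the key's fingerprint; if it still does, the agent may be holding the key under a different file (for example a copy added from another path), and the .pub written by the script can simply be deleted if you do not want it kept.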
