How to auto-update SSH agent environment variables when attaching to existing tmux sessions

There's an excellent gist by Martijn Vermaat, which addresses your problem in great depth, although it is intended for screen users, so I'm adjusting it for tmux here.

To summarize:

1. create ~/.ssh/rc if it doesn't exist yet, and add the following content:

   #!/bin/bash
   
   # Fix SSH auth socket location so agent forwarding works with tmux
   if test "$SSH_AUTH_SOCK" ; then
     ln -sf $SSH_AUTH_SOCK ~/.ssh/ssh_auth_sock
   fi
   

2. Make it work in tmux, add this to your ~/.tmux.conf:

   # fix ssh agent when tmux is detached
   setenv -g SSH_AUTH_SOCK $HOME/.ssh/ssh_auth_sock
   

Extra work is required if you want to enable X11 forwarding, see the gist.

While tmux updates SSH variables by default, there is no need to

• change/add socket path
• change the SSH_AUTH_SOCKET variable

I like the solution by Chris Down which I changed to add function

fixssh() {
    eval $(tmux show-env    \
        |sed -n 's/^\(SSH_[^=]*\)=\(.*\)/export \1="\2"/p')
}

into ~/.bashrc. Call fixssh after attaching session or before ssh/scp/rsync.

Newer versions of tmux support -s option for show-env, so only

eval $(tmux show-env -s |grep '^SSH_')

is possible.

Here's what I use for updating SSH_AUTH_SOCK inside a tmux window (based on Hans Ginzel's script):

alias fixssh='eval $(tmux showenv -s SSH_AUTH_SOCK)'

Or for tmux that does not have showenv -s:

alias fixssh='export $(tmux showenv SSH_AUTH_SOCK)'

Here is my solution which includes both approaches, and does not require extra typing when I reconnect to tmux session

alias ssh='[ -n "$TMUX" ] && eval $(tmux showenv -s SSH_AUTH_SOCK); /usr/bin/ssh'

There are lots of good answers here. But there are cases where tmux show-environment doesn't see SSH_AUTH_SOCK. In that case you can use find to locate it explicitly.

export SSH_AUTH_SOCK=$(find /tmp -path '*/ssh-*' -name 'agent*' -uid $(id -u) 2>/dev/null | tail -n1)

That's long and complicated, so I'll break it down...

01  export SSH_AUTH_SOCK=$(
02    find /tmp \
03      -path '*/ssh-*'
04      -name 'agent*'
05      -uid $(id -u)
06      2>/dev/null
07    | tail -n1
08  )

1. export the SSH_AUTH_SOCK environment variable set to the output of the $() command substitution
2. find files starting in /tmp
3. limit results to only those with /ssh- in the path
4. limit results to only those whose name begins with agent
5. limit results to only those with a user id matching the current user
6. silence all (permissions, etc.) errors
7. take only the last result if there are multiple

You may be able to leave off 6 & 7 if you know that there will only be 1 result and you don't care about stderr garbage.

I use a variation of the previous answers:

eval "export $(tmux show-environment -g SSH_AUTH_SOCK)"

assuming that you did the ssh agent started from the outer environment. Same goes for other environment variables such as DISPLAY.

I prefer to avoid configuring TMUX (etc) and keep everything purely in ~/.ssh/. On the remote system:

Create ~/.ssh/rc:

#!/bin/bash

# Fix SSH auth socket location so agent forwarding works within tmux
if test "$SSH_AUTH_SOCK" ; then
  ln -sf $SSH_AUTH_SOCK ~/.ssh/ssh_auth_sock
fi

Add following to ~/.ssh/config so it no longer relies on $SSH_AUTH_SOCK, which goes stale in detached terminals:

Host *
  IdentityAgent ~/.ssh/ssh_auth_sock

Known limitations

• ssh-add doesn't use ~/.ssh/config and so cannot communicate with ssh-agent. Commands like ssh-add -l produce errors, even though ssh user@host works fine, as does updating git remotes which are accessed via SSH.

I may have worked out a solution that is fully encapsulated in the ~/.tmux.conf configuration file. It is a different approach than modifying the ~/.bash_profile and ~/.ssh/rc.

Solution only using ~/.tmux.conf

Just cut and paste the following code into your ~/.tmux.conf

# ~/.tmux.conf

# SSH agent forwarding
#
# Ensure that SSH-Agent forwarding will work when re-attaching to the tmux
#   session from a different SSH connection (after a dropped connection).
#   This code will run upon tmux create, tmux attach, or config reload.
#
# If there is an SSH_AUTH_SOCK originally defined:
#   1) Remove all SSH related env var names from update-environment.
#      Without this, setenv cannot override variables such as SSH_AUTH_SOCK.
#      Verify update-environment with: tmux show-option -g update-environment
#   2) Force-set SSH_AUTH_SOCK to be a known location
#      /tmp/ssh_auth_sock_tmux
#   3) Force-create a link of the first found ssh-agent socket at the known location
if-shell '[ -n $SSH_AUTH_SOCK ]' " \
  set-option -sg update-environment \"DISPLAY WINDOWID XAUTHORITY\"; \
  setenv -g SSH_AUTH_SOCK /tmp/ssh_auth_sock_tmux; \
  run-shell \"ln -sf $(find /tmp/ssh-* -type s -readable | head -n 1) /tmp/ssh_auth_sock_tmux\" \
"

Caveat

The above solution along with the other solutions are susceptible to a race condition when initiating multiple connections to the same machine. Consider this:

• Client 1 Connect: SSH to machineX, start/attach tmux (writes ssh_auth_sock link)
• Client 2 Connect: SSH to machineX, start/attach tmux (overwrites ssh_auth_sock link)
• Client 2 Disconnect: Client 1 is left with a stale ssh_auth_sock link, thus breaking ssh-agent

However, this solution is slightly more resilient because it only overwrites the ssh_auth_sock link upon tmux start/attach, instead of upon initialization of a bash shell ~/.bash_profile or ssh connection ~/.ssh/rc

To cover this last race condition, one may add a key binding to reload the tmux configuration with a (Ctrl-b r) key sequence.

# ~/.tmux.conf

# reload config file
bind r source-file ~/.tmux.conf

From within an active tmux session, executing this sequence when the ssh_auth_sock link goes stale will refresh the ssh-agent connection.

In case other fish shell users are wondering how to deal with this when using fish (as well as for my future self!). In my fish_prompt I added a call to the following function:

function _update_tmux_ssh
  if set -q TMUX
    eval (tmux show-environment SSH_AUTH_SOCK | sed 's/\=/ /' | sed 's/^/set /')
  end
end

I suppose that more advanced *nix users would know how to replace sed with something better, but this works (tmux 3.0, fish 3.1).

After coming across so many suggestions, I finally figured out a solution that enables TMUX update the stale ssh agent after being attached. Basically, both the zshrc files on the local and remote machines need to be modified.

Insert the following codes into the local zshrc, which is based on this reference.

export SSH_AUTH_SOCK=~/.ssh/ssh-agent.$(hostname).sock
ssh-add -l 2>/dev/null >/dev/null
# The error of executing ssh-add command denotes a valid agent does not
# exist. 
if [ $? -ge 1 ]; then
  # remove the socket if it exists
  if [ -S "${SSH_AUTH_SOCK}" ]; then
    rm "${SSH_AUTH_SOCK}"
  fi
  ssh-agent -a "${SSH_AUTH_SOCK}" >/dev/null
  # one week life time
  ssh-add -t 1W path-to-private-rsa-file
fi

Insert the following code into the remote zshrc, where the tmux session will be attached.

alias fixssh='eval $(tmux showenv -s SSH_AUTH_SOCK)'

Then ssh into the remote machine. The -A option is necessary.

ssh -A username@hostname

Attach the TMUX session. Check the TMUX evironment variables

# run this command in the shell
tmux showenv -s
# or run this command after prefix CTRL+A or CTRL+B
:show-environment

Run fixssh in the previously existed panes to update the ssh agent. If a new pane is created, it will automatically get the new ssh-agent.

Here's another simple Bash solution, using PROMPT_COMMAND to update the SSH_* vars inside tmux before each prompt is generated. The downside to this solution is that it doesn't take effect in existing shells until a new prompt is generated, because PROMPT_COMMAND is only run before creating new prompts.

Just add this to your ~/.bashrc:

update_tmux_env () {
    # Only run for shells inside a tmux session.
    if [[ -n "$TMUX" ]]; then
        eval $(tmux show-env -s | grep '^SSH_')
    fi
}
export PROMPT_COMMAND=update_tmux_env