remove ssh keys means deleting SSH identity files, agent-stored keys, and host entries from known_hosts using OpenSSH utilities.
$ ssh-add -D # Remove all keys from the current SSH agent
Syntax
The operation splits into three contexts, each with its own command:
# Remove all keys from ssh-agent
$ ssh-add -D
# Remove a specific key from ssh-agent
$ ssh-add -d /path/to/key
# Remove a host key from known_hosts (hostname or IP)
$ ssh-keygen -R hostname_or_ip
# Delete private/public key files from ~/.ssh
$ rm -f ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
# Remove a public key from a remote server's authorized_keys
# (SSH into server, then edit file)
$ ssh user@server
$ nano ~/.ssh/authorized_keys # or use sed
Options and Flags
| Tool | Flag | Type | Default | Description |
|---|---|---|---|---|
| ssh-add | -D | Flag | N/A | Delete all keys from the current ssh-agent. |
| ssh-add | -d | Flag | N/A | Delete the specified key from ssh-agent (identified by its key file path). |
| ssh-add | -l | Flag | N/A | List currently loaded keys (useful for verification before removal). |
| ssh-keygen | -R | Flag | N/A | Remove all keys belonging to the specified host from known_hosts. |
| ssh-keygen | -H | Flag | N/A | Hash the hostnames in known_hosts (rewrites the file in place; does not remove entries). |
| ssh-keygen | -f | Option | ~/.ssh/known_hosts | Specify the known_hosts file to use with -R. |
| rm | -f | Flag | N/A | Force removal of key files without prompting. |
| rm | -rf | Flag | N/A | Recursively and forcefully remove a directory (e.g., entire ~/.ssh). |
Usage Examples
1. Remove all keys from the current ssh-agent
$ eval `ssh-agent -s` # ensure agent is running
Agent pid 12345
$ ssh-add -D
All identities removed.
Clears all loaded keys from the agent. Use after key rotation or if you suspect a compromised session.
2. Remove an old SSH key pair from the local ~/.ssh directory
$ cd ~/.ssh
$ rm -f id_rsa id_rsa.pub old_key
$ sudo service ssh restart
Deletes the private and public key files. The service ssh restart is optional: it restarts the local SSH daemon (sshd) to apply server-side config changes and is not needed for removing client key files.
3. Remove a compromised host key from known_hosts
$ ssh-keygen -R 192.168.23.2
# Host 192.168.23.2 found: line 109 type RSA
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
Purges the host key for the given IP from known_hosts. The next connection prompts to accept the new key; compare the fingerprint it shows with the one obtained out of band from the server's administrator before accepting, so that a key change is not hiding a man-in-the-middle attack.
4. Remove a specific public key from a remote server
$ ssh user@server
user@server:~$ cat ~/.ssh/authorized_keys
user@server:~$ sed -i '/oldkey/ d' .ssh/authorized_keys
user@server:~$ exit
Deletes every line matching the pattern oldkey from the server's authorized_keys, so use a string unique to that key (its comment or the tail of its base64 blob) and check with cat or grep first. Verify by attempting SSH with the removed key, and keep the current session open until you have confirmed that another key still works.
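The sed pattern in example 4 matches a substring, so it can also delete a different key whose blob or comment contains the same text. As an added example (not part of the original page), the POSIX shell function below removes an authorized_keys entry by its exact base64 blob, keeps a backup and reports how many lines it removed; the sample file it runs against is constructed here with fake key blobs.

```shell
#!/bin/sh
# Added example (not from the original page): remove one key from an
# authorized_keys file by matching its whole base64 blob, not a substring.
# The sed '/oldkey/ d' pattern above deletes every line containing the text,
# which can also take out a different key whose blob or comment happens to
# contain it. The blob field is found by its key-type prefix, so entries with
# an options prefix such as command="..." or from="..." are handled too.
# Prints the number of lines removed; backs the file up to FILE.old first.
remove_authorized_key() {
    file=$1
    blob=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    before=$(wc -l < "$file" | tr -d ' ')
    cp -p "$file" "$file.old"                # backup, as ssh-keygen -R does
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v blob="$blob" '
        {
            keep = 1
            for (i = 1; i <= NF; i++) {
                # first field that looks like a key type; the blob follows it
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    if ($(i + 1) == blob) keep = 0
                    break
                }
            }
            if (keep) print
        }' "$file" > "$tmp" && mv "$tmp" "$file"
    chmod 600 "$file"                        # sshd ignores group/world-writable files
    after=$(wc -l < "$file" | tr -d ' ')
    echo $((before - after))
}

# Constructed sample file (fake key blobs, not real keys). Note that the third
# blob contains the first one as a prefix: a substring match would remove both.
make_sample_authorized_keys() {
    cat > "$1" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne old-laptop
command="/usr/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyTwo backup@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOneX colleague
EOF
    chmod 600 "$1"
}

# Demo against the constructed file in a temporary directory
demo_dir=$(mktemp -d)
make_sample_authorized_keys "$demo_dir/authorized_keys"
echo "removed $(remove_authorized_key "$demo_dir/authorized_keys" AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne) line(s)"
cat "$demo_dir/authorized_keys"
```

On a real server, run it against ~/.ssh/authorized_keys with the blob copied from the public key file you are retiring, then confirm with ssh-add -l and a test login that the remaining key still works.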
Troubleshooting & Common Errors
| Error Message | Root Cause | Resolution |
|---|---|---|
| no such identity: /path/to/key: No such file or directory | The key file does not exist. | Check the path; use ls ~/.ssh to list available keys. |
| Could not open a connection to your authentication agent | ssh-agent is not running or not accessible. | Run eval $(ssh-agent) to start it and export its environment variables. |
| ssh-keygen: host key not found in known_hosts | The hostname/IP is not present or is hashed. | Use ssh-keygen -F hostname to check; if hashed, use -R with the exact host as originally stored. |
| rm: cannot remove 'id_rsa': Permission denied | Key file is write-protected or not owned by the user. | Use chmod u+w ~/.ssh/id_rsa then retry removal. |
Performance Considerations
Removing SSH keys is disk-bound. Batch removal of many hosts from known_hosts can be scripted with xargs. Each ssh-keygen -R call rewrites the whole file and its .old backup, so do not run several against the same known_hosts at once (they would overwrite each other's result); keep the xargs run sequential, which is still far faster than editing by hand:
# Remove every IPv4 host entry, one ssh-keygen call per host
# (hashed entries start with |1| and are not matched; remove those by name with -R)
grep -oE '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' ~/.ssh/known_hosts | sort -u |
xargs -I{} ssh-keygen -R {} -f ~/.ssh/known_hosts
# Clear all identities from the SSH agent in one call
ssh-add -D
Ensure the agent is running (eval `ssh-agent -s`) only if agent-managed keys need removal. For local file removal, rm with -rf deletes key pairs instantly.
Verified References
| Command | Source | Notes |
|---|---|---|
| ssh-keygen -R | man7.org | Removes host keys from known_hosts. Uses -f to specify an alternative file. |
| ssh-add -D | StackOverflow (25464930) | Deletes all identities from the agent. |
| ssh-add -d | StackOverflow (25464930) | Deletes a specific identity from the agent. |
| rm | linux.die.net | Removes files; use -f to force, -rf for directories. |
| ssh-keygen -F | man7.org | Finds a host in known_hosts; used to verify before removal. |
Frequently Asked Questions
What is the difference between `ssh-keygen -R hostname` and manually deleting the host line from `~/.ssh/known_hosts`?
Answer: `ssh-keygen -R` handles hashed host entries; manual editing may miss or corrupt them. Always use the command.
When should I use `ssh-add -d` vs `ssh-add -D`?
Answer: Use `ssh-add -d [file]` to remove a specific key; use `ssh-add -D` to clear all keys from the agent at once.
`ssh-add -d` requires the exact path to the private key. `ssh-add -D` is faster when rotating multiple identities.
How do I fix “Host key verification failed” after a server key change?
Answer: Run `ssh-keygen -R hostname` and `ssh-keygen -R IP` to remove old entries, then reconnect to accept the new key.
ssh-keygen -R example.com
ssh-keygen -R 192.168.1.10
Does `ssh-keygen -R` work on AWS EC2 instances with Linux, macOS, and Windows?
Answer: Yes, on Linux and macOS natively; on Windows, use OpenSSH Client in PowerShell or WSL. The cloud platform does not affect local known_hosts management.
What is the fastest way to remove all SSH keys from your SSH agent and known_hosts file?
Answer: Clear the agent with `ssh-add -D` and truncate known_hosts with `:> ~/.ssh/known_hosts`.
ssh-add -D
:> ~/.ssh/known_hosts
This removes every identity and host key. To preserve specific entries, use `ssh-keygen -R` per host.

Command Line Expert & Software Engineer
Welcome! I’m Thomas Heinrich, a software engineer and system administrator with a deep passion for the Command Line Interface (CLI). With years of experience navigating the terminal, building backend architectures, and automating server deployments, I created this space to share practical, real-world terminal knowledge.
Whether you are a beginner taking your first steps in a Linux environment or a seasoned DevOps engineer looking to optimize your deployment scripts, you will find actionable solutions here. My goal is to help you ditch the mouse, speed up your workflow, and harness the full power of the command line.