Discussion: removing keys from ssh-agent without having key file

Matthew Boedicker
2016-01-01 21:43:39 UTC
ssh-agent does not allow you to remove individual keys without having the
key file that was added. To remove these keys the user must remove all keys
with ssh-add -D.

Would a patch to make ssh-add skip the existence check for the file be
considered?

The specific use case is that a USB drive is mounted with the key, the key
is added to the agent then the USB drive is unmounted.
Dustin Lundquist
2016-01-01 23:27:47 UTC
I've run into a similar situation. Looking at PROTOCOL.agent for SSH
version 2, you can obtain the key blob with SSH2_AGENTC_REQUEST_IDENTITIES,
and remove that identity with SSH2_AGENTC_REMOVE_IDENTITY. This means
within the SSH agent protocol the key files are not needed to remove the
key.

I have another use case for this functionality: I've written an SSH agent
proxy which permits authorized users access to a common set of identities,
and in some cases a user has access to too many identities to complete
authentication in the permitted number of authentication attempts. In this
case the proxy would not remove the shared identity, but temporarily block
it from that user's view.


Dustin Lundquist
Post by Matthew Boedicker
> ssh-agent does not allow you to remove individual keys without having the
> key file that was added. To remove these keys the user must remove all keys
> with ssh-add -D.
> Would a patch to make ssh-add skip the existence check for the file be
> considered?
> The specific use case is that a USB drive is mounted with the key, the key
> is added to the agent then the USB drive is unmounted.
_______________________________________________
openssh-unix-dev mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Damien Miller
2016-01-04 07:25:15 UTC
Post by Matthew Boedicker
> ssh-agent does not allow you to remove individual keys without having the
> key file that was added. To remove these keys the user must remove all keys
> with ssh-add -D.
No, you only need the public key and you can get that from the agent
itself if you don't happen to have it laying around.

[***@fuyu tmp]$ ssh-keygen -q -t ed25519 -f k1 -N ''
[***@fuyu tmp]$ ssh-keygen -q -t ed25519 -f k2 -N ''
[***@fuyu tmp]$ ssh-add k1 k2
Identity added: k1 (***@fuyu.mindrot.org)
Identity added: k2 (***@fuyu.mindrot.org)
[***@fuyu tmp]$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJmyuVthrSvC6RMly/gJyAd1oFo8NggUUAV0JKvW9V4 ***@fuyu.mindrot.org
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFk1eV8abvdBGAJINxDZ2fK9btsLUlHmPL9DPBDhh/MP ***@fuyu.mindrot.org
[***@fuyu tmp]$ rm k1* k2*
[***@fuyu tmp]$ ssh-add -L | head -1 > k1.pub
[***@fuyu tmp]$ ssh-add -d k1
Identity removed: k1 (***@fuyu.mindrot.org)
[***@fuyu tmp]$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFk1eV8abvdBGAJINxDZ2fK9btsLUlHmPL9DPBDhh/MP ***@fuyu.mindrot.org

-d
Matthew Boedicker
2016-01-04 07:59:52 UTC
Thanks Damien. It's good to know that this is possible and how to do it.

It might be nice if ssh-add did this for you during ssh-add -d. Is there
any reason it couldn't always get the key blob from the agent and send it
back for removal instead of using the filesystem?
Post by Damien Miller
> Post by Matthew Boedicker
> > ssh-agent does not allow you to remove individual keys without having the
> > key file that was added. To remove these keys the user must remove all keys
> > with ssh-add -D.
> No, you only need the public key and you can get that from the agent
> itself if you don't happen to have it laying around.
> ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJmyuVthrSvC6RMly/gJyAd1oFo8NggUUAV0JKvW9V4
> ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFk1eV8abvdBGAJINxDZ2fK9btsLUlHmPL9DPBDhh/MP
> ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFk1eV8abvdBGAJINxDZ2fK9btsLUlHmPL9DPBDhh/MP
> -d
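The exchange Dustin describes (SSH2_AGENTC_REQUEST_IDENTITIES to fetch the blobs, SSH2_AGENTC_REMOVE_IDENTITY to hand one back) and the shortcut Damien shows (the agent's own `ssh-add -L` line is all `ssh-add -d` needs), as an added example that is not code from the thread or from OpenSSH: a small Python client of the agent protocol that lists identities, renders each as the public key line `ssh-add -L` prints, and removes one by comment without touching any key file, which is essentially what Matthew asks `ssh-add -d` to do itself. The message numbers and wire framing are those of PROTOCOL.agent; `FakeAgent` is a constructed in-memory stand-in so the example runs without a live agent, the key blobs it holds are constructed rather than real keys, and `connect_agent()` is the assumed path to a real agent over `SSH_AUTH_SOCK`.

```python
import base64
import io
import os
import socket
import struct

# Message numbers from PROTOCOL.agent (SSH agent protocol, version 2).
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
SSH2_AGENTC_REMOVE_IDENTITY = 18


def put_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: io.BytesIO) -> bytes:
    """Decode one SSH 'string' from a buffer, refusing truncated input."""
    (n,) = struct.unpack(">I", buf.read(4))
    data = buf.read(n)
    if len(data) != n:
        raise ValueError("truncated string in agent message")
    return data


def frame(body: bytes) -> bytes:
    """Every agent message is uint32 length + body (type byte + fields)."""
    return struct.pack(">I", len(body)) + body


def build_request_identities() -> bytes:
    return frame(bytes([SSH2_AGENTC_REQUEST_IDENTITIES]))


def build_remove_identity(key_blob: bytes) -> bytes:
    return frame(bytes([SSH2_AGENTC_REMOVE_IDENTITY]) + put_string(key_blob))


def parse_identities_answer(body: bytes):
    """Return [(key_blob, comment), ...] from an IDENTITIES_ANSWER body."""
    buf = io.BytesIO(body)
    if buf.read(1) != bytes([SSH2_AGENT_IDENTITIES_ANSWER]):
        raise ValueError("unexpected reply type from agent")
    (count,) = struct.unpack(">I", buf.read(4))
    return [(get_string(buf), get_string(buf).decode("utf-8", "replace")) for _ in range(count)]


def public_key_line(key_blob: bytes, comment: str) -> str:
    """Render a blob the way `ssh-add -L` does: '<type> <base64 blob> <comment>'.
    The key type is the first string inside the blob, so no key file is needed."""
    key_type = get_string(io.BytesIO(key_blob)).decode()
    return f"{key_type} {base64.b64encode(key_blob).decode()} {comment}"


def read_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        data += chunk
    return data


def exchange(sock, request: bytes) -> bytes:
    """Send one framed request and return the body of the framed reply."""
    sock.sendall(request)
    (n,) = struct.unpack(">I", read_exact(sock, 4))
    return read_exact(sock, n)


def remove_identity_by_comment(sock, comment: str) -> bool:
    """Fetch blobs from the agent and send the matching one back for removal."""
    for blob, c in parse_identities_answer(exchange(sock, build_request_identities())):
        if c == comment:
            return exchange(sock, build_remove_identity(blob)) == bytes([SSH_AGENT_SUCCESS])
    return False  # no identity with that comment is loaded


def connect_agent():
    """Assumed path to a real agent: the UNIX socket named by SSH_AUTH_SOCK."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(os.environ["SSH_AUTH_SOCK"])
    return s


class FakeAgent:
    """Constructed in-memory stand-in for ssh-agent that answers list and remove
    requests over the same framing, so the exchange can be run offline."""

    def __init__(self, keys):
        self.keys = list(keys)  # [(key_blob, comment)]
        self._out = b""

    def sendall(self, data: bytes) -> None:
        buf = io.BytesIO(data)
        (n,) = struct.unpack(">I", buf.read(4))
        body = buf.read(n)
        if body[0] == SSH2_AGENTC_REQUEST_IDENTITIES:
            reply = bytes([SSH2_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(self.keys))
            for blob, comment in self.keys:
                reply += put_string(blob) + put_string(comment.encode())
        elif body[0] == SSH2_AGENTC_REMOVE_IDENTITY:
            blob = get_string(io.BytesIO(body[1:]))
            before = len(self.keys)
            self.keys = [k for k in self.keys if k[0] != blob]
            reply = bytes([SSH_AGENT_SUCCESS if len(self.keys) < before else SSH_AGENT_FAILURE])
        else:
            reply = bytes([SSH_AGENT_FAILURE])
        self._out += frame(reply)

    def recv(self, n: int) -> bytes:
        chunk, self._out = self._out[:n], self._out[n:]
        return chunk


def demo():
    """Two constructed ed25519-shaped blobs (not real keys): list, remove k1, list again."""
    k1 = put_string(b"ssh-ed25519") + put_string(bytes(range(32)))
    k2 = put_string(b"ssh-ed25519") + put_string(bytes(range(32, 64)))
    agent = FakeAgent([(k1, "k1"), (k2, "k2")])
    listing = [public_key_line(b, c) for b, c in
               parse_identities_answer(exchange(agent, build_request_identities()))]
    removed = remove_identity_by_comment(agent, "k1")
    remaining = [c for _, c in parse_identities_answer(exchange(agent, build_request_identities()))]
    return listing, removed, remaining


if __name__ == "__main__":
    listing, removed, remaining = demo()
    print("\n".join(listing))
    print("removed k1:", removed, "remaining:", remaining)
```

Against a real agent, replace `FakeAgent(...)` with `connect_agent()`; the listing it returns is the same text `ssh-add -L` prints, so writing one line to a `.pub` file and running `ssh-add -d` on it is the shell equivalent of `remove_identity_by_comment`. The agent compares the whole blob, so two keys with the same comment are still told apart.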