How to remove SSH keys from ssh-agent

A crowded ssh-agent can make OpenSSH offer the wrong private key before the intended one, and some servers disconnect after too many failed public-key attempts. Removing stale identities keeps the current login session focused on the key that should still be usable.

The ssh-agent process stores decrypted private keys in memory and exposes them through SSH_AUTH_SOCK. The ssh-add command lists fingerprints with -l, removes a selected identity with -d, and clears the agent with -D while leaving the private key files under ~/.ssh on disk.

Deletion affects only the running agent that the current shell can reach. Another desktop key manager, terminal multiplexer pane, or shell with a different agent socket may still hold its own identities, so check the key list in the same session that will make the next SSH or Git connection.

Related: How to add an SSH key to ssh-agent
Related: How to set per-host SSH identity files in SSH config
Related: How to enable SSH agent forwarding

Steps to remove SSH keys from ssh-agent:

  1. List identities currently loaded in the reachable ssh-agent. 
    $ ssh-add -l
256 SHA256:pYDNXHQKpBPjsotQcjrpQM8nzOTDmxksXGjSI+Jr+gI user@example.com (ED25519)
256 SHA256:XeWutQB7G0tim0WwYWKiGYAGrVZ3ppvAQGoM9rfweVw git@example.com (ED25519)

    If this command prints Could not open a connection to your authentication agent., the current shell is not connected to an agent. Switch to the session that owns SSH_AUTH_SOCK before removing keys.

    Tool: SSH Key Fingerprint Checker

  2. Remove the selected identity from the agent. 
    $ ssh-add -d ~/.ssh/id_ed25519
Identity removed: /home/user/.ssh/id_ed25519 ED25519 (user@example.com)

    Replace ~/.ssh/id_ed25519 with the matching public key path, such as ~/.ssh/id_ed25519.pub, or with the private key path when its .pub file is beside it. The key file remains on disk; only the loaded agent identity is deleted.

  3. List the agent identities again to confirm the selected key is gone. 
    $ ssh-add -l
256 SHA256:XeWutQB7G0tim0WwYWKiGYAGrVZ3ppvAQGoM9rfweVw git@example.com (ED25519)
  4. Clear every identity only when the agent should be empty. 
    $ ssh-add -D
All identities removed.

    ssh-add -D removes all identities from the reachable agent. Later SSH and Git operations that depend on those cached keys may prompt again or fail until the needed key is added back.

  5. Verify that the agent is empty after a full clear. 
    $ ssh-add -l
The agent has no identities.

    If a desktop key manager reloads identities automatically, repeat the list check in the same terminal before testing the next connection.