How is agent forwarding different in 2.5 than previous versions?

Key management works differently in Prompt 2.5 than in previous versions. Key passphrases are now associated with the keys themselves and totally independent of any server. This means that a key passphrase now only has to be entered in one place (Settings -> Keys) instead of for each server the key will be used with. This also means that agent forwarding now behaves more like it does in OpenSSH. Since we have no idea which key you’ll want to use with which remote servers, the agent will attempt to use each of the keys in the agent to authenticate. A key therefore cannot be added to the agent if it is encrypted.

By design, this behavior closely mirrors that of OpenSSH. If you run ssh-add and attempt to add an encrypted key, you will immediately be prompted for a passphrase. If you do not provide the passphrase for the key, it will not be added to the agent and will not be forwarded on to other servers. This behavior is described in the man pages:

“If any file requires a passphrase, ssh-add asks for the passphrase from the user. The passphrase is read from the user’s tty. ssh-add retries the last passphrase if multiple identity files are given.”

We no longer sync key passphrases with Panic Sync. If a passphrase is entered for a key, it is only stored in the iOS keychain and never leaves the device except in an encrypted iCloud backup.