Arnasio

Q: MacOS Sierra not properly accessing keychain passphrases for SSH/OpenSSL

Hi,

There seems to be a problem in macOS Sierra regarding the passphrases for SSH keys.

I have my public/private keypair enabled for accessing some Linux servers, so I can SSH into them without entering my passwords. After the upgrade to macOS Sierra, it seems that the keychain is no longer processing/storing/retrieving the passphrases properly.

When I first tried to log in to one of my remote servers, I was asked for the passphrase, which seemed weird, so I thought that perhaps the passphrases were lost in the upgrade and changed the passphrase manually by invoking "ssh-keygen -f id_rsa -p". Then I proceeded to log in again; I was asked for the passphrase and entered it, so I could log in to the server, but then, regardless of SSH telling me that it had stored the new passphrase in the keychain, following attempts to log in always ask me for the passphrase again.

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/xxxxx/.ssh/id_rsa.pub
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug2: input_userauth_pk_ok: fp SHA256:/xxxxxxxxx/GM
debug3: sign_and_send_pubkey: RSA SHA256:/xxxxxxxx/GM
debug3: Search for item with query: {
    acct = "/Users/xxxxx/.ssh/id_rsa.pub";
    agrp = "com.apple.ssh.passphrases";
    class = genp;
    labl = "SSH: /Users/xxxxx/.ssh/id_rsa.pub";
    nleg = 1;
    "r_Data" = 1;
    svce = OpenSSH;
}
debug2: Passphrase not found in the keychain. Enter passphrase for key '/Users/xxxxx/.ssh/id_rsa.pub': debug2: no passphrase given, try next key
debug1: Offering RSA public key: /Users/xxxxx/.ssh/id_rsa
debug3: send_pubkey_test
...
debug2: storing passphrase in keychain debug3: Search for existing item with query: {
    acct = "/Users/xxxxx/.ssh/id_rsa";
    agrp = "com.apple.ssh.passphrases";
    class = genp;
    labl = "SSH: /Users/xxxxx/.ssh/id_rsa";
    nleg = 1;
    "r_Ref" = 1;
    svce = OpenSSH;
}
debug3: Item already exists in the keychain, updating. debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).

Please note how it fails to find the passphrase in the keychain (this is the output of the second and following attempts), then it says that it stores the passphrase in the keychain, and then it finds it and "updates" it. However, the next attempt will not find the passphrase in the keychain, so the process repeats ad nauseam.

MacBook Pro (Retina, 13-inch,Early 2015), macOS Sierra

Posted on Sep 15, 2016 1:19 AM


  • by BobHarris (Solved answer)

    BobHarris Sep 15, 2016 4:19 AM in response to Arnasio
    Level 6 (19,432 points)
    Mac OS X

    We are not allowed to discuss macOS beta issues in the public forums.

    When you signed up, you were given instructions for reporting problems.

    Please find that information and use it, so that the developers may fix any problems you encounter.

  • by Arnasio

    Arnasio Sep 15, 2016 4:22 AM in response to BobHarris
    Level 1 (6 points)
    Mac OS X

    I will, thanks Bob

  • by EricL38

    EricL38 Sep 21, 2016 9:46 AM in response to Arnasio
    Level 1 (4 points)
    Mac OS X

    Now that it's not super-secret mega quiet undercover work...

    Can the rest of the world know what is going on with SSH and Sierra? I just upgraded and I can't SSH into anything anymore... debilitating is the word I am looking for!

  • by BobHarris

    BobHarris Sep 21, 2016 4:32 PM in response to EricL38
    Level 6 (19,432 points)
    Mac OS X

    So what happens when you ssh?

    Do you get error messages?

    Is there anything in the diagnostic output from "ssh -v -v -v destination.address" that tells you the reason for the failure?

    Is it any specific destination system? I know I had some issues with El Capitan and AIX systems. In my case it was caused by the AIX system not supporting the same cipher versions.

    Did you upgrade from El Capitan or from an older OS X version?

    Any other information you can tell us would be helpful.

  • by adwb

    adwb Sep 21, 2016 5:06 PM in response to BobHarris
    Level 1 (4 points)

    I think I experienced the same problem just after upgrading. I use iTerm 2 and the first time I went to ssh into a known server, I was prompted to enter my ssh passphrase. I did enter my passphrase again and it seems to have saved it. I didn't experience the loop mentioned by OP. Why did upgrading require me to enter my passphrase again?

  • by Arnasio

    Arnasio Sep 21, 2016 11:50 PM in response to EricL38
    Level 1 (6 points)
    Mac OS X

    Hi Eric,

    Apparently this is a bug in how macOS Sierra stores and retrieves the passphrases (and I suspect other elements) in the keychain.

    A temporary fix is to add this to your .bash_profile or .bashrc:

    # Fix for ssh passphrases not being stored in keychain:
    ssh-add -A

    Hope it helps.
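
A guarded form of this workaround for .bash_profile, added here as an example and not taken from the thread: it calls ssh-add -A only when the agent is reachable and holds no identities, so each new shell does not re-run it, and it reports when no agent is running at all. The function names are my own; ssh-add -A is the macOS-only flag the post above uses.

```shell
# Added example, not from the thread: a guarded form of the "ssh-add -A" workaround
# for ~/.bash_profile. Function names are my own; "ssh-add -A" is the macOS-only
# flag the thread uses to pull stored passphrases from the keychain into ssh-agent.

# Map the exit status of "ssh-add -l" to an agent state:
# 0 = agent holds identities, 1 = agent reachable but empty, anything else = no agent.
classify_agent_rc() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo noagent ;;
    esac
}

# Query the running agent; "|| rc=$?" keeps this safe under "set -e".
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    classify_agent_rc "$rc"
}

# Only touch the keychain when the agent is running and holds no keys, so a new
# shell does not re-run ssh-add -A (and possibly re-prompt) on every login.
load_keychain_keys() {
    case "$(agent_state)" in
        loaded)  return 0 ;;
        empty)   ssh-add -A ;;
        noagent) echo "ssh-agent not reachable; keys not loaded" >&2; return 2 ;;
    esac
}

# In .bash_profile, call it once at login; "|| true" keeps a missing agent from
# aborting shells that run with "set -e".
load_keychain_keys || true
```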

  • by keith-work

    keith-work Sep 22, 2016 6:44 AM in response to Arnasio
    Level 1 (4 points)

    The ssh-add -A "fix" doesn't work for me.

    I have around 200 individual ssh keys stored in Keychain. When I try to use a key it prompts me for the passphrase, and with -vvv I see this message:

         debug2: Passphrase not found in the keychain.

    So I manually look up the passphrase from Keychain.app, and then subsequent uses of that key do not require a password, and ssh-add -l shows it in the agent on the command line. Even reboots seem to retain the passphrase in the agent (without having to do ssh-add -A).

    Not looking forward to manually entering passphrases for the other 195 keys that I haven't entered yet. What a pain.

    I'm on Sierra, using iTerm2 and Terminal; both get the same result.

  • by EricL38

    EricL38 Sep 22, 2016 8:05 AM in response to keith-work
    Level 1 (4 points)
    Mac OS X

    Yeah, I think this was something similar for me. I am in a better position though, as I had only a handful of keys (though finding the keyphrase for some of those took a while...).

    I did so many things to try to fix it that I can't be sure what actually did it.

    Good luck!