
MacOS Sierra not properly accessing keychain passphrases for SSH/OpenSSL

Hi,


There seems to be a problem in MacOS Sierra regarding the passphrases for SSH keys.


I have my public/private keypair enabled for accessing some Linux servers, so I can SSH into them without inserting my passwords. After the upgrade to macOS Sierra, it seems that the keychain is no longer processing/storing/retrieving the passphrases properly.


When I first tried to log in to one of my remote servers, I was asked for the passphrase, which seemed weird, so I thought that perhaps the passphrases were lost in the upgrade and changed the passphrase manually by invoking "ssh-keygen -f id_rsa -p". Then I proceeded to log in again; I was asked for the passphrase and entered it, so I could log in to the server, but then, regardless of SSH telling me that it has stored the new passphrase in the keychain, the following attempts to log in always ask me for the passphrase.


debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/xxxxx/.ssh/id_rsa.pub
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug2: input_userauth_pk_ok: fp SHA256:/xxxxxxxxx/GM
debug3: sign_and_send_pubkey: RSA SHA256:/xxxxxxxx/GM
debug3: Search for item with query: { acct = "/Users/xxxxx/.ssh/id_rsa.pub"; agrp = "com.apple.ssh.passphrases"; class = genp; labl = "SSH: /Users/xxxxx/.ssh/id_rsa.pub"; nleg = 1; "r_Data" = 1; svce = OpenSSH; }
debug2: Passphrase not found in the keychain.
Enter passphrase for key '/Users/xxxxx/.ssh/id_rsa.pub':
debug2: no passphrase given, try next key
debug1: Offering RSA public key: /Users/xxxxx/.ssh/id_rsa
debug3: send_pubkey_test
...
debug2: storing passphrase in keychain
debug3: Search for existing item with query: { acct = "/Users/xxxxx/.ssh/id_rsa"; agrp = "com.apple.ssh.passphrases"; class = genp; labl = "SSH: /Users/xxxxx/.ssh/id_rsa"; nleg = 1; "r_Ref" = 1; svce = OpenSSH; }
debug3: Item already exists in the keychain, updating.
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).


Please note how it fails to find the passphrase in the keychain (this is the output of the second and following attempts), then it says that it stores the passphrase in the keychain, and then it finds it and "updates" it. However, the next attempt will not find the passphrase in the keychain, so the process repeats "ad nauseam".

MacBook Pro (Retina, 13-inch,Early 2015), macOS Sierra

Posted on Sep 15, 2016 1:19 AM

19 replies
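As an added example (not code from the original post, nor part of Apple's or OpenSSH's tooling), the POSIX shell script below reads the kind of "ssh -vvv" output shown in the post and reports whether it exhibits the miss-then-store pattern the poster describes, which is also the "Passphrase not found in the keychain." line quoted in the Sep 22 reply. The script name, the --stdin flag and the /Users/example paths are this example's own assumptions, and the two sample logs are constructed from the lines in the post rather than captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the thread: classify the keychain-related debug
# lines of an `ssh -vvv` run so the "stored but never found" loop described
# by the original poster can be told apart from a healthy run.
#
# Usage (file name and --stdin flag are this example's own choices):
#   ssh -vvv user@host 2>&1 | sh diagnose_keychain.sh --stdin
# Without --stdin the script runs against the constructed samples below.

# Print the key paths ssh looked up in the keychain, i.e. the acct field of
# each "Search for item with query" line, one per line.
keychain_lookups() {
    printf '%s\n' "$1" |
        sed -n '/Search for item with query/s/.*acct = "\([^"]*\)".*/\1/p'
}

# Print one verdict token for a captured log:
#   keychain-loop       lookup failed, yet ssh stored/updated the passphrase
#                       (the original post's pattern: it will miss again next time)
#   keychain-miss       lookup failed and nothing was stored
#   ok                  no miss, and public-key authentication succeeded
#   auth-failed         keychain activity seen but no successful authentication
#   no-keychain-lookup  the log contains no keychain activity at all
diagnose_keychain() {
    log=$1
    # grep -c prints 0 on no match but exits 1; "|| true" keeps set -e callers alive
    not_found=$(printf '%s\n' "$log" | grep -c 'Passphrase not found in the keychain' || true)
    stored=$(printf '%s\n' "$log" | grep -c \
        -e 'storing passphrase in keychain' \
        -e 'Item already exists in the keychain, updating' || true)
    success=$(printf '%s\n' "$log" | grep -c 'Authentication succeeded (publickey)' || true)
    lookups=$(printf '%s\n' "$log" | grep -c 'Search for .*item with query' || true)

    if [ "$not_found" -gt 0 ] && [ "$stored" -gt 0 ]; then
        echo keychain-loop
    elif [ "$not_found" -gt 0 ]; then
        echo keychain-miss
    elif [ "$lookups" -eq 0 ]; then
        echo no-keychain-lookup
    elif [ "$success" -gt 0 ]; then
        echo ok
    else
        echo auth-failed
    fi
}

# Constructed sample modelled on the original post: the .pub file is offered as
# an identity, the keychain lookup misses, then ssh stores/updates anyway.
SAMPLE_LOOP_LOG='debug1: Offering RSA public key: /Users/example/.ssh/id_rsa.pub
debug3: Search for item with query: { acct = "/Users/example/.ssh/id_rsa.pub"; agrp = "com.apple.ssh.passphrases"; class = genp; svce = OpenSSH; }
debug2: Passphrase not found in the keychain.
debug2: no passphrase given, try next key
debug1: Offering RSA public key: /Users/example/.ssh/id_rsa
debug2: storing passphrase in keychain
debug3: Search for existing item with query: { acct = "/Users/example/.ssh/id_rsa"; agrp = "com.apple.ssh.passphrases"; class = genp; svce = OpenSSH; }
debug3: Item already exists in the keychain, updating.
debug1: Authentication succeeded (publickey).'

# Constructed healthy sample: one lookup for the private key, no miss, success.
SAMPLE_OK_LOG='debug1: Offering RSA public key: /Users/example/.ssh/id_rsa
debug3: Search for item with query: { acct = "/Users/example/.ssh/id_rsa"; agrp = "com.apple.ssh.passphrases"; class = genp; svce = OpenSSH; }
debug1: Authentication succeeded (publickey).'

if [ "${1:-}" = "--stdin" ]; then
    log=$(cat)
    echo "verdict: $(diagnose_keychain "$log")"
    echo "keys looked up in keychain:"
    keychain_lookups "$log"
else
    echo "constructed loop sample    -> $(diagnose_keychain "$SAMPLE_LOOP_LOG")"
    echo "constructed healthy sample -> $(diagnose_keychain "$SAMPLE_OK_LOG")"
    echo "keys looked up (loop sample):"
    keychain_lookups "$SAMPLE_LOOP_LOG"
fi
```

A lookup reported for a path ending in .pub means the public-key file itself was offered as an identity, exactly as in the poster's log, which is worth checking against the IdentityFile settings before assuming the keychain is at fault; "ssh-add -l", mentioned later in the thread, separately shows which keys the agent currently holds.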

Nov 16, 2017 5:25 PM in response to MathieuDB

MathieuDB wrote:


BobHarris answer is just not helpful.

(Since there is no unhelpful button, I had no other choice than add a comment oO)

At the time the question was asked, Sierra was in beta testing and could not be discussed in these forums. Arnasio (the original poster) was the one who decided to mark it answered.


Today, Sierra is not beta, and you are free to discuss it, in this post or any others.


However, since this post is marked answered, I would suggest you start a new Post (see the "Post" button at the top of this page), and then you will be able to make any answer you choose as Answered.

Sep 21, 2016 4:32 PM in response to EricL38

So what happens when you ssh?


Do you get error messages?


Is there anything in the diagnostic output from "ssh -v -v -v destination.address" that tells you the reason for the failure?


Is it any specific destination system? I know I had some issues with El Capitan and AIX systems. In my case it was caused by the AIX system not supporting the same cipher versions.


Did you upgrade from El Capitan or from an older OS X version?


Any other information you can tell us would be helpful.

Sep 21, 2016 5:06 PM in response to BobHarris

I think I experienced the same problem just after upgrading. I use iTerm 2 and the first time I went to ssh into a known server, I was prompted to enter my ssh passphrase. I did enter my passphrase again and it seems to have saved it. I didn't experience the loop mentioned by OP. Why did upgrading require me to enter my passphrase again?

Sep 22, 2016 6:44 AM in response to Arnasio

The ssh-add -A "fix" doesn't work for me.


I have around 200 individual ssh keys stored in Keychain. When I try to use a key it prompts me for the passphrase and with -vvv I see this message:

debug2: Passphrase not found in the keychain.


So I manually look up the passphrase from Keychain.app and then subsequent uses of that key do not require a password, and ssh-add -l shows it in the agent on the command line. Even reboots seem to retain the passphrase in the agent (without having to do ssh-add -A).


Not looking forward to manually entering passphrases for the other 195 keys that I haven't entered yet. What a pain.


I'm on Sierra; iTerm2 and Terminal both get the same result.

Sep 30, 2016 6:08 AM in response to Rinamaunawiya

Rinamaunawiya wrote:


help me try his weekly iPad, because something happened to my computer, and please help restore all memory into the iOS, thanks

Maybe start a new "Post" in the forum associated with your device. If that is an iPad, try

<Using iPad>

Then click on the "Post" button at the top of the iPad forum web page.

Try to describe your problem as best you can.


If it is for a Macintosh computer, then try

<Mac OS & System Software>

And pick the operating system forum that matches the version of OS X you are using.

Then click on the "Post" button at the top of the operating system forum you choose.


If your question is really about problems using the 'ssh' command from a macOS Sierra operating system, then please try to better describe your 'ssh' on Sierra question.

Oct 7, 2016 1:53 PM in response to Arnasio

I've already managed to fix this problem myself


all you need to do is the following:


open "Keychain Access"

then from "login" keychains locate "SSH: /Users/yourusername/.ssh/id_rsa"

then right click and copy password to clipboard; unfortunately I found the password to be 'roott' and that is not a password that I ever used, seems like the new upgrade shipped with this passphrase


but then I used that passphrase to get my password-less ssh hosts to work


if you want to fix it for later use, just edit the password to match your Mac session password


hope it helps
