SSH key not persistent every reboot after macOS Sierra update

Hi. I'm having a problem with my ssh key. After my update to macOS Sierra, my key is never permanently stored in ssh-add every reboot. 😟 In OS X Yosemite, all I did is use the ssh-add -K <path to private key> and my ssh key is stored permanently. Is it a Sierra bug or should I do something in KeyChain Access to help me store it permanently? Thanks!

MacBook Pro with Retina display, iOS 10, macOS Sierra v10.12

Posted on Sep 22, 2016 5:51 PM


Nov 8, 2016 1:20 PM in response to yvannegabriel

I found a reasonable solution in this forum: http://apple.stackexchange.com/questions/253779/macos-10-12-sierra-will-not-forget-my-ssh-keyfile-passphrase


Using the info in the link above, I added the following lines to my ~/.ssh/config file and Sierra now uses ssh-agent to store the keys (rather than the keychain), and they can be listed, added or removed with ssh-add -l, ssh-add, or ssh-add -D


UseKeyChain no

AddKeysToAgent yes


(the first line may not be necessary, may be overridden by the second...)

After doing so, the first "ssh-add -D" removed the entry from MacOS's keychain, and now running ssh or any program that invokes ssh prompts for the passphrase and stores the key via ssh-agent (if not already there), as expected. The only thing that no longer seems to work for me as in older versions of OS X is setting ssh-agent defaults such as a timeout in ~/Library/LaunchAgents/org.openbsd.ssh-agent.plist . It's not clear to me where the ssh-agent defaults can now be set.


Also, from what I have read while chasing down a solution to this myself, it appears that OS X's previous pop-up dialog box which added the key to ssh-agent seems to have been removed; ssh prompts for the passphrase directly in the terminal window now (at least it does for me).

Sep 23, 2016 10:42 AM in response to yvannegabriel

I too have this issue. While I am trying to find an answer, I have created a ~/.ssh/config file that helps the situation a little by helping the system find all of my various key files. It contains something like:


IdentityFile ~/.ssh/id-rsa

IdentityFile ~/.ssh/otherserver/id-rsa

IdentityFile ~/.ssh/server2/id-rsa


I do have to put in the password once for the appropriate key file when I start an ssh session. Like I said above, it isn't a real solution. The hunt continues...

Sep 26, 2016 7:03 AM in response to yvannegabriel

Hello yvannegabriel,

Sierra has changed how ssh-agent works. Manually using ssh-agent was never the right approach on OS X and it sounds like Sierra enforces that.


What you have to do is avoid using ssh-add. Restart. Then run ssh. It should ask for your private key passphrase. Provide it and check the box to store it in the keychain. You're done.


If you don't like how Apple does it, I'm afraid you will have to install your own ssh in /usr/local. Do not attempt to replace the system ssh.

Sep 26, 2016 7:56 AM in response to etresoft

Small edit for Sierra apparently. There is no more pop-up keychain dialog and checkbox to save your private key passphrase. It now works more like traditional ssh-agent. You enter your private key on the command line. Then magic happens behind the scenes. I found a few entries in the keychain that corresponded in time to my private key, but deleting them and restarting had no effect.


If you don't want your private key passphrase saved forever in some mysterious, and completely unknown, location, you should probably try to install your own ssh. I have no guarantee that would work however.
