738

It used to remember the passphrase, but now it's asking it to me each time.

I've read that I need to regenerate the public key with this command, which I did:

ssh-keygen -y -f id_rsa > id_rsa.pub

but it didn't fix anything.

How can I make macOS remember my passphrase again?

Giacomo1968
erwan
  • I’m experiencing related behavior: Earlier, the key ring dialog would pop up to ask for the password, now I just get the regular SSH console prompt. Some helper program registration is probably gone. – Daniel B Sep 22 '16 at 11:06
  • It's been years since I generated my id_rsa and I've never used a passphrase and use this to ssh into many servers. Do I really have a passphrase on it, or is it just that Sierra thinks I should? Note that `$ cat ~/.ssh/id_rsa | head -2` `-----BEGIN RSA PRIVATE KEY-----` `Proc-Type: 4,ENCRYPTED` – Joe Murray Oct 28 '16 at 14:30
  • duplicate of https://apple.stackexchange.com/q/254468/62697 – Cœur Jan 30 '17 at 06:05
  • If you're using Prezto and none of these answers solved your problem: Make sure you don't have the `ssh` module enabled in `.zpreztorc`. It's unnecessary on macOS anyway, and if enabled, it will prompt you for your passphrase even after you've added `UseKeychain`. – Jimothy Aug 01 '17 at 17:28
  • try doing `ssh -v ...` to see if it has any useful debug info... – rogerdpack Jun 27 '18 at 14:11

14 Answers

1413

In the latest version of macOS (10.12.2), this is easy to fix. Just edit your ~/.ssh/config and enable the UseKeychain option:

Host *
    UseKeychain yes

There is no need to change anything else. Now everything works the way it used to work before the latest updates. You do not need to add keys to ssh-agent.


Edit: You may still need to enter your passphrase once. If you don't know it, follow these instructions to reveal it.

Jukka Suomela
  • Can't you put this at the end of the config, unindented, instead of using `Host *`? – mblakele Dec 27 '16 at 18:32
  • This definitely works for 10.2.2 – Alvin Nguyen Dec 28 '16 at 00:50
  • This works for Mac OS Sierra too! – Chiko Jan 03 '17 at 05:22
  • Note, the `Host *` block should (almost) always be placed at the bottom of your `~/.ssh/config` file. When `ssh` is looking for settings it uses the *first* value it finds. Thus, by putting the wildcard block at the end, it acts as a set of defaults; you can override settings for specific hosts by specifying them earlier in the file. – Molomby Jan 09 '17 at 00:10
  • This sadly does not work when you use the same `~/.ssh/config` for a non-macOS system, e.g. Ubuntu in a virtual machine. I get: `Bad configuration option: UseKeychain` when trying to `git fetch` in my Ubuntu VM. – Henrik N Jan 09 '17 at 07:49
  • I'm using Mac OSX Sierra (10.12.2) and it didn't work for me. – zyc Jan 11 '17 at 16:38
  • I'm using macOS Sierra (10.12.12) and it worked for me! – njtman Jan 13 '17 at 13:25
  • worked but not when forwarding machine keys via capistrano to fetch from github on the remote, in that case I had to do the ssh-add -K dance – John Smith Jan 13 '17 at 15:36
  • This worked for me as well but I did have to enter the passphrase correctly once. There is [another answer](http://superuser.com/a/1140285/236843) that describes how you can view the password if you don't remember it. – FGreg Jan 19 '17 at 17:45
  • Doesn't seem to work for 10.2.3 – Dan Jan 31 '17 at 15:16
  • Finally something that really fixed this annoyance. I'm running on 10.12.3 and it's perfect now. – TCB13 Feb 09 '17 at 19:43
  • Thank you for this. I need this to work across multiple users on my machine (10.12.3), so I instead added it under the `Host *` section in /etc/ssh/ssh_config, and that worked. – Ivan X Feb 10 '17 at 14:58
  • If the config file doesn't exist, creating one and adding this will work as well. – womplefrog Feb 22 '17 at 14:38
  • @wynshaft yes the file did not exist for me and I created it and dropped those few lines in. works on my machine. – Antwan W. A-Dubb Feb 23 '17 at 20:47
  • Is this setting specific only to the ssh version of macOS? Will another Unix (like Linux or FreeBSD) complain or not recognize it? – thiagowfx Feb 28 '17 at 22:47
  • You do not need the `Host *` heading. Just append the single line `UseKeychain yes` at the top of your `.ssh/config` if you wish for this to apply to all hosts. – sj26 Mar 22 '17 at 01:07
  • I followed this, then it still asked for password, didn't remember my password, looked it up from Keychain Access app, typed it in, it didn't accept it. Then I went and used `ssh-add -K` instead and typed password there, it accepted and it solved my problem! –  May 02 '17 at 07:29
  • Brilliant. This worked perfectly. Such a simple solution, and it saved me messing around with regenerating a bunch of different keys. As you mentioned, I was prompted for my passphrase one more time, and after that it's no longer asking for it. Bingo. – inspirednz May 30 '17 at 06:28
  • @HenrikN Add `IgnoreUnknown UseKeychain` to the `Host *` config block, and you can share your ssh config. See https://superuser.com/a/1178904/138530 and https://developer.apple.com/library/content/technotes/tn2449/_index.html – Jimothy Aug 01 '17 at 17:33
  • Added the file with the above content. Did not work. On OS X 10.12.6. – Fellow Stranger Feb 20 '18 at 13:40
  • Note that you don't actually need the `Host *` part. Just add it to your global config. – bluesmoon Apr 17 '18 at 04:03
  • Don't forget to add the public key to your host: Linux / Mac: cat ~/.ssh/id_rsa.pub | ssh username@your.server.com "mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys" – ppalmeida Aug 17 '18 at 13:24
  • This didn't work for me – Amrit Kahlon Feb 02 '19 at 01:11
  • Worked for me on catalina. – 4F2E4A2E Oct 28 '19 at 08:29
  • This did work for me on Catalina the first time, but when I rebooted it stopped working. In addition to adding `UseKeychain yes` I had to add `AddKeysToAgent yes` as described here: https://apple.stackexchange.com/a/264974/333944 – mchurichi Jul 28 '20 at 13:02
  • Note that the current instructions at https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent say to add `Host *.github.com`, however, this resulted in password prompts and errors in SmartGit and RStudio for me until I changed the config line to `Host *` – Brian D Dec 14 '22 at 21:13
221

I had the same problem. MacOS Sierra keychain keeps asking for the passphrase. Your id_rsa should be encrypted with a passphrase for security. Then try adding it to the keychain:

ssh-add -K ~/.ssh/id_rsa

If your key is in another folder than ~/.ssh then substitute with the correct folder.

Keychain now knows your ssh key and, hopefully, all works now (mine did).

techraf
Lars G.
  • This works but seems not to persist when I restart my computer. Anyone else having the same issue? – joshua.paling Sep 26 '16 at 10:39
  • Yup, same issue here. @joshua.paling – kingkool68 Sep 26 '16 at 13:56
  • @joshua.paling, kingkool68 - Apple has removed the ability to remember your SSH keys across reboot in order to conform to mainstream OpenSSH behavior. See this question for other ways to achieve the same functionality: http://apple.stackexchange.com/questions/254468/macos-sierra-doesn-t-seem-to-remember-ssh-keys-between-reboots – Evan Pon Oct 12 '16 at 16:53
  • @EvanPon But that won’t work with encrypted keys, will it? – Konrad Rudolph Oct 26 '16 at 16:31
  • @KonradRudolph it works for me. Calling `ssh-add` with the `-A` option will look in the MacOS keychain for any passwords for the identities in question. I believe it will prompt you if the passwords are not in the keychain. – Evan Pon Oct 27 '16 at 00:26
  • This worked for me - but the flag was lowercase `-k` not uppercase `-K`. `-k Load only keys and not certificates.` – Kelly J Andrews Nov 07 '16 at 21:46
  • @EvanPon Maybe we’re talking about different things. I was expecting this to persist the setting across reboots. None of the ways posted in your link does (or did, at the time of writing; in the meantime there’s now a way). Adding things to `.bash_profile` works in limited ways, but still requires the user to enter their passphrase at least once. – Konrad Rudolph Feb 01 '17 at 16:07
92

This fixed my similar issue:

/usr/bin/ssh-add -K

This stores passphrases in your keychain.

Update (thanks @EasyCo): This works but does not persist between restarts. @jukka-suomela's solution on this page does work across restarts. You can find that answer here:

https://superuser.com/a/1158050/234685

Raoul
45

I only had to enter the correct passphrase once and it started working. The problem was that I didn't remember my original SSH passphrase, but I recovered it by following these steps from Github:

  • In Finder, search for the Keychain Access app.
  • In Keychain Access, search for SSH.
  • Double click on the entry for your SSH key to open a new dialog box.
  • In the lower-left corner, select Show password.
  • You'll be prompted for your administrative password. Type it into the "Keychain Access" dialog box.
  • Your password will be revealed.
Olli Jaakkola
21

One fix is to add the following to your ~/.ssh/config file:

Host *
   AddKeysToAgent yes
   IdentityFile ~/.ssh/id_rsa
   UseKeychain yes

Taken from: https://www.reddit.com/r/osx/comments/52zn5r/difficulties_with_sshagent_in_macos_sierra/

Also see: https://apple.stackexchange.com/a/264974/3810

ThomasW
  • So far, in none of the answers, has anyone mentioned the `Bad configuration option: usekeychain` error I get with UseKeychain (however it's capitalised). But I *was* able to get it working by removing just that line and leaving AddKeysToAgent and IdentityFile (you still have to enter the passphrase the first time). This is with macOS Sierra 10.12.6. – William Turrell Aug 29 '17 at 12:47
  • this works fine when I am in the terminal and use the ssh command, but other apps, like WebStorm that use their own terminal, don't take this configuration until I first use an ssh command in the regular terminal. Then it works everywhere. Any suggestions? – santiago arizti Apr 17 '18 at 16:53
  • @WilliamTurrell If this still happens, type `which ssh` to ensure that you are using `/usr/bin/ssh` and not a version from Fink or MacPorts, which would be under something like `/usr/local/bin/ssh` or `/opt/local/bin/ssh` – Stefan Lasiewski May 17 '18 at 21:25
19

None of the above solutions worked after installing Sierra over El Capitan on a new MacBook Pro. Sierra by design does not save SSH keys in the keychain.

Two solutions worked for me. One is to add the command ssh-add -A &> /dev/null to ~/.bash_profile. Every time you open the terminal, this command will be executed (the &> /dev/null part sends the output of the command to the file /dev/null).

A more complicated but slightly slicker solution is to create a plist with the command that is executed every time the OS is booted as suggested in Saving SSH keys in macOS Sierra keychain. This involves using Xcode to create the file.

Giacomo1968
Hank Snow
9

I tried multiple answers here, but was still having issues with remote keys passing (such as when using capistrano). To solve it, I read the technote from Apple and made this my config file. No more asking for my password!

https://developer.apple.com/library/content/technotes/tn2449/_index.html

Host *
   IdentityFile ~/.ssh/id_rsa
   IgnoreUnknown UseKeychain
   UseKeychain yes
   AddKeysToAgent yes

DavidPostill
Geek Goddess
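The accepted answer, ThomasW's block and the config just above all lean on two ssh_config rules that the comments spell out: ssh keeps the first value it meets for an option, so a trailing `Host *` block behaves as a set of defaults that earlier per-host blocks override, and `IgnoreUnknown UseKeychain` keeps one shared config loadable on systems whose ssh does not know the option. The script below is an added example written for this page, not code from the thread or from Apple. It appends such a block to a config file exactly once and includes a small resolver that models the first-match rule for plain `Host` blocks; `Match` blocks, `!` negation and the `Key=value` spelling are deliberately out of scope, and the config path is always an argument so it can be tried on a scratch file first.

```shell
#!/bin/sh
# Added example (not from the thread or Apple): keychain defaults for ssh_config
#  - add_keychain_defaults CONFIG         appends one trailing "Host *" block
#  - effective_option CONFIG HOST OPTION  prints the value ssh would settle on,
#    modelling the "first obtained value wins" rule of ssh_config(5)

MARK='# keychain defaults (added by add_keychain_defaults)'

add_keychain_defaults() {
  cfg=$1
  mkdir -p "$(dirname "$cfg")"
  [ -f "$cfg" ] || : > "$cfg"               # the file may not exist yet
  if grep -qF "$MARK" "$cfg"; then
    return 0                                # already added; stay idempotent
  fi
  # Appended at the end on purpose: per-host blocks above it take precedence.
  # IgnoreUnknown keeps the same file loadable where UseKeychain is unknown.
  printf '\n%s\nHost *\n    IgnoreUnknown UseKeychain\n    UseKeychain yes\n    AddKeysToAgent yes\n' "$MARK" >> "$cfg"
  chmod 600 "$cfg"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# host_matches HOST "PATTERNS": true if HOST matches any whitespace-separated glob
host_matches() {
  h=$1
  set -f; set -- $2; set +f                 # split patterns without globbing files
  for p in "$@"; do
    case "$h" in $p) return 0 ;; esac
  done
  return 1
}

effective_option() {
  cfg=$1; host=$2; want=$(lower "$3")
  pats='*'                                  # lines before any Host apply to all hosts
  while IFS= read -r line || [ -n "$line" ]; do
    set -f; set -- $line; set +f            # keyword + value tokens
    [ $# -gt 0 ] || continue                # blank line
    case "$1" in '#'*) continue ;; esac     # comment
    key=$(lower "$1"); shift; rest=$*
    if [ "$key" = host ]; then
      pats=$rest
    elif [ "$key" = "$want" ] && host_matches "$host" "$pats"; then
      printf '%s\n' "$rest"                 # first match wins; stop here
      return 0
    fi
  done < "$cfg"
  return 1                                  # option not set for this host
}

# Demo on a constructed config: one host opts out of the keychain, every
# other host picks up the appended defaults.
demo_dir=$(mktemp -d)
printf 'Host build\n    HostName build.example.test\n    UseKeychain no\n' > "$demo_dir/config"
add_keychain_defaults "$demo_dir/config"
add_keychain_defaults "$demo_dir/config"    # no-op the second time
printf 'build            -> UseKeychain %s\n' "$(effective_option "$demo_dir/config" build UseKeychain)"
printf 'git.example.test -> UseKeychain %s\n' "$(effective_option "$demo_dir/config" git.example.test UseKeychain)"
rm -rf "$demo_dir"
```

For real use, `add_keychain_defaults ~/.ssh/config` is the call; the authoritative check on a Mac is `ssh -G some-host | grep -i usekeychain`, which prints the configuration ssh itself arrives at for that host, and the resolver above should agree with it for simple `Host`-only files.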
8

This morning, I had the same problem as you after updating to Sierra. In my case, the id_rsa file was encrypted and after decrypting it was working like a charm.

  1. Verify if your id_rsa file is encrypted with the following command: cat ~/.ssh/id_rsa | head -2
  2. If the second line says Proc-Type: 4,ENCRYPTED, it's encrypted and you could try decrypting it
  3. Important: make a backup of your original id_rsa file! Use the command cp ~/.ssh/id_rsa ~/.ssh/id_rsa.bak
  4. Decrypt your private key with openssl rsa -in ~/.ssh/id_rsa -out ~/.ssh/id_rsa.decrypted
  5. Remove the original key (rm ~/.ssh/id_rsa) and replace it with the decrypted one: mv ~/.ssh/id_rsa.decrypted ~/.ssh/id_rsa

After these steps, you should be able to use ssh again.

  • While that is a workaround of sorts, I don’t think it really *solves* the OP’s problem. – Daniel B Sep 22 '16 at 11:05
  • This works for me. @DanielB, what is the problem with doing this? – Dag Høidahl Sep 26 '16 at 12:55
  • @DagHøidahl The key will no longer be encrypted. It can be stolen with regular user rights, so encryption is a strong SHOULD. – Daniel B Sep 26 '16 at 13:50
  • This removes the password from the key, which is why it works around the OP's problem. But I recommend against this. The password is all that stops people from using your key when it's stolen. Since your key will probably give access to multiple systems you don't want to weaken it. – Martijn Heemels Oct 01 '16 at 18:41
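The comments make the practical point: step 1 tells you whether the key carries a passphrase, and the answer to a key that does is to keep it and let the keychain remember the passphrase, not to strip it. The script below is an added example (mine, not from the thread) that only reads a key file and reports whether it is passphrase-protected. It covers the legacy PEM `Proc-Type: 4,ENCRYPTED` header from step 1, PKCS#8 `ENCRYPTED PRIVATE KEY` files, and the newer `OPENSSH PRIVATE KEY` format, where the cipher name is stored inside the base64 body rather than in a header line, so `head -2` alone cannot tell. The sample files it writes are constructed header-only stubs, not real keys, and it assumes a `base64` that accepts `-d`.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check of whether a private
# key needs a passphrase, for legacy PEM, PKCS#8 and openssh-key-v1 files.

# key_is_encrypted FILE : exit 0 if a passphrase is required, 1 if not
key_is_encrypted() {
  key=$1
  case "$(head -n 1 "$key")" in
    '-----BEGIN ENCRYPTED PRIVATE KEY-----')
      return 0 ;;                                     # PKCS#8, always encrypted
    '-----BEGIN OPENSSH PRIVATE KEY-----')
      # openssh-key-v1 body: 15-byte magic "openssh-key-v1\0", then a 4-byte
      # big-endian string length, then the cipher name ("none" = no passphrase)
      set -- $(sed -e '1d' -e '$d' "$key" | base64 -d | od -An -tu1 -j15 -N4)
      len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
      cipher=$(sed -e '1d' -e '$d' "$key" | base64 -d | tail -c +20 | head -c "$len")
      [ "$cipher" != none ] ;;
    *)
      # Legacy PEM (BEGIN RSA/EC/DSA PRIVATE KEY): a Proc-Type header announces encryption
      grep -q '^Proc-Type: 4,ENCRYPTED' "$key" ;;
  esac
}

# Constructed stand-ins for the demo: header bytes only, NOT real keys.
write_sample_openssh_key() {      # $1 = path, $2 = cipher name ("none" or e.g. aes256-ctr)
  cipher=$2
  {
    echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    {
      printf 'openssh-key-v1\000\000\000\000'        # magic + 3 high length bytes
      printf "\\$(printf '%03o' "${#cipher}")"       # low length byte as an octal escape
      printf '%s' "$cipher"
    } | base64
    echo '-----END OPENSSH PRIVATE KEY-----'
  } > "$1"
}

write_sample_pem_key() {          # $1 = path, $2 = "encrypted" or "plain"
  {
    echo '-----BEGIN RSA PRIVATE KEY-----'
    if [ "$2" = encrypted ]; then
      echo 'Proc-Type: 4,ENCRYPTED'
      echo 'DEK-Info: AES-128-CBC,00000000000000000000000000000000'
      echo
    fi
    echo 'AAAA'                                      # placeholder body
    echo '-----END RSA PRIVATE KEY-----'
  } > "$1"
}

# Demo: classify four constructed files, plus any real key path passed as $1.
demo=$(mktemp -d)
write_sample_openssh_key "$demo/ed25519_enc" aes256-ctr
write_sample_openssh_key "$demo/ed25519_plain" none
write_sample_pem_key "$demo/rsa_enc" encrypted
write_sample_pem_key "$demo/rsa_plain" plain
for f in "$demo"/* ${1:+"$1"}; do
  if key_is_encrypted "$f"; then echo "$f: passphrase-protected"; else echo "$f: no passphrase"; fi
done
rm -rf "$demo"
```

Run it as `sh check.sh ~/.ssh/id_rsa` to classify your own key alongside the samples; a key reported as protected is the case where `ssh-add -K` (or `UseKeychain yes`) is the fix, and a key reported as unprotected should get a passphrase via `ssh-keygen -p` rather than stay that way.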
8

I started suffering from the same problem using MacOS Monterey. I just noticed that when I tried to add my key using:

 /usr/bin/ssh-add -K /path/to/my-key

I saw this:

WARNING: The -K and -A flags are deprecated and have been replaced
         by the --apple-use-keychain and --apple-load-keychain
         flags, respectively.  To suppress this warning, set the
         environment variable APPLE_SSH_ADD_BEHAVIOR as described in
         the ssh-add(1) manual page.

So I used:

/usr/bin/ssh-add --apple-use-keychain /path/to/my-key

Added this answer if someone else is suffering from this using MacOS Monterey.

camikiller
  • Make sure you add the full key path, usually it's at `.ssh % /usr/bin/ssh-add --apple-use-keychain /Users/MYUSERNAME/.ssh/id_rsa` – user1034912 Aug 01 '22 at 03:36
6

I had this issue as well when attempting to deploy some code using Capistrano. Very frustrating. Here are two methods I know of to deal with this issue.

Method 1: Add all known keys to the SSH agent.

So one solution I found is to run ssh-add with the -A option—which adds all known identities to the SSH agent using any passphrases stored in your keychain—like this:

ssh-add -A

Now this works but it won’t persist across reboots. So if you want to never worry about this again, just open up your user’s ~/.bash_profile file like this:

nano ~/.bash_profile

And add this line to the bottom:

ssh-add -A 2>/dev/null;

Now when you open a new Terminal window, all should be good!

Method 2: Add only SSH keys that are in the keychain to the agent.

So while the ssh-add -A option should work for most basic cases, I ran into an issue recently where I had 6-7 Vagrant boxes (which uses SSH keys/identities for access) setup on a machine on top of the more common id_rsa.pub in place.

Long story short, I ended up being locked out of a remote server due to too many failed tries based on SSH keys/identities since the server access was based on a password and SSH keys/identities are SSH keys/identities. So the SSH agent tried all of my SSH keys, failed and I couldn’t even get to the password prompt.

The problem is that ssh-add -A will just arbitrarily add every single SSH key/identity you have to the agent even if it’s not necessary to do so; such as in the case of Vagrant boxes.

My solution after much testing was as follows.

First, if you have more SSH keys/identities added to your agent than you need—as shown with ssh-add -l then purge them all from the agent like so:

ssh-add -D

With that done, then start the SSH agent as a background process like so:

eval "$(ssh-agent -s)"

Now, it gets weird and I am not too sure why. In some cases you can specifically add the ~/.ssh/id_rsa.pub key/identity to the agent like so:

ssh-add ~/.ssh/id_rsa.pub

Type in your passphrase, hit Return and you should be good to go.

But in other cases simply running this is enough to get the key/identity added:

ssh-add -K

If that’s all worked, type in ssh-add -l and you should see one lone SSH key/identity listed.

All good? Now open up your .bash_profile:

nano ~/.bash_profile

And add this line to the bottom; comment or remove the -A version if you have that in place:

ssh-add -K 2>/dev/null;

That will allow the SSH key/identity to be reloaded to the SSH agent on each startup/reboot.

UPDATE: Apple has now added a UseKeychain option to the open SSH config options and considers ssh-add -A a solution as well.

As of macOS Sierra 10.12.2, Apple (I assume) has added a UseKeychain config option for SSH configs. Checking the man page (via man ssh_config) shows the following info:

UseKeychain
        On macOS, specifies whether the system should search for
        passphrases in the user's keychain when attempting to use a par-
        ticular key. When the passphrase is provided by the user, this
        option also specifies whether the passphrase should be stored
        into the keychain once it has been verified to be correct.  The
        argument must be ``yes'' or ``no''.  The default is ``no''.

Which boils down to Apple seeing the solution as either adding ssh-add -A to your .bash_profile as explained in this Open Radar ticket or adding UseKeychain as one of the options in a per user ~/.ssh/config.

Giacomo1968
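The `.bash_profile` line in this answer, the `ssh-add -A` line in Hank Snow's answer and the deprecation warning in camikiller's Monterey answer fit together as one login-profile snippet, shown below as an added example that is not code from any of those answers or from Apple. It loads keychain-stored keys only when the agent has none, purges and reloads when more identities are loaded than a local limit (the "too many failed tries" lock-out described above, where every loaded identity is offered before the password prompt), and picks the flag spelling by macOS release. The cut-over at macOS 12 and the `MAX_LOADED_KEYS` limit are my assumptions; the exit-status meanings of `ssh-add -l` (0 keys listed, 1 agent empty, 2 no agent reachable) are ssh-add's own.

```shell
#!/bin/sh
# Added example (not from the answers or Apple): profile snippet that loads
# keychain keys into the agent only when needed. Assumptions: --apple-* flags
# from macOS 12 (Monterey) on, -A/-K before; MAX_LOADED_KEYS is local policy.

MAX_LOADED_KEYS=${MAX_LOADED_KEYS:-3}

# keychain_load_flag VERSION : ssh-add flag that loads passphrases from the keychain
keychain_load_flag() {
  major=${1%%.*}; major=${major:-0}
  if [ "$major" -ge 12 ]; then echo '--apple-load-keychain'; else echo '-A'; fi
}

# keychain_store_flag VERSION : ssh-add flag that stores a passphrase in the keychain
keychain_store_flag() {
  major=${1%%.*}; major=${major:-0}
  if [ "$major" -ge 12 ]; then echo '--apple-use-keychain'; else echo '-K'; fi
}

# agent_action STATUS COUNT : decision from "ssh-add -l" exit status and key count
# (0 = keys listed, 1 = agent has no identities, 2 = no agent reachable)
agent_action() {
  case "$1" in
    2) echo start ;;                         # no agent: start one, then load
    1) echo load ;;                          # agent empty: load from keychain
    0) if [ "$2" -gt "$MAX_LOADED_KEYS" ]; then echo trim; else echo ok; fi ;;
    *) echo unknown ;;
  esac
}

# ensure_agent_keys : the side-effecting part; call it from your profile.
ensure_agent_keys() {
  command -v ssh-add >/dev/null 2>&1 || return 0
  listing=$(ssh-add -l 2>/dev/null); status=$?
  count=0
  [ -n "$listing" ] && count=$(printf '%s\n' "$listing" | wc -l | tr -d ' ')
  version=$(sw_vers -productVersion 2>/dev/null || echo 0)
  flag=$(keychain_load_flag "$version")
  case "$(agent_action "$status" "$count")" in
    start) eval "$(ssh-agent -s)" >/dev/null; ssh-add "$flag" 2>/dev/null ;;
    load)  ssh-add "$flag" 2>/dev/null ;;
    trim)
      # Every loaded identity is offered before a password prompt appears and
      # burns a server attempt; purge and reload just the keychain-backed ones.
      ssh-add -D >/dev/null 2>&1
      ssh-add "$flag" 2>/dev/null ;;
  esac
}

# Demo of the decision table on constructed states (no agent is touched).
for state in "2 0" "1 0" "0 1" "0 7"; do
  set -- $state
  printf 'ssh-add -l status=%s keys=%s -> %s\n' "$1" "$2" "$(agent_action "$1" "$2")"
done
printf 'macOS 10.12.6: load with %s, store with %s\n' "$(keychain_load_flag 10.12.6)" "$(keychain_store_flag 10.12.6)"
printf 'macOS 12.6:    load with %s, store with %s\n' "$(keychain_load_flag 12.6)" "$(keychain_store_flag 12.6)"
```

To use it, source the file from `~/.bash_profile` or `~/.zprofile` and add a line `ensure_agent_keys` after it; the `trim` branch is what replaces the manual `ssh-add -D` then `ssh-add -K` sequence in Method 2, and `ssh-add -l` afterwards should list only the keychain-backed identities.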
4

Jukka Suomela's answer is correct, but if you are using openssh installed from homebrew, then you also need to uninstall it with:

brew remove openssh

...to switch back to system default openssh, because homebrew's one doesn't support UseKeychain ssh config entry.

Greg Dubicki
3

You need a .plist file added to ~/Library/LaunchAgents/ to run ssh-add -A on every startup of macOS.

There's a single command which does this (from SSH-keys-in-macOS-Sierra-keychain):

curl -o ~/Library/LaunchAgents/ssh.add.a.plist https://raw.githubusercontent.com/jirsbek/SSH-keys-in-macOS-Sierra-keychain/master/ssh.add.a.plist

Alec Rust
2

I tried all solutions suggested here, but I don't have keychain set up in my Mac.

Adding the following line at the top of the .ssh/config file on both the local and the remote machine worked for me.

PubkeyAcceptedKeyTypes=+ssh-dss

Giacomo1968
-1

In my case, ssh asked for a passphrase because I tried to connect without specifying a username:

ssh hostname.com

The remote host considers it as connecting under root. Fixed using my remote host username:

ssh username@hostname.com

coolsv