804

It seems that ssh-add -K ~/.ssh/id_rsa will load your key but will ask for the password each time you reboot.

I am looking for a solution that would not require me to re-enter the key password between logins.

sorin
  • 28,475
  • 65
  • 162
  • 235
  • 1
    Can you say a little more about when the password prompt comes up for you? I ask because I have an ssh-key for a remote server, which I assure you is not the same as my Mac login password or anything, and I haven't had to enter the password for the ssh-key for *years*. I can just open up a terminal, type "ssh ", and I'm there. I think I first set this key up under OSX 10.5. id_dsa, but I don't think that should matter. – Michael H. Apr 13 '12 at 16:39
  • My `id_rsa` key has a password on it. – sorin Apr 13 '12 at 16:46
  • I also have the problem that I solved this so long ago that I can't remember exactly what I did. But I _think_ the idea is to _not_ run `ssh-add`, but just run `ssh` directly. You should get a window popping up that will as the pass phrase for the key, and with a checkbox to let you store it in your keychain. – Harald Hanche-Olsen Apr 13 '12 at 18:19
  • 1
    @Sorin - so does mine! I had to enter it once, long ago, and the Mac has saved it for me ever since. Hopefully Harald's advice will help. – Michael H. Apr 13 '12 at 18:35
  • Do you mean the Keychain password (i.e. your login password) or the key's passphrase? If it's the latter, re your passphrases definitely stored in Keychain? You can check this by opening Keychain Access and looking for it in the login keychain. – Mathew Hall Apr 20 '12 at 11:41
  • **ssh - authorized_keys HOWTO** http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html – E1Suave May 23 '12 at 19:01
  • I do these to solve it, ref: https://unix.stackexchange.com/a/560404/388990 Hope it works, thanks – Toni Firnandes Jan 05 '20 at 03:33
  • I do these to solve it, ref: https://unix.stackexchange.com/a/560404/388990 Hope it works, thanks – Toni Firnandes Jan 05 '20 at 03:35
  • @ToniFirnandes Those instructions you point to are outdated. One should use the accepted answer below. – oligofren Feb 04 '22 at 05:55

7 Answers7

1192

It is not possible to add private key to Keychain, but you can store passphrase for private key in Keychain. On OSX, the native ssh-add command has a special argument to save the private key's passphrase in the OSX Keychain, which means that your normal login will unlock it for use with ssh. On OSX Sierra and later, you also need to configure SSH to always use the Keychain (see Step 2 below).

Alternatively you can use a key without a passphrase, but if you prefer the security that's certainly acceptable with this workflow.

Step 1 - Store passphrase in the Keychain

In the latest version of MacOS (12.0 Monterey), just do this once:

ssh-add --apple-use-keychain ~/.ssh/[your-private-key]

Or in versions of MacOS older than 12.0 Monterey, use:

ssh-add -K ~/.ssh/[your-private-key]

Enter your key passphrase, and you won't be asked for it again.

(If this fails, make sure you are using Apple's version of /usr/bin/ssh-add and not something installed with brew etc.; check with which ssh-add)

Step 2 - Configure SSH-agent to always use the Keychain

(Note: In versions of OSX prior to Sierra, this is not necessary)

It seems that OSX Sierra removed the convenient behavior of persisting your keys between logins, and the update to ssh no longer uses the keychain by default. Because of this, you need to change one more thing for secure persistent key storage.

The solution is outlined in this github thread comment. Here's what you do:

  1. Ensure you've completed Step 1 above to store the passphrase in the keychain.

  2. If you haven't already, create an ~/.ssh/config file. In other words, in the .ssh directory in your home dir, make a file called config.

  3. In that .ssh/config file, add the following lines:

     Host *
   UseKeychain yes
   AddKeysToAgent yes
   IdentityFile ~/.ssh/id_rsa

    Change ~/.ssh/id_rsa to the actual filename of your private key. If you have other private keys in your ~/.ssh directory, also add an IdentityFile line for each of them. For example, I have one additional line that reads IdentityFile ~/.ssh/id_ed25519 for a 2nd private key.

    The UseKeychain yes is the key part, which tells SSH to look in your OSX keychain for the key passphrase.

  4. That's it! Next time you load any ssh connection, it will try the private keys you've specified, and it will look for their passphrase in the OSX keychain. No passphrase typing required.

Ilya Panin
  • 15
  • 4
trisweb
  • 12,036
  • 1
  • 14
  • 8
  • 2
    This almost worked for me. My "login" keychain already had automatic locking disabled, so Matthew Sanabria's answer did not apply. Using `ssh-add -K ...` added the keys to the ssh agent without prompting for a password, but only for the current session. After a reboot, I had to reissue the command. – Poulsbo Dec 16 '16 at 07:08
  • 1
    Somehow I do the ssh-add -K and it works for a while and then suddenly starts prompting me for a password again. Not sure if this is to do with iterm or oh my zsh updates? – Abram Dec 27 '16 at 01:32
  • 8
    @Poulsbo & @Abram -- see my update, Sierra changed the automatic behavior and now you have to run `ssh-add -A` manually to load your saved keychain. Some possible solutions referenced above. – trisweb Jan 03 '17 at 22:20
  • 3
    @trisweb Thanks for the tip. joshbuchea's solution of modifying the `.ssh/config` file looks promising! See https://github.com/lionheart/openradar-mirror/issues/15361#issuecomment-270242512 – Poulsbo Jan 06 '17 at 21:19
  • 1
    @trisweb check previous comment, I think that this may be good workaround for the need to run `ssh-add` in bash login, especially as not everyone is using bash shell. Please update the answer once you have the confirmation that it works. – sorin Jan 11 '17 at 16:14
  • 2
    @sorin see the updated answer, and let me know if you have any feedback. Thanks! – trisweb Jan 11 '17 at 19:53
  • 2
    Editing 'config' works great on MacOS, but fails under Linux (Bad configuration option: UseKeychain). Is there a way to write one config file that works on both? – wcochran Feb 22 '17 at 20:17
  • 19
    Works great! In my case I needed to use the `A` flag in addition to the `K` one to add my keys to the keychain and register the passphrase into it (`ssh-add -AK ~/.ssh/[your-private-key]`). Thanks! – youssman Mar 07 '17 at 22:28
  • @wcochran I too am running into this one. This really throws a wrench into plans to keep dotfiles common across platforms. – ctt May 27 '17 at 06:52
  • 1
    One thing to remember about these: It's NOT in the OpenSSH upstream, *only* in the Apple [Mm]acOS(X) versions. There are recipes elsewhere how to get the /usr/bin/ssh-add auto add the keys, so that /usr/local/bin/ssh (OpenSSH via brew etc.) can use the user-agent – Hvisage Jun 01 '17 at 13:59
  • Got message on macOS 10.13.2: `Bad configuration option: usekeychain`. –  Jan 10 '18 at 14:05
  • 3
    @wcochran and @ctt - in Apple's Technical Note [OpenSSH updates in macOS 10.12.2](https://developer.apple.com/library/content/technotes/tn2449/_index.html#//apple_ref/doc/uid/DTS40017589), they advise using `IgnoreUnknown UseKeychain` for cross-compatibility. – Ben Creasy Feb 18 '18 at 23:45
  • 5
    Even with the usekeychain option, I still find that my keychain will drop the .ssh/id_rsa key on reboot. – Chogg May 02 '18 at 18:39
  • 7
    I did exactly the same and my Mac still drops the key on reboot. – Ernest Zamelczyk Nov 22 '18 at 08:57
  • 1
    New Mac -- there's no A or K flag, still have to do it every time I reboot – Kerry Jones Apr 01 '19 at 20:56
  • Sadly this anwer is no longer valid, there is no more option K – Matteo Sep 19 '19 at 07:15
  • 1
    @Matteo -- double-check that you're using the Apple version of `ssh-add`; if you've installed Homebrew or another SSH then it may be overriding it. Use `which ssh-add` to find out which one; the Apple version is at `/usr/bin/ssh-add`. Make sure `/usr/bin` has priority in your $PATH if this is the case. – trisweb Sep 19 '19 at 11:50
  • 1
    @trisweb Just check the apple release notes, they aligned with the rest of the world and there is no more a K or A option – Matteo Sep 20 '19 at 11:02
  • @Matteo I've installed Catalina, and the `ssh-add -K` option is still present and works fine. Double-check you're using the right `ssh-add` or if there's any other difference in your environment. – trisweb Oct 12 '19 at 14:53
  • @triswed very good, I don't plan on switching to catalina just to have that tho – Matteo Oct 16 '19 at 12:12
  • 1
    @Matteo it's present on all MacOS versions prior to Catalina as well; it continues to be present on Catalina. No worries. – trisweb Oct 17 '19 at 00:00
  • I can confirm that this still works in Catalina. The `IdentityFile` isn’t strictly required if the default key names are used. – Franklin Yu Mar 31 '20 at 04:57
  • Does anyone know a way tp specify what keychain the password will get stored in? – v01pe Sep 17 '20 at 10:36
  • As @youssman mentioned, I also needed to use the `-AK` flags because in **OS Catalina 10.15.6** using only `-k` flag only stores one key at a time, no matter how many times I added it, only one was saved when consulting them with `ssh-add -l`. – alexventuraio Sep 29 '20 at 04:11
  • @Matteo's comment is crucial: **Make sure you are using `/usr/bin/ssh-add -K`**! – mforbes Sep 26 '21 at 00:17
  • 1
    In Monterey, `-K` seems to have been replaced by `--apple-use-keychain`. – Nirro Nov 10 '21 at 17:26
  • 1
    Thanks for posting this! BTW on macOS Monterey these options are now called `--apple-load-keychain` and `--apple-use-keychain`, and a large `WARNING` is printed if you try to use the old names. This is because upstream SSH added `-K` as a new option to “load resident keys from a FIDO authenticator.” – andrew Nov 19 '21 at 17:26
  • I did that and it works, but for some reason when I ssh I am not asked the keychain password, not even the first time. I was under the impression adding to the keychain kept the passphrase encrypted, so people who gain access to my machine and can copy all of my encrypted private keys can't also copy the passphrase? – doplumi Jun 07 '22 at 16:02
  • 1
    I had to also add `ssh-add --apple-load-keychain 2> /dev/null` to my `.zshrc to get this to work on reboots. – aiguofer Dec 15 '22 at 23:28
  • This doesn't work at all, and the example config file has really weird indentation. – Andrew Koster Feb 15 '23 at 22:27
47

I had a similar problem, in that I was being asked every time for my pub-key passphrase. Per suggestion of user "trisweb" above, I turned on these options to ~/.ssh/config:

Host *
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_rsa

But it still prompted every time I wanted to use ssh. Eventually I turned on ssh -v and found this debug line:

debug1: key_load_private: incorrect passphrase supplied to decrypt private key

I then opened my keychain in "Keychain Access.app", found the key named "SSH: /Users/username/.ssh/id_rsa" and opened it up. I clicked "Show password" to disclose the password and indeed found that the passphrase in the keyring was an old passphrase. I updated the passphrase in Keychain Access, and now password-free works.

I could have also updated the passphrase with this phrase:

ssh-keygen -p -f ~/.ssh/id_rsa
Franklin Yu
  • 543
  • 4
  • 18
user2688272
  • 571
  • 4
  • 2
  • In my Mac the password is saved in “password” category of “iCloud” chain. I thought it was in “log in” chain. – Franklin Yu Mar 31 '20 at 04:53
35

To all where the above did not work, my issue appears to have been because I was duplicating the UseKeychain yes & AddKeysToAgent yes in all ssh key profiles / shortcuts. I updated my ~/.ssh/config file to declare these only once and they now all load on login without prompting for passwords on startup, e.g:

Host foo
  HostName foo.com
  User fooUser
  IdentityFile ~/.ssh/foo

Host bar
  HostName bar.com
  User barUser
  IdentityFile ~/.ssh/bar

########################
# Keep the default configuration 
#  as the last item in this file
Host *
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/foo
  IdentityFile ~/.ssh/bar
Derek
  • 103
  • 3
Andrew
  • 451
  • 4
  • 3
  • 4
    I would recommend `Host *` be after specific host rules. See `man ssh_config` for details. – Franklin Yu Mar 31 '20 at 04:31
  • 1
    Thank you so much for this. Where are the docs for this i.e. how did you work this out? – James Owers Jun 15 '21 at 16:06
  • 1
    ...actually, this did not work for me: I have a setup where Host bar has HostName foo.com too (i.e. two different configs for the same site). `IdentityFile ~/.ssh/foo` was always used. To fix, I had to move the Host * section to the bottom, as @FranklinYu suggests. I think this is because > For each parameter, the first obtained value will be used. https://linux.die.net/man/5/ssh_config – James Owers Jun 18 '21 at 03:34
20

Also, in macOS Sierra and High Sierra (don't know about previous versions), running ssh-add -A will get the agent to load all keys whose passphrases are stored on Keychain... So very handy

Note that these option flags have been renamed and the old ones deprecated in later versions of macOS. From the ssh man page:

APPLE_SSH_ADD_BEHAVIOR
Enables or disables the older processing of the -A and -K options used in earlier macOS releases. These options have been renamed --apple-load-keychain and --apple-use-keychain respectively.
However, -A and -K still behave as in earlier releases except in the following circumstances:

  • If a security provider was specified with -S or SSH_SK_PROVIDER, or if APPLE_SSH_ADD_BEHAVIOR is set to the value “openssh”, then ssh-add uses standard OpenSSH behavior: the -A flag is not recognized and the -K flag behaves as documented in the DESCRIPTION section above.
  • Otherwise, ssh-add -A and -K will behave as in earlier macOS releases. A warning will be output to standard error unless APPLE_SSH_ADD_BEHAVIOR is set to the value “macos”. Note: Future releases of macOS will not support neither -A nor -K without setting this environment variable.
jaume
  • 14,465
  • 4
  • 54
  • 70
JJarava
  • 1,236
  • 2
  • 16
  • 28
11

Answer on OSX 12.0 Monterey

You can now use the flag --apple-use-keychain to accomplish exactly this.

ssh-add --apple-use-keychain ~/.ssh/id_rsa

Add this to your .zshrc or .bashrc file to have it load from your keychain on new logins / terminal instances.

This replaces the -K and -A flags:

WARNING: The -K and -A flags are deprecated and have been replaced
         by the --apple-use-keychain and --apple-load-keychain
         flags, respectively.  To suppress this warning, set the
         environment variable APPLE_SSH_ADD_BEHAVIOR as described in
         the ssh-add(1) manual page.
froboy
  • 3
  • 2
Greg Kaleka
  • 211
  • 2
  • 3
-2

One of solutions is to delete .ssh from path. Like this - "ssh-add --apple-use-keychain ~/id_ed25519" or "ssh-add --apple-use-keychain ~/[YOURS ID OF SSH]"

Also you need to change path in ~/.ssh/config by deleting /.ssh

Artur Didur
  • 1
  • 1
-3

Add the public key in:

.ssh/known_hosts

Public key usually are on:

/home/user/.ssh/id_rsa.pub

Hope that helps

lluisi
  • 57
  • 3