607
197
It used to remember the passphrase, but now it's asking it to me each time.
I've read that I need to regenerate the public key with this command, which I did:
ssh-keygen -y -f id_rsa > id_rsa.pub
but it didn't fix anything.
How can I make macOS remember my passphrase again?
erwan
Posted 2016-09-22T09:21:53.970
Reputation: 6 191
1 168
In the latest version of macOS (10.12.2), this is easy to fix. Just edit your ~/.ssh/config and enable the UseKeychain option:
Host *
UseKeychain yes
There is no need to change anything else. Now everything works the way it used to work before the latest updates. You do not need to add keys to ssh-agent.
Edit: You may still need to enter your passphrase once. If you don't know it, follow these instructions to reveal it.
Jukka Suomela
Posted 2016-09-22T09:21:53.970
Reputation: 12 244
27This absolutely worked for me. Everything below seems more complicated than this fix. – Br.Bill – 2016-12-19T23:26:21.010
Can't you put this at the end of the config, unindented, instead of using Host *? – mblakele – 2016-12-27T18:32:18.730
This definitely works for 10.2.2 – Alvin Nguyen – 2016-12-28T00:50:32.147
This works for Mac OS Sierra too! – Chiko – 2017-01-03T05:22:39.343
88Note, the Host * block should (almost) always be placed at the bottom of your ~/.ssh/config file. When ssh is looking for settings it uses the first value it finds. Thus, by putting putting the wildcard block at the end, it acts as a set of defaults; you can override settings for specific hosts by specifying them earlier in the file. – Molomby – 2017-01-09T00:10:52.577
2This sadly does not work when you use the same ~/.ssh/config for a non-macOS system, e.g. Ubuntu in a virtual machine. I get: Bad configuration option: UseKeychain when trying to git fetch in my Ubuntu VM. – Henrik N – 2017-01-09T07:49:30.600
1I'm using Mac OSX Sierra (10.12.2) and it didn't work for me. – zyc – 2017-01-11T16:38:20.793
I'm using macOS Sierra (10.12.12) and it worked for me! – njtman – 2017-01-13T13:25:25.820
2worked but not when forwarding machine keys via capistrano to fetch from github on the remote, in that case I had to do the ssh-add -K dance – John Smith – 2017-01-13T15:36:03.693
7
This worked for me as well but I did have to enter the passphrase correctly once. There is another answer that describes how you can view the password if you don't remember it.
– FGreg – 2017-01-19T17:45:21.7001Doesn't seem to work for 10.2.3 – Dan – 2017-01-31T15:16:27.037
Finally something that really fixed this annoyance. I'm running on 10.12.3 and it's perfect now. – TCB13 – 2017-02-09T19:43:11.327
Thank you for this. I need this to work across multiple users on my machine (10.12.3), so I instead added it under the Host * section in /etc/ssh/ssh_config, and that worked. – Ivan X – 2017-02-10T14:58:20.797
29If the config file doesn't exist, creating one and adding this will work as well. – wynshaft – 2017-02-22T14:38:11.093
1@wynshaft yes the file did not exist for me and I created it and dropped those few lines in. works on my machine. – Antwan W. A-Dubb – 2017-02-23T20:47:09.127
Is this setting specific only to the ssh version of macOS? Will another Unix (like Linux or FreeBSD) complain or not recognize it? – thiagowfx – 2017-02-28T22:47:36.317
8You do not need the Host * heading. Just append the single line UseKeychain yes at the top of your .ssh/config if you wish for this to apply to all hosts. – sj26 – 2017-03-22T01:07:53.373
1I followed this, then it still asked for password, didn't remember my password, looked it up from Keychain Access app, typed it in, it didn't accept it. Then I went and used ssh-add -K instead and typed password there, it accepted and it solved my problem! – test – 2017-05-02T07:29:16.650
Brilliant. This worked perfectly. Such a simple solution, and it saved me messing around with regenerating a bunch of different keys. As you mentioned, I was prompted for my passphrase one more time, and after that it's no longer asking for it. Bingo. – inspirednz – 2017-05-30T06:28:52.593
2
@HenrikN Add IgnoreUnknown UseKeychain to the Host * config block, and you can share your ssh config. See https://superuser.com/a/1178904/138530 and https://developer.apple.com/library/content/technotes/tn2449/_index.html
Added the file with the above content. Did not work. On OS X 10.12.6. – Fellow Stranger – 2018-02-20T13:40:53.850
Note that you don't actually need the Host * part. Just add it to your global config. – bluesmoon – 2018-04-17T04:03:29.563
Don't forget to add the public key to your host:
Linux / Mac: cat ~/.ssh/id_rsa.pub | ssh username@your.server.com "mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys" – ppalmeida – 2018-08-17T13:24:42.837
This didn't work for me – Amrit Kahlon – 2019-02-02T01:11:11.863
Worked for me on catalina. – 4F2E4A2E – 2019-10-28T08:29:33.050
193
I had the same problem. MacOS Sierra keychain keeps asking for the passphrase. Your id_rsa should be encrypted with a passphrase for security. Then try adding it to the keychain ssh-add -K ~/.ssh/id_rsa
If your key is in another folder than ~/.ssh then substitute with the correct folder.
Keychain now knows your ssh key and, hopefully, all works now (mine did)
Lars G.
Posted 2016-09-22T09:21:53.970
Reputation: 1 939
26This works but seems not to persist when I restart my computer. Anyone else having the same issue? – joshua.paling – 2016-09-26T10:39:27.303
1Yup, same issue here. @joshua.paling – kingkool68 – 2016-09-26T13:56:55.197
18
@joshua.paling, kingkool68 - Apple has removed the ability to remember your SSH keys across reboot in order to conform to mainstream OpenSSH behavior. See this question for other ways to achieve the same functionality: http://apple.stackexchange.com/questions/254468/macos-sierra-doesn-t-seem-to-remember-ssh-keys-between-reboots
– Evan Pon – 2016-10-12T16:53:34.267@EvanPon But that won’t work with encrypted keys, will it? – Konrad Rudolph – 2016-10-26T16:31:13.720
2@KonradRudolph it works for me. Calling ssh-add with the -A option will look in the MacOS keychain for any passwords for the identities in question. I believe it will prompt you if the passwords are not in the keychain. – Evan Pon – 2016-10-27T00:26:35.393
This worked for me - but the flag was lowercase -k not uppercase -K. -k Load only keys and not certificates. – Kelly J Andrews – 2016-11-07T21:46:13.753
@EvanPon Maybe we’re talking about different things. I was expecting this to persist the setting across reboots. None of the ways posted in your link does (or did, at the time of writing; in the meantime there’s now a way). Adding things to .bash_profile works in limited ways, but still requires the user to enter their passphrase at least once. – Konrad Rudolph – 2017-02-01T16:07:16.677
75
This fixed my similar issue:
/usr/bin/ssh-add -K
This stores passphrases in your keychain.
Update (thanks @EasyCo): This works but does not persist between restarts. @jukka-suomela's solution on this page does work across restarts. You can find that answer here:
critikaster
Posted 2016-09-22T09:21:53.970
Reputation: 871
3This is the only thing that works. – cryptic0 – 2017-04-20T20:22:58.497
5I did not need to create .ssh/.config when using this solution. – Shai – 2017-05-13T18:12:49.283
This worked for me. No need to edit the host file. I'm on Sierra. – cchiera – 2017-08-29T13:31:49.313
This worked for me on Mac OS Sierra. – Dayron Gallardo – 2017-10-11T00:54:46.110
2As stated previously, this works but does not persist between restarts. @jukka-suomela's solution work across restarts. – EasyCo – 2017-11-15T21:58:27.220
Thanks @EasyCo that is indeed the better solution. – critikaster – 2017-11-18T18:24:46.803
41
I only had to enter the correct passphrase once and it started working. The problem was that I didn't remember my original SSH passphrase, but I recovered it by following these steps from Github:
Olli Jaakkola
Posted 2016-09-22T09:21:53.970
Reputation: 511
3Doesn't work. Terminal still says "bad passphrase" – Jayden Lawson – 2017-08-31T03:24:55.703
19
None of the above solutions worked after installing Sierra over El Capitan on a new MacBook Pro. Sierra by design does not save SSH keys in the keychain.
Two solutions worked for me. One is to add the command ssh-add -A &> /dev/null to ~/.bash_profile. Every time you open the terminal, this command will be executed (the &> /dev/null part sends the output of the command the file /dev/null).
A more complicated but slightly slicker solution is to create a plist with the command that is executed every time the OS is booted as suggested in Saving SSH keys in macOS Sierra keychain. This involves using Xcode to create the file.
Hank Snow
Posted 2016-09-22T09:21:53.970
Reputation: 291
This appears to be Apple's official answer as well - see https://openradar.appspot.com/27348363
– Nick Maynard – 2016-09-30T15:53:46.737The best solution until now for me. I'm using Mac OSX Sierra (10.12.2). – zyc – 2017-01-11T16:40:59.503
18
One fix is to add the following to your ~/.ssh/config file:
Host *
AddKeysToAgent yes
IdentityFile ~/.ssh/id_rsa
UseKeychain yes
Taken from: https://www.reddit.com/r/osx/comments/52zn5r/difficulties_with_sshagent_in_macos_sierra/ Also see: https://apple.stackexchange.com/a/264974/3810
ThomasW
Posted 2016-09-22T09:21:53.970
Reputation: 353
So far, in none of the answers, has anyone mentioned the Bad configuration option: usekeychain error I get with UseKeychain (however it's capitalised). But I was able to get it working by removing just that line and leaving AddKeysToAgent and IdentityFile (you still have to enter the passphrase the first time). This is with macOS Sierra 10.12.6. – William Turrell – 2017-08-29T12:47:50.923
this works fine when I am in the terminal and use the ssh command, but other apps, like WebStorm that use their own terminal, don't take thi configuration until I first use an ssh command in the regular terminal. then it works everywhere, any suggestions? – santiago arizti – 2018-04-17T16:53:22.047
@WilliamTurrell If this still happens, type which ssh to ensure that you are using /usr/bin/ssh and not a version from Fink or MacPorts, which would be under something like /usr/local/bin/ssh or /opt/local/bin/ssh – Stefan Lasiewski – 2018-05-17T21:25:11.620
8
This morning, I had the same problem as you after updating to Sierra. In my case, the id_rsa file was encrypted and after decrypting it was working like a charm.
id_rsa file is encrypted with the following command: cat ~/.ssh/id_rsa | head -2Proc-Type: 4,ENCRYPTED, it's encrypted and you could try decrypting itid_rsa file! Use the command cp ~/.ssh/id_rsa ~/.ssh/id_rsa.bakopenssl rsa -in ~/.ssh/id_rsa -out ~/.ssh/id_rsa.decryptedrm ~/.ssh/id_rsa) and replace it with the decrypted one: mv ~/.ssh/id_rsa.decrypted ~/.ssh/id_rsaAfter these steps, you should be able to use ssh again.
Martijn Pieters
Posted 2016-09-22T09:21:53.970
Reputation: 105
4While that is a workaround of sorts, I don’t think it really solves the OP’s problem. – Daniel B – 2016-09-22T11:05:41.703
This works for me. @DanielB, what is the problem with doing this? – Dag Høidahl – 2016-09-26T12:55:50.770
7@DagHøidahl The key will no longer be encrypted. It can be stolen with regular user rights, so encryption is a strong SHOULD. – Daniel B – 2016-09-26T13:50:58.913
6This removes the password from the key, which is why it works around the OP's problem. But I recommend against this. The password is all that stops people from using your key when it's stolen. Since your key will probably give access to multiple systems you don't want to weaken it. – Martijn Heemels – 2016-10-01T18:41:44.517
8
I tried multiple answers here, but was still having issues with remote keys passing (such as when using capistrano). To solve it, I read the technote from apple and made this my config file. No more asking for my password!
https://developer.apple.com/library/content/technotes/tn2449/_index.html
Host * IdentityFile ~/.ssh/id_rsa IgnoreUnknown UseKeychain UseKeychain yes AddKeysToAgent yes
Geek Goddess
Posted 2016-09-22T09:21:53.970
Reputation: 181
5
I had this issue as well when attempting to deploy some code using Capistrano. Very frustrating. Here are two methods I know of to deal with this issue.
So one solution I found is to run ssh-add with the -A option—which adds all known identities to the SSH agent using any passphrases stored in your keychain—like this:
ssh-add -A
Now this works but it won’t persist across reboots. So if you want to never worry about this again, just open up your user’s ~/.bash_profile file like this:
nano ~/.bash_profile
And add this line to the bottom:
ssh-add -A 2>/dev/null;
Now when you open a new Terminal window, all should be good!
So while the ssh-add -A option should work for most basic cases, I ran into an issue recently where I had 6-7 Vagrant boxes (which uses SSH keys/identities for access) setup on a machine on top of the more common id_rsa.pub in place.
Long story short, I ended up being locked out of a remote server due to too many failed tries based on SSH keys/identities since the server access was based on a password and SSH keys/identities are SSH keys/identities. So the SSH agent tried all of my SSH keys, failed and I couldn’t even get to the password prompt.
The problem is that ssh-add -A will just arbitrarily add every single SSH key/identity you have to the agent even if it’s not necessary to do so; such as in the case of Vagrant boxes.
My solution after much testing was as follows.
First, if you have more SSH keys/identities added to your agent than you need—as shown with ssh-add -l then purge them all from the agent like so:
ssh-add -D
With that done, then start the SSH agent as a background process like so:
eval "$(ssh-agent -s)"
Now, it gets weird and I am not too sure why. In some cases you can specifically add the ~/.ssh/id_rsa.pub key/identity to the agent like so:
ssh-add ~/.ssh/id_rsa.pub
Type in your passphrase, hit Return and you should be good to go.
But in other cases simply running this is enough to get the key/identity added:
ssh-add -K
If that’s all worked, type in ssh-add -l and you should see one lone SSH key/identity listed.
All good? Now open up your .bash_profile:
nano ~/.bash_profile
And add this line to the bottom; comment or remove the -A version if you have that in place:
ssh-add -K 2>/dev/null;
That will allow the SSH key/identity to be reloaded to the SSH agent on each startup/reboot.
UseKeychain option to the open SSH config options and considers ssh-add -A a solution as well.As of macOS Sierra 10.12.2, Apple (I assume) has added a UseKeychain config option for SSH configs. Checking the man page (via man ssh_config) shows the following info:
UseKeychain
On macOS, specifies whether the system should search for
passphrases in the user's keychain when attempting to use a par-
ticular key. When the passphrase is provided by the user, this
option also specifies whether the passphrase should be stored
into the keychain once it has been verified to be correct. The
argument must be ``yes'' or ``no''. The default is ``no''.
Which boils down to Apple seeing the solution as either adding ssh-add -A to your .bash_profile as explained in this Open Radar ticket or adding UseKeychain as one of the options in a per user ~/.ssh/config.
JakeGould
Posted 2016-09-22T09:21:53.970
Reputation: 38 217
4
Jukka Suomela's answer is correct, but if you are using openssh installed from homebrew, then you also need to uninstall it with:
brew remove openssh
...to switch back to system default openssh, because homebrew's one doesn't support UseKeychain ssh config entry.
Greg Dubicki
Posted 2016-09-22T09:21:53.970
Reputation: 255
1
If anybody wants it with homebrew's, ping me here: https://github.com/rdp/homebrew-openssh-gssapi
– rogerdpack – 2017-12-01T17:49:34.3172
You need a .plist file added to ~/Library/LaunchAgents/ to run ssh-add -A on every startup of macOS.
There's a single command which does this (from SSH-keys-in-macOS-Sierra-keychain) which is:
curl -o ~/Library/LaunchAgents/ssh.add.a.plist https://raw.githubusercontent.com/jirsbek/SSH-keys-in-macOS-Sierra-keychain/master/ssh.add.a.plist
AlecRust
Posted 2016-09-22T09:21:53.970
Reputation: 129
2
I tried all solutions suggested here, but I don't have keychain set up in my Mac.
Adding to following line at top .ssh/config file on both the local and the remote machine worked for me.
PubkeyAcceptedKeyTypes=+ssh-dss
Roei Bar Aviv
Posted 2016-09-22T09:21:53.970
Reputation: 21
I’m experiencing related behavior: Earlier, the key ring dialog would pop up to ask for the password, now I just get the regular SSH console prompt. Some helper program registration is probably gone. – Daniel B – 2016-09-22T11:06:41.377
1It's been years since I generated my id_rsa and I've never used a passphrase and use this to ssh into many servers. Do I really have a passphrase on it, or is it just that Sierra thinks I should? Note that $ cat ~/.ssh/id_rsa | head -2 -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED – Joe Murray – 2016-10-28T14:30:27.273
duplicate of https://apple.stackexchange.com/q/254468/62697
– Cœur – 2017-01-30T06:05:18.907If you're using Pretzo and none of these answers solved your problem: Make sure you don't have the
sshmodule enabled inzpretzorc. It's unnecessary on macOS anyway, and if enabled, it will prompt you for your passphrase even after you've addedUseKeychain. – Jimothy – 2017-08-01T17:28:58.3331try doing
ssh -v ...to see if it has any useful debug info... – rogerdpack – 2018-06-27T14:11:00.133