macOS keeps asking my ssh passphrase since I updated to Sierra

607

197

It used to remember the passphrase, but now it's asking it to me each time.

I've read that I need to regenerate the public key with this command, which I did:

ssh-keygen -y -f id_rsa > id_rsa.pub

but it didn't fix anything.

How can I make macOS remember my passphrase again?

erwan

Posted 2016-09-22T09:21:53.970

Reputation: 6 191

I’m experiencing related behavior: Earlier, the key ring dialog would pop up to ask for the password, now I just get the regular SSH console prompt. Some helper program registration is probably gone. – Daniel B – 2016-09-22T11:06:41.377

1

It's been years since I generated my id_rsa and I've never used a passphrase and use this to ssh into many servers. Do I really have a passphrase on it, or is it just that Sierra thinks I should? Note that $ cat ~/.ssh/id_rsa | head -2 -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED – Joe Murray – 2016-10-28T14:30:27.273

duplicate of https://apple.stackexchange.com/q/254468/62697

– Cœur – 2017-01-30T06:05:18.907

If you're using Prezto and none of these answers solved your problem: Make sure you don't have the ssh module enabled in .zpreztorc. It's unnecessary on macOS anyway, and if enabled, it will prompt you for your passphrase even after you've added UseKeychain. – Jimothy – 2017-08-01T17:28:58.333

1

try doing ssh -v ... to see if it has any useful debug info... – rogerdpack – 2018-06-27T14:11:00.133

Answers

1 168

In the latest version of macOS (10.12.2), this is easy to fix. Just edit your ~/.ssh/config and enable the UseKeychain option:

Host *
    UseKeychain yes

There is no need to change anything else. Now everything works the way it used to work before the latest updates. You do not need to add keys to ssh-agent.

Edit: You may still need to enter your passphrase once. If you don't know it, follow these instructions to reveal it.

Jukka Suomela

Posted 2016-09-22T09:21:53.970

Reputation: 12 244

27

This absolutely worked for me. Everything below seems more complicated than this fix. – Br.Bill – 2016-12-19T23:26:21.010

Can't you put this at the end of the config, unindented, instead of using Host *? – mblakele – 2016-12-27T18:32:18.730

This definitely works for 10.2.2 – Alvin Nguyen – 2016-12-28T00:50:32.147

This works for Mac OS Sierra too! – Chiko – 2017-01-03T05:22:39.343

88

Note, the Host * block should (almost) always be placed at the bottom of your ~/.ssh/config file. When ssh is looking for settings it uses the first value it finds. Thus, by putting the wildcard block at the end, it acts as a set of defaults; you can override settings for specific hosts by specifying them earlier in the file. – Molomby – 2017-01-09T00:10:52.577

2

This sadly does not work when you use the same ~/.ssh/config for a non-macOS system, e.g. Ubuntu in a virtual machine. I get: Bad configuration option: UseKeychain when trying to git fetch in my Ubuntu VM. – Henrik N – 2017-01-09T07:49:30.600

1

I'm using Mac OSX Sierra (10.12.2) and it didn't work for me. – zyc – 2017-01-11T16:38:20.793

I'm using macOS Sierra (10.12.12) and it worked for me! – njtman – 2017-01-13T13:25:25.820

2

worked but not when forwarding machine keys via capistrano to fetch from github on the remote, in that case I had to do the ssh-add -K dance – John Smith – 2017-01-13T15:36:03.693

7

This worked for me as well but I did have to enter the passphrase correctly once. There is another answer that describes how you can view the password if you don't remember it.

– FGreg – 2017-01-19T17:45:21.700

1

Doesn't seem to work for 10.2.3 – Dan – 2017-01-31T15:16:27.037

Finally something that really fixed this annoyance. I'm running on 10.12.3 and it's perfect now. – TCB13 – 2017-02-09T19:43:11.327

Thank you for this. I need this to work across multiple users on my machine (10.12.3), so I instead added it under the Host * section in /etc/ssh/ssh_config, and that worked. – Ivan X – 2017-02-10T14:58:20.797

29

If the config file doesn't exist, creating one and adding this will work as well. – wynshaft – 2017-02-22T14:38:11.093

1

@wynshaft yes the file did not exist for me and I created it and dropped those few lines in. works on my machine. – Antwan W. A-Dubb – 2017-02-23T20:47:09.127

Is this setting specific only to the ssh version of macOS? Will another Unix (like Linux or FreeBSD) complain or not recognize it? – thiagowfx – 2017-02-28T22:47:36.317

8

You do not need the Host * heading. Just append the single line UseKeychain yes at the top of your .ssh/config if you wish for this to apply to all hosts. – sj26 – 2017-03-22T01:07:53.373

1

I followed this, then it still asked for password, didn't remember my password, looked it up from Keychain Access app, typed it in, it didn't accept it. Then I went and used ssh-add -K instead and typed password there, it accepted and it solved my problem! – test – 2017-05-02T07:29:16.650

Brilliant. This worked perfectly. Such a simple solution, and it saved me messing around with regenerating a bunch of different keys. As you mentioned, I was prompted for my passphrase one more time, and after that it's no longer asking for it. Bingo. – inspirednz – 2017-05-30T06:28:52.593

2

@HenrikN Add IgnoreUnknown UseKeychain to the Host * config block, and you can share your ssh config. See https://superuser.com/a/1178904/138530 and https://developer.apple.com/library/content/technotes/tn2449/_index.html

– Jimothy – 2017-08-01T17:33:58.620

Added the file with the above content. Did not work. On OS X 10.12.6. – Fellow Stranger – 2018-02-20T13:40:53.850

Note that you don't actually need the Host * part. Just add it to your global config. – bluesmoon – 2018-04-17T04:03:29.563

Don't forget to add the public key to your host:

Linux / Mac: cat ~/.ssh/id_rsa.pub | ssh username@your.server.com "mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys" – ppalmeida – 2018-08-17T13:24:42.837

This didn't work for me – Amrit Kahlon – 2019-02-02T01:11:11.863

Worked for me on catalina. – 4F2E4A2E – 2019-10-28T08:29:33.050
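As an added example (not from any answer in this thread), here is a small POSIX shell lint for the three pitfalls raised in the comments above: `UseKeychain yes` present at all, guarded by `IgnoreUnknown UseKeychain` so the same file still parses on Linux, and the `Host *` block placed after the host-specific blocks because ssh keeps the first value it reads for each option. The function name and the exit-code bitmask are my own.

```shell
#!/bin/sh
# Added example, not from the thread. lint_ssh_config (name is ours) scans an
# ssh client config and returns a bitmask of the pitfalls discussed above:
#   1  no "UseKeychain yes" anywhere in the file
#   2  "UseKeychain yes" appears before any "IgnoreUnknown UseKeychain"
#      (non-macOS OpenSSH then rejects the whole file)
#   4  a Host/Match block follows the "Host *" block; ssh keeps the first
#      value it sees per option, so the wildcard shadows the later entries
lint_ssh_config() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    {
        gsub(/=/, " ")                           # accept "Key=value" spelling
        key = tolower($1)
        if (key == "host" || key == "match") {   # start of a new block
            if (key == "host" && NF == 2 && $2 == "*") seen_wild = 1
            else if (seen_wild) host_after_wild = 1
            next
        }
        if (key == "ignoreunknown")
            for (i = 2; i <= NF; i++)
                if (tolower($i) == "usekeychain") guarded = 1
        if (key == "usekeychain" && tolower($2) == "yes") {
            found = 1
            if (!guarded) unguarded = 1
        }
    }
    END {
        rc = 0
        if (!found) rc += 1
        if (found && unguarded) rc += 2
        if (host_after_wild) rc += 4
        exit rc
    }' "$1"
}
# Usage: lint_ssh_config ~/.ssh/config; echo $?
```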

193

I had the same problem. MacOS Sierra keychain keeps asking for the passphrase. Your id_rsa should be encrypted with a passphrase for security. Then try adding it to the keychain:

ssh-add -K ~/.ssh/id_rsa

If your key is in another folder than ~/.ssh then substitute with the correct folder.

Keychain now knows your ssh key and, hopefully, all works now (mine did)

Lars G.

Posted 2016-09-22T09:21:53.970

Reputation: 1 939

26

This works but seems not to persist when I restart my computer. Anyone else having the same issue? – joshua.paling – 2016-09-26T10:39:27.303

1

Yup, same issue here. @joshua.paling – kingkool68 – 2016-09-26T13:56:55.197

18

@joshua.paling, kingkool68 - Apple has removed the ability to remember your SSH keys across reboot in order to conform to mainstream OpenSSH behavior. See this question for other ways to achieve the same functionality: http://apple.stackexchange.com/questions/254468/macos-sierra-doesn-t-seem-to-remember-ssh-keys-between-reboots

– Evan Pon – 2016-10-12T16:53:34.267

@EvanPon But that won’t work with encrypted keys, will it? – Konrad Rudolph – 2016-10-26T16:31:13.720

2

@KonradRudolph it works for me. Calling ssh-add with the -A option will look in the MacOS keychain for any passwords for the identities in question. I believe it will prompt you if the passwords are not in the keychain. – Evan Pon – 2016-10-27T00:26:35.393

This worked for me - but the flag was lowercase -k not uppercase -K. -k Load only keys and not certificates. – Kelly J Andrews – 2016-11-07T21:46:13.753

@EvanPon Maybe we’re talking about different things. I was expecting this to persist the setting across reboots. None of the ways posted in your link does (or did, at the time of writing; in the meantime there’s now a way). Adding things to .bash_profile works in limited ways, but still requires the user to enter their passphrase at least once. – Konrad Rudolph – 2017-02-01T16:07:16.677

75

This fixed my similar issue:

/usr/bin/ssh-add -K

This stores passphrases in your keychain.

Update (thanks @EasyCo): This works but does not persist between restarts. @jukka-suomela's solution on this page does work across restarts. You can find that answer here:

https://superuser.com/a/1158050/234685

critikaster

Posted 2016-09-22T09:21:53.970

Reputation: 871

3

This is the only thing that works. – cryptic0 – 2017-04-20T20:22:58.497

5

I did not need to create .ssh/.config when using this solution. – Shai – 2017-05-13T18:12:49.283

This worked for me. No need to edit the host file. I'm on Sierra. – cchiera – 2017-08-29T13:31:49.313

This worked for me on Mac OS Sierra. – Dayron Gallardo – 2017-10-11T00:54:46.110

2

As stated previously, this works but does not persist between restarts. @jukka-suomela's solution works across restarts. – EasyCo – 2017-11-15T21:58:27.220

Thanks @EasyCo that is indeed the better solution. – critikaster – 2017-11-18T18:24:46.803

41

I only had to enter the correct passphrase once and it started working. The problem was that I didn't remember my original SSH passphrase, but I recovered it by following these steps from Github:

  • In Finder, search for the Keychain Access app.
  • In Keychain Access, search for SSH.
  • Double click on the entry for your SSH key to open a new dialog box.
  • In the lower-left corner, select Show password.
  • You'll be prompted for your administrative password. Type it into the "Keychain Access" dialog box.
  • Your password will be revealed.

Olli Jaakkola

Posted 2016-09-22T09:21:53.970

Reputation: 511

3

Doesn't work. Terminal still says "bad passphrase" – Jayden Lawson – 2017-08-31T03:24:55.703

19

None of the above solutions worked after installing Sierra over El Capitan on a new MacBook Pro. Sierra by design does not save SSH keys in the keychain.

Two solutions worked for me. One is to add the command ssh-add -A &> /dev/null to ~/.bash_profile. Every time you open the terminal, this command will be executed (the &> /dev/null part sends the output of the command to the file /dev/null).

A more complicated but slightly slicker solution is to create a plist with the command that is executed every time the OS is booted as suggested in Saving SSH keys in macOS Sierra keychain. This involves using Xcode to create the file.

Hank Snow

Posted 2016-09-22T09:21:53.970

Reputation: 291

This appears to be Apple's official answer as well - see https://openradar.appspot.com/27348363

– Nick Maynard – 2016-09-30T15:53:46.737

The best solution until now for me. I'm using Mac OSX Sierra (10.12.2). – zyc – 2017-01-11T16:40:59.503

18

One fix is to add the following to your ~/.ssh/config file:

Host *
   AddKeysToAgent yes
   IdentityFile ~/.ssh/id_rsa
   UseKeychain yes

Taken from: https://www.reddit.com/r/osx/comments/52zn5r/difficulties_with_sshagent_in_macos_sierra/ Also see: https://apple.stackexchange.com/a/264974/3810

ThomasW

Posted 2016-09-22T09:21:53.970

Reputation: 353

So far, in none of the answers, has anyone mentioned the Bad configuration option: usekeychain error I get with UseKeychain (however it's capitalised). But I was able to get it working by removing just that line and leaving AddKeysToAgent and IdentityFile (you still have to enter the passphrase the first time). This is with macOS Sierra 10.12.6. – William Turrell – 2017-08-29T12:47:50.923

this works fine when I am in the terminal and use the ssh command, but other apps, like WebStorm that use their own terminal, don't take this configuration until I first use an ssh command in the regular terminal. then it works everywhere, any suggestions? – santiago arizti – 2018-04-17T16:53:22.047

@WilliamTurrell If this still happens, type which ssh to ensure that you are using /usr/bin/ssh and not a version from Fink or MacPorts, which would be under something like /usr/local/bin/ssh or /opt/local/bin/ssh – Stefan Lasiewski – 2018-05-17T21:25:11.620

8

This morning, I had the same problem as you after updating to Sierra. In my case, the id_rsa file was encrypted and after decrypting it was working like a charm.

  1. Verify if your id_rsa file is encrypted with the following command: cat ~/.ssh/id_rsa | head -2
  2. If the second line says Proc-Type: 4,ENCRYPTED, it's encrypted and you could try decrypting it
  3. Important: make a backup of your original id_rsa file! Use the command cp ~/.ssh/id_rsa ~/.ssh/id_rsa.bak
  4. Decrypt your private key with openssl rsa -in ~/.ssh/id_rsa -out ~/.ssh/id_rsa.decrypted
  5. Remove the original key (rm ~/.ssh/id_rsa) and replace it with the decrypted one: mv ~/.ssh/id_rsa.decrypted ~/.ssh/id_rsa

After these steps, you should be able to use ssh again.

Martijn Pieters

Posted 2016-09-22T09:21:53.970

Reputation: 105

4

While that is a workaround of sorts, I don’t think it really solves the OP’s problem. – Daniel B – 2016-09-22T11:05:41.703

This works for me. @DanielB, what is the problem with doing this? – Dag Høidahl – 2016-09-26T12:55:50.770

7

@DagHøidahl The key will no longer be encrypted. It can be stolen with regular user rights, so encryption is a strong SHOULD. – Daniel B – 2016-09-26T13:50:58.913

6

This removes the password from the key, which is why it works around the OP's problem. But I recommend against this. The password is all that stops people from using your key when it's stolen. Since your key will probably give access to multiple systems you don't want to weaken it. – Martijn Heemels – 2016-10-01T18:41:44.517
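The answer above checks for encryption by looking for a Proc-Type header, which only exists in the legacy PEM layout; keys written by newer OpenSSH releases use the "OPENSSH PRIVATE KEY" layout, where the cipher name sits inside the base64 body instead. As an added example (not from this thread), this POSIX shell function handles both layouts so you can confirm a key really is passphrase-protected before relying on it. The function name is my own, and the key snippets used in testing are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. key_is_encrypted (name is ours) reports
# whether a private key file is passphrase-protected without needing the
# passphrase. Legacy PEM keys flag encryption with a Proc-Type header; the
# newer OpenSSH layout has no such header, but its base64 body always starts
# with the magic "openssh-key-v1\0" followed by a length-prefixed cipher name,
# and a cipher name of "none" means the key material is stored in clear.
# Returns 0 = encrypted, 1 = unencrypted, 2 = not a recognised private key.
key_is_encrypted() {
    first=$(head -n 1 "$1")
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            body=$(sed -n '2p' "$1")
            case "$body" in
                # base64 of "openssh-key-v1\0" + uint32(4) + "none"
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) return 1 ;;
                # same magic, but some other cipher name follows
                b3BlbnNzaC1rZXktdjEA*)            return 0 ;;
                *)                                return 2 ;;
            esac ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            return 0 ;;                      # PKCS#8 encrypted container
        "-----BEGIN "*" PRIVATE KEY-----")
            # Legacy PEM (RSA/DSA/EC): encryption is flagged by Proc-Type.
            if head -n 3 "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                return 0
            fi
            return 1 ;;
        *)  return 2 ;;
    esac
}
# Usage: key_is_encrypted ~/.ssh/id_rsa; echo $?
```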

8

I tried multiple answers here, but was still having issues with remote keys passing (such as when using capistrano). To solve it, I read the technote from apple and made this my config file. No more asking for my password!

https://developer.apple.com/library/content/technotes/tn2449/_index.html

Host *
   IdentityFile ~/.ssh/id_rsa
   IgnoreUnknown UseKeychain
   UseKeychain yes
   AddKeysToAgent yes

Geek Goddess

Posted 2016-09-22T09:21:53.970

Reputation: 181

5

I had this issue as well when attempting to deploy some code using Capistrano. Very frustrating. Here are two methods I know of to deal with this issue.

Method 1: Add all known keys to the SSH agent.

So one solution I found is to run ssh-add with the -A option—which adds all known identities to the SSH agent using any passphrases stored in your keychain—like this:

ssh-add -A

Now this works but it won’t persist across reboots. So if you want to never worry about this again, just open up your user’s ~/.bash_profile file like this:

nano ~/.bash_profile

And add this line to the bottom:

ssh-add -A 2>/dev/null;

Now when you open a new Terminal window, all should be good!

Method 2: Add only SSH keys that are in the keychain to the agent.

So while the ssh-add -A option should work for most basic cases, I ran into an issue recently where I had 6-7 Vagrant boxes (which use SSH keys/identities for access) set up on a machine on top of the more common id_rsa.pub in place.

Long story short, I ended up being locked out of a remote server due to too many failed tries based on SSH keys/identities since the server access was based on a password and SSH keys/identities are SSH keys/identities. So the SSH agent tried all of my SSH keys, failed and I couldn’t even get to the password prompt.

The problem is that ssh-add -A will just arbitrarily add every single SSH key/identity you have to the agent even if it’s not necessary to do so; such as in the case of Vagrant boxes.

My solution after much testing was as follows.

First, if you have more SSH keys/identities added to your agent than you need (as shown with ssh-add -l), then purge them all from the agent like so:

ssh-add -D

With that done, then start the SSH agent as a background process like so:

eval "$(ssh-agent -s)"

Now, it gets weird and I am not too sure why. In some cases you can specifically add the ~/.ssh/id_rsa.pub key/identity to the agent like so:

ssh-add ~/.ssh/id_rsa.pub

Type in your passphrase, hit Return and you should be good to go.

But in other cases simply running this is enough to get the key/identity added:

ssh-add -K

If that’s all worked, type in ssh-add -l and you should see one lone SSH key/identity listed.

All good? Now open up your .bash_profile:

nano ~/.bash_profile

And add this line to the bottom; comment or remove the -A version if you have that in place:

ssh-add -K 2>/dev/null;

That will allow the SSH key/identity to be reloaded to the SSH agent on each startup/reboot.

UPDATE: Apple has now added a UseKeychain option to the open SSH config options and considers ssh-add -A a solution as well.

As of macOS Sierra 10.12.2, Apple (I assume) has added a UseKeychain config option for SSH configs. Checking the man page (via man ssh_config) shows the following info:

UseKeychain
        On macOS, specifies whether the system should search for
        passphrases in the user's keychain when attempting to use a
        particular key. When the passphrase is provided by the user, this
        option also specifies whether the passphrase should be stored
        into the keychain once it has been verified to be correct.  The
        argument must be ``yes'' or ``no''.  The default is ``no''.

Which boils down to Apple seeing the solution as either adding ssh-add -A to your .bash_profile as explained in this Open Radar ticket or adding UseKeychain as one of the options in a per user ~/.ssh/config.

JakeGould

Posted 2016-09-22T09:21:53.970

Reputation: 38 217

4

Jukka Suomela's answer is correct, but if you are using openssh installed from homebrew, then you also need to uninstall it with:

brew remove openssh

...to switch back to the system default openssh, because homebrew's one doesn't support the UseKeychain ssh config entry.

Greg Dubicki

Posted 2016-09-22T09:21:53.970

Reputation: 255

1

If anybody wants it with homebrew's, ping me here: https://github.com/rdp/homebrew-openssh-gssapi

– rogerdpack – 2017-12-01T17:49:34.317

2

You need a .plist file added to ~/Library/LaunchAgents/ to run ssh-add -A on every startup of macOS.

There's a single command which does this (from SSH-keys-in-macOS-Sierra-keychain) which is:

curl -o ~/Library/LaunchAgents/ssh.add.a.plist https://raw.githubusercontent.com/jirsbek/SSH-keys-in-macOS-Sierra-keychain/master/ssh.add.a.plist

AlecRust

Posted 2016-09-22T09:21:53.970

Reputation: 129

2

I tried all solutions suggested here, but I don't have keychain set up in my Mac.

Adding the following line at the top of the .ssh/config file on both the local and the remote machine worked for me.

PubkeyAcceptedKeyTypes=+ssh-dss

Roei Bar Aviv

Posted 2016-09-22T09:21:53.970

Reputation: 21