How to use Mac OS X Keychain with SSH keys?

143

I understand that since Mac OS X Leopard the Keychain has supported storing SSH keys. Could someone please explain how this feature is supposed to work.

I have some RSA keys that I've generated stored in my ~/.ssh directory for accessing various servers. I don't have passphrases set on those keys. Currently in order to log in to those servers I use the following commands in the Terminal:

eval `ssh-agent`
ssh-add ~/.ssh/some_key_rsa
ssh user@server

(I've written some Bash functions to make this easier.)

Is there a better way to do this using the Keychain?

John Topley

Posted 2009-12-28T12:08:48.290

Reputation: 1 558

I do these to solve it, ref: https://unix.stackexchange.com/a/560404/388990 Hope it works, thanks

– Toni Firnandes – 2020-01-05T03:35:06.713

Answers

For it to work, the $SSH_AUTH_SOCK environment variable should be pointed to /tmp/launch-xxxxxx/Listeners. This is supposed to be done automatically when you log in. The listener on that socket speaks the ssh-agent protocol.

Your bash scripts are starting your own ssh agent (spelled ssh-agent, not ssh_agent) and overriding the existing ssh-agent that is set up for you at login.

Also, the whole point of the keychain is to store the passwords to your ssh keys, but you say that you don't have passphrases set on those keys, so I'm not sure what you are expecting out of the keychain integration.

Finally, when you first log in, you probably won't see a ssh-agent process. That process will be started automatically by launch services the first time something tries to read that socket in /tmp.

Rudedog

Posted 2009-12-28T12:08:48.290

Reputation: 1 560

"This is supposed to be done automatically when you log in." -- this doesn't actually happen for remote logins (where $DISPLAY is not set). – Ether – 2015-03-06T21:02:31.587

Note that if you use tmux, you're in significant danger of outdated environment variables (including $SSH_AUTH_SOCK). Try restarting the tmux server if you're having trouble. – Radon Rosborough – 2017-02-19T00:25:40.823

1Thanks. So I'll still have to run ssh-add to add my RSA identities to the default ssh agent started at log in? – John Topley – 2009-12-28T18:01:08.057

You don't have to run ssh-add; ssh-agent will ask for the key's passphrase the first time you run ssh. – Rudedog – 2009-12-29T05:46:48.347

3It's prompting me for the password every time I run ssh. The point is that I don't want to have to enter any passwords. – John Topley – 2009-12-29T10:40:25.650

1What is prompting you for the password? I'm beginning to suspect that it's the remote server that's prompting you, which puts your statement that your keys don't have passphrases in better perspective.

If you want to bypass the password on the remote server, you need to add your public key to $HOME/.ssh/authorized_keys on that server.

Mac OS' ssh-agent+keychain is only used to store the passphrase for your local ssh keys; it is not meant to send remote passwords over existing ssh connections. – Rudedog – 2009-12-29T16:08:12.997

I have the public key in the authorized keys file on the remote server. I followed these instructions: http://articles.slicehost.com/2008/4/25/ubuntu-hardy-setup-page-1 I guess I'll have to stick with running ssh-add.

– John Topley – 2009-12-29T17:23:27.540

1use ssh -v to diagnose what ssh is doing. also use sshd -p 8900 -v on the server side and ssh -v remote:8900 to diagnose what sshd is doing. – Rudedog – 2009-12-30T16:54:53.603

255

As of the Leopard release of OS X, ssh-agent is more tightly integrated with Keychain. It is possible to store the passphrases of all of your SSH keys securely in Keychain, from which ssh-agent will read them on startup. The bottom line is that it is simple to secure your keys with passphrases, but never have to type the passphrase to use them! Here is how:

Add the pass phrase to each ssh key to keychain: (option -k loads plain private keys only, skips certificates)

ssh-add -K [path/to/private SSH key]

(note that's a capital K)

Whenever you reboot your Mac, all the SSH keys in your keychain will be automatically loaded. You should be able to see the keys in the Keychain Access app, as well as from the command line via:

ssh-add -l

jeffmcc

Posted 2009-12-28T12:08:48.290

Reputation: 2 661

ssh-add -l doesn't list any keys when connecting remotely (where $DISPLAY is not set). Special tricks need to be employed here to use the keychain (e.g. in https://superuser.com/questions/141044/sharing-the-same-ssh-agent-among-multiple-login-sessions) – Ether – 2015-03-06T21:04:23.793

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/ssh-add.1.html

You also need -K option to store passphrases in keychain.

– Neeme Praks – 2015-04-24T08:27:34.203

You need to use a capital "K" when you do this instead of lowercase. If you load the ssh-add help info it will show that the capitol version is what stores it in the Keychain. – Patrick – 2015-06-29T16:36:19.103

5If you installed another version of SSH through a package system like Homebrew, then it is necessary to use an absolute path like /usr/bin/ssh-add. – Ludovic Kuty – 2016-02-14T08:04:22.797

The comment of @LudovicKuty should be part of the answer... OS X uses a custom version of ssh-add – n1000 – 2016-10-03T19:46:44.077

I have edited the answer to add it but I forgot to log in before. Will be peer reviewed... :p – Ludovic Kuty – 2016-10-04T07:59:29.170

1Interestingly in my macOS Sierra it doesn't ask for the password after a reboot but ssh-add -l returns "The agent has no identities." (ps aux includes /usr/bin/ssh-agent -l). – Halil Özgür – 2016-11-23T09:54:27.863

For macOS Sierra, things have changed. See https://github.com/jirsbek/SSH-keys-in-macOS-Sierra-keychain

– schieferstapel – 2016-12-29T21:05:19.757

1ssh-add -K .. yet another thing to remember or add to start scripts :-) – user260758 – 2017-05-08T08:27:05.517

thanks, ssh-add -K worked for me nicely on macOS Mojave =) – Pirkka Esko – 2019-11-05T06:49:17.067

As of macOS Sierra, ssh-agent no longer auto-loads previously loaded ssh keys when you log in to your account. This is intentional on Apple part, they wanted to re-align with the mainstream OpenSSH implementation. [1]

As explained here, this is the recommended method since macOS 10.12.2:

Add the following lines to your ~/.ssh/config file:

Host *
    UseKeychain yes
    AddKeysToAgent yes

Any key you add to the ssh-agent using the ssh-add /path/to/your/private/key/id_rsa command will be automatically added to the keychain, and should be autoloaded upon reboot.

The following is deprecated (kept for reference).

To go back to the previous behavior, you'd want to run the ssh-add -A command (which auto-loads all the ssh keys that have pass-phrases on your keychain) when you log in. To do that, follow these steps:

First, add all the keys you want to auto-load to the ssh-agent using the ssh-add -K /absolute/path/to/your/private/key/id_rsa command. The -K argument ensures that the key pass-phrase is added to macOS's keychain. Make sure you use the absolute path to the key. Using a relative path will make the auto-launched script not to find your key.
Make sure all of your keys are shown as added when you type ssh-add -A.

Create a file called com.yourusername.ssh-add.plist in ~/Library/LaunchAgents/ with the contents below. Plist files such as this one are used by launchd to run scripts when you log in. [2] [3]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
  <string>com.user.loginscript</string>
<key>ProgramArguments</key>
  <array>
    <string>ssh-add</string>
    <string>-A</string>
  </array>
<key>RunAtLoad</key>
  <true/>
</dict>
</plist>

Tell launchd to load the plist file you just created by executing: launchctl load ~/Library/LaunchAgents/com.yourusername.ssh-add.plist.

And you should be all set.

Ricardo Sanchez-Saez

Posted 2009-12-28T12:08:48.290

Reputation: 1 215

– slm – 2017-05-15T14:09:15.010

There is a simpler way than Ricardo's answer to persist your password between sessions/restarts of your Mac running 10.12 Sierra.

ssh-add -K ~/.ssh/id_rsa
Note: change the path to where your id_rsa key is located.
ssh-add -A
Create (or edit if it exists) the following ~/.ssh/config file:
```
Host *
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_rsa
```
Now the password is remembered between restarts!

Apple purposely changed the behaviour for ssh-agent in macOS 10.12 Sierra to no longer automatically load the previous SSH keys, as noted in this OpenRadar, Twitter discussion, and Technical Note from Apple. The solution above will mimic the old behaviour of El Capitan and remember your password.

ChrisJF

Posted 2009-12-28T12:08:48.290

Reputation: 460

2Awesome, works like a charm, imho a lot cleaner then the others and solved in the right place :) – GerardJP – 2017-01-10T15:08:42.270

– Basil Bourque – 2018-12-08T02:54:19.293

Note: for macOS Sierra, please refer to the more recent answer by ChrisJF.

The [answer by Jeff McCarrell][2] is correct, except that the command to add the pass phrase contains an en dash instead of a hyphen, i.e. –K instead of -K, causing a message to the effect of –K: No such file or directory. It should read:

ssh-add -K [path/to/private SSH key]

simonair

Posted 2009-12-28T12:08:48.290

Reputation: 624

2This should be a comment to the answer you refer to rather than a fresh answer. We're talking about security here. One could suggest you should be carefully typing it out rather than blindly copying and pasting ssh-add -K – Phil_1984_ – 2016-09-20T21:22:47.013

1Using a hyphen with K, I get illegal option -- K. Lowercase k is listed as an option. – Sam Dutton – 2016-11-10T14:16:29.643

Thanks for the feedback. I just checked on macOS Sierra: -K, i.e. dash-capital-K, is still valid – simonair – 2017-08-13T15:41:56.570

If you get illegal option -- K, you may be using a different ssh-add than the system one. Try /usr/bin/ssh-add -K .... See https://help.github.com/en/github/authenticating-to-github/error-ssh-add-illegal-option----k

– monozok – 2019-12-23T08:45:34.250

I had a similar problem while trying to login using a client ssh cert. In this specific case it was for accessing a git repository. This was the situation:

Key was saved in ~/.ssh/
The private key has a passphrase.
The passphrase is stored in the OS X login keychain. ~/Library/Keychains/login.keychain
The connection was as follows: my mac -> remote mac -> git/ssh server
Mac OS X 10.8.5

When I connected to remote mac using remote desktop, I didn't have a problem. However when connecting with SSH to the remote mac, I was asked for the ssh passphrase every time. The following steps solved it for me.

security unlock-keychain The passphrase is stored in the login keychain. This unlocks it and enables ssh-agent to access it.
eval `ssh-agent -s` Starts ssh-agent for shell use. It will get the passphrase from the keychain and use it to unlock the private ssh key.
Establish the ssh/git connection and do my work.
eval `ssh-agent -k` Kill the running ssh-agent.
security lock-keychain Lock the keychain again.

orkoden

Posted 2009-12-28T12:08:48.290

Reputation: 759

In order for #2 to work for me within an alias, I had to use eval \$(ssh-agent) per Re: remote login and keychain. When not within an alias eval $(ssh-agent) works (without the backslash $).

– Travis – 2015-07-22T04:59:22.853

I suspect you aren't using the default ssh command. Do you have ssh installed via ports? Try which ssh to see which ssh command you are using.

Usually it should display a dialog box asking for you password, if it isn't already stored in you keychain.

Olly

Posted 2009-12-28T12:08:48.290

Reputation: 566

Thanks for the info :) I had problems because i was using OpenSSH from Homebrew. – ggustafsson – 2012-10-06T13:47:46.787

I'm not using ports. – John Topley – 2009-12-28T14:56:52.797