ssh-add -K not adding keys to Keychain

I used ssh-add -K to add keys to Keychain previously in this environment: Intel chipset, macOS Mojave, homebrew OpenSSH_7.9p1, LibreSSL 2.7.3.

Now I got a new Mac with the M1 chip and Monterey. I installed homebrew and OpenSSH (OpenSSH_8.8p1, OpenSSL 1.1.1m) but the ssh-add -K method doesn't work anymore:

ssh-add -v -K srv_key
Enter PIN for authenticator: 
debug1: start_helper: starting /opt/homebrew/Cellar/openssh/8.8p1_2/libexec/ssh-sk-helper 
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: sk_probe: 0 device(s) detected
debug1: ssh_sk_load_resident_keys: failed to find sk
Provider "internal" returned failure -1
debug1: ssh-sk-helper:  sshsk_load_resident failed: invalid format
debug1: main: reply len 8
debug1: client_converse: helper returned error -4
Unable to load resident keys: invalid format

I think the -K option now functions as the documentation says: "-K Load resident keys from a FIDO authenticator.", not the previous special feature for macOS. It can't find the sk module so it fails to load the key.

I can load the key now with ssh-add srv_key but it doesn't work with the ssh config UseKeychain.

What's the current practice to make the previous Keychain configuration work with SSH? Thanks for any suggestion!


Solution 1:

This is the solution to keep using the SSH-Keychain integration: Don't install Homebrew OpenSSH but use the Apple built-in OpenSSH.

The Apple OpenSSH is located in /usr/bin/ and the current version is OpenSSH_8.6p1, LibreSSL 2.8.3.

ssh-add -K srv_key
WARNING: The -K and -A flags are deprecated and have been replaced
         by the --apple-use-keychain and --apple-load-keychain
         flags, respectively.  To suppress this warning, set the
         environment variable APPLE_SSH_ADD_BEHAVIOR as described in
         the ssh-add(1) manual page.
Enter passphrase for srv_key:

Use ssh-add --apple-use-keychain key_file instead of ssh-add -K key_file to add the key for the new OpenSSH on macOS.
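
A way to check which ssh-add a shell would actually run, as an added example that is not part of the original answer: it walks a PATH string, reports when a non-Apple ssh-add (such as the Homebrew one in the question) comes before /usr/bin/ssh-add, and prints the full-path command using --apple-use-keychain. The function names and the APPLE_SSH_ADD variable are assumptions of this example, and it assumes macOS with Apple's build at /usr/bin/ssh-add as stated above.

```shell
#!/bin/sh
# Added example. Names below (APPLE_SSH_ADD, first_ssh_add, ...) are assumptions.
APPLE_SSH_ADD=${APPLE_SSH_ADD:-/usr/bin/ssh-add}  # Apple's build, per the answer

# first_ssh_add PATHSTRING: print the first executable ssh-add on PATHSTRING.
first_ssh_add() {
    _old_ifs=$IFS; IFS=:; set -f
    for _dir in $1; do
        [ -n "$_dir" ] || _dir=.          # empty PATH entry means current dir
        if [ -f "$_dir/ssh-add" ] && [ -x "$_dir/ssh-add" ]; then
            IFS=$_old_ifs; set +f
            printf '%s\n' "$_dir/ssh-add"
            return 0
        fi
    done
    IFS=$_old_ifs; set +f
    return 1
}

# is_apple_build BINARY: succeed only for the Apple-shipped path.
is_apple_build() { [ "$1" = "$APPLE_SSH_ADD" ]; }

# keychain_add_command PATHSTRING KEYFILE: print the command that stores the
# passphrase in the Keychain, bypassing a shadowing non-Apple ssh-add.
keychain_add_command() {
    _found=$(first_ssh_add "$1") || { echo "no ssh-add on PATH" >&2; return 2; }
    if ! is_apple_build "$_found"; then
        # Per the documentation quoted in the question, -K on this build
        # loads resident keys from a FIDO authenticator instead.
        echo "note: $_found is first on PATH; its -K loads FIDO resident keys" >&2
    fi
    printf '%s --apple-use-keychain %s\n' "$APPLE_SSH_ADD" "$2"
}

# Stand-alone use: sh check.sh srv_key
if [ -n "${1:-}" ]; then
    keychain_add_command "$PATH" "$1"
fi
```

The printed command is for inspection and does not quote the key file name, so quote it yourself if the path contains spaces.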