How can I permanently add my SSH private key to Keychain so it is automatically available to ssh?

Solution 1:

On OSX, the native ssh-add client has a special argument to save the private key's passphrase in the OSX keychain, which means that your normal login will unlock it for use with ssh. On OSX Sierra and later, you also need to configure SSH to always use the keychain (see Step 2 below).

Alternatively you can use a key without a passphrase, but if you prefer the security that's certainly acceptable with this workflow.

Step 1 - Store the key in the keychain

Just do this once:

ssh-add -K ~/.ssh/[your-private-key]

Enter your key passphrase, and you won't be asked for it again.

(If you're on a pre-Sierra version of OSX, you're done, Step 2 is not required. Also, be sure you are using Apple's version of /usr/bin/ssh-add and not something installed with brew etc. Check with which ssh-add.)

Step 2 - Configure SSH to always use the keychain

It seems that OSX Sierra removed the convenient behavior of persisting your keys between logins, and the update to ssh no longer uses the keychain by default. Because of this, you will get prompted to enter the passphrase for a key after you upgrade, and again after each restart.

The solution is fairly simple, and is outlined in this github thread comment. Here's how you set it up:

  1. Ensure you've completed Step 1 above to store the key in the keychain.

  2. If you haven't already, create an ~/.ssh/config file. In other words, in the .ssh directory in your home dir, make a file called config.

  3. In that .ssh/config file, add the following lines:

     Host *
       UseKeychain yes
       AddKeysToAgent yes
       IdentityFile ~/.ssh/id_rsa
    

    Change ~/.ssh/id_rsa to the actual filename of your private key. If you have other private keys in your ~/.ssh directory, also add an IdentityFile line for each of them. For example, I have one additional line that reads IdentityFile ~/.ssh/id_ed25519 for a 2nd private key.

    The UseKeychain yes is the key part, which tells SSH to look in your OSX keychain for the key passphrase.

  4. That's it! Next time you load any ssh connection, it will try the private keys you've specified, and it will look for their passphrase in the OSX keychain. No passphrase typing required.

Solution 2:

I had a similar problem, in that I was being asked every time for my pub-key passphrase. Per suggestion of user "trisweb" above, I turned on these options to ~/.ssh/config:

Host *
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_rsa

But it still prompted every time I wanted to use ssh. Eventually I turned on ssh -v and found this debug line:

debug1: key_load_private: incorrect passphrase supplied to decrypt private key

I then opened my keychain in "Keychain Access.app", found the key named "SSH: /Users/username/.ssh/id_rsa" and opened it up. I clicked "Show password" to disclose the password and indeed found that the passphrase in the keyring was an old passphrase. I updated the passphrase in Keychain Access, and now password-free works.

I could have also updated the passphrase with this phrase:

ssh-keygen -p -f ~/.ssh/id_rsa

Solution 3:

To all where the above did not work, my issue appears to have been because I was duplicating the UseKeychain yes & AddKeysToAgent yes in all ssh key profiles / shortcuts. I updated my ~/.ssh/config file to declare these only once and they now all load on login without prompting for passwords on startup, e.g:

Host foo
  HostName foo.com
  User fooUser
  IdentityFile ~/.ssh/foo

Host bar
  HostName bar.com
  User barUser
  IdentityFile ~/.ssh/bar

########################
# Keep the default configuration 
#  as the last item in this file
Host *
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/foo
  IdentityFile ~/.ssh/bar

Solution 4:

Also, in macOS Sierra and HighSierra (don't know about previous versions), running ssh-add -A will get the agent to load all keys whose passphrases are stored on Keychain... So very handy