How to use Mac OS X Keychain with SSH keys?

For it to work, the $SSH_AUTH_SOCK environment variable should be pointed to /tmp/launch-xxxxxx/Listeners. This is supposed to be done automatically when you log in. The listener on that socket speaks the ssh-agent protocol.

Your bash scripts are starting your own ssh agent (spelled ssh-agent, not ssh_agent) and overriding the existing ssh-agent that is set up for you at login.

Also, the whole point of the keychain is to store the passwords to your ssh keys, but you say that you don't have passphrases set on those keys, so I'm not sure what you are expecting out of the keychain integration.

Finally, when you first log in, you probably won't see a ssh-agent process. That process will be started automatically by launch services the first time something tries to read that socket in /tmp.


As of the Leopard release of OS X, ssh-agent is more tightly integrated with Keychain. It is possible to store the passphrases of all of your SSH keys securely in Keychain, from which ssh-agent will read them on startup. The bottom line is that it is simple to secure your keys with passphrases, but never have to type the passphrase to use them! Here is how:

Add the pass phrase to each ssh key to keychain: (option -k loads plain private keys only, skips certificates)

ssh-add -K [path/to/private SSH key]

(note that's a capital K)

Whenever you reboot your Mac, all the SSH keys in your keychain will be automatically loaded. You should be able to see the keys in the Keychain Access app, as well as from the command line via:

ssh-add -l

As of macOS Sierra, ssh-agent no longer auto-loads previously loaded ssh keys when you log in to your account. This is intentional on Apple part, they wanted to re-align with the mainstream OpenSSH implementation. [1]


As explained here, this is the recommended method since macOS 10.12.2:

  1. Add the following lines to your ~/.ssh/config file:

    Host *
        UseKeychain yes
        AddKeysToAgent yes
    
  2. Any key you add to the ssh-agent using the ssh-add /path/to/your/private/key/id_rsa command will be automatically added to the keychain, and should be autoloaded upon reboot.


The following is deprecated (kept for reference).

To go back to the previous behavior, you'd want to run the ssh-add -A command (which auto-loads all the ssh keys that have pass-phrases on your keychain) when you log in. To do that, follow these steps:

  1. First, add all the keys you want to auto-load to the ssh-agent using the ssh-add -K /absolute/path/to/your/private/key/id_rsa command. The -K argument ensures that the key pass-phrase is added to macOS's keychain. Make sure you use the absolute path to the key. Using a relative path will make the auto-launched script not to find your key.

  2. Make sure all of your keys are shown as added when you type ssh-add -A.

  3. Create a file called com.yourusername.ssh-add.plist in ~/Library/LaunchAgents/ with the contents below. Plist files such as this one are used by launchd to run scripts when you log in. [2] [3]

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>Label</key>
      <string>com.user.loginscript</string>
    <key>ProgramArguments</key>
      <array>
        <string>ssh-add</string>
        <string>-A</string>
      </array>
    <key>RunAtLoad</key>
      <true/>
    </dict>
    </plist>
    
  4. Tell launchd to load the plist file you just created by executing: launchctl load ~/Library/LaunchAgents/com.yourusername.ssh-add.plist.

And you should be all set.