Mac OSX keeps prompting SSH key passphrase, does not use KeyChain

Profile image of Mattias Geniar

Mattias Geniar, December 28, 2016

Follow me on Twitter as @mattiasgeniar

A minor annoyance after my Mac decided to auto-update to OSX 10.12.2: every time I wanted to SSH to a server, it kept prompting for my SSH key passphrase.

$ ssh ma.ttias.be
Enter passphrase for key '/Users/mattias/.ssh/id_rsa':

It used to save that info in Keychain, that got unlocked whenever I unlocked the Mac.

There’s a quick workaround offered by Aral that seems to work fine for me.

$ cat ~/.ssh/config
Host *
  UseKeychain yes
  AddKeysToAgent yes

Add that UseKeychain yes line to your ~/.ssh/config line and it forces the SSH daemon to use Keychain.

The reason is that the latest updates comes bundled with an updated OpenSSH package that changes some default behaviour.

Prior to macOS Sierra, ssh would present a dialog asking for your passphrase and would offer the option to store it into the keychain. This UI was deprecated some time ago and has been removed.

Instead, a new UseKeychain option was introduced in macOS Sierra allowing users to specify whether they would like for the passphrase to be stored in the keychain. This option was enabled by default on macOS Sierra, which caused all passphrases to be stored in the keychain.

This was not the intended default behavior, so this has been changed in macOS 10.12.2.

OpenSSH updates in macOS 10.12.2

That solved it for me.



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.