macOS Sierra, ssh key passphrase, and the Keychain

Tell macOS Sierra to stop storing ssh key passphrases in the Keychain.

The behavior of ssh, ssh-agent and ssh-add changed in macOS Sierra. There is no longer a GUI pop-up asking for the ssh key passphrase in order to store the identity in ssh-agent. Instead, ssh asks for the passphrase at a command line prompt and then stores the passphrase in the Keychain. The worst part is that there is no obvious way to delete it via Keychain Access. This isn't quite right: we usually expect ssh-agent to store only our keys, and the system to forget the identity after a reboot. The idea is that the program may remember the key, but not the passphrase.

For people who want the old behavior, simply put these three lines in your ~/.ssh/config:

Host *
  UseKeychain no
  AddKeysToAgent yes

UseKeychain is a macOS-only parameter and defaults to yes. AddKeysToAgent is a new parameter introduced in OpenSSH 7 and defaults to no.
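Because ssh_config applies the first value it obtains for each option, where the "Host *" block sits in the file decides whether a later per-host "UseKeychain yes" can ever take effect. The following script is an added example, not code from the original post: it reads a constructed sample config (standing in for ~/.ssh/config) and reports the value an ssh client would apply for a given host. The function names, the sample hostnames and the sample config are all assumptions made for the example; only plain "Host" patterns with * and ? wildcards are handled, not negated patterns, Match blocks or the key=value syntax.

```shell
#!/bin/sh
# Added example (not part of the original post): work out which value an
# ssh client will apply for UseKeychain / AddKeysToAgent on a given host.
# ssh_config uses a first-match rule: the first obtained value for an
# option wins, so a "Host *" block at the top of the file overrides any
# per-host setting placed below it.  Only "Host" patterns with * and ?
# wildcards are handled; negated patterns and Match blocks are not.

# Constructed sample config standing in for ~/.ssh/config.
SAMPLE_CONFIG='Host *
  UseKeychain no
  AddKeysToAgent yes

# a per-host override that comes too late to take effect
Host work.example.com
  UseKeychain yes
  IdentityFile ~/.ssh/id_work
'

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# effective_option <config-text> <hostname> <option>
# Prints the winning value for <option>, or "unset" when the built-in
# default applies.
effective_option() {
    _cfg=$1; _host=$2; _want=$(lower "$3")
    _active=1   # lines before the first Host block apply to every host
    _found=""
    while read -r _key _val _rest; do
        # skip blank lines and comments
        case $_key in ''|'#'*) continue ;; esac
        _key=$(lower "$_key")
        if [ "$_key" = host ]; then
            # a Host line starts a new block; it is active only if one of
            # its patterns matches the hostname we are asking about
            _active=0
            set -f   # keep '*' patterns from expanding to file names
            for _pat in $_val $_rest; do
                case $_host in $_pat) _active=1 ;; esac
            done
            set +f
            continue
        fi
        # first-match rule: keep the first value seen in an active block
        if [ "$_active" = 1 ] && [ -z "$_found" ] && [ "$_key" = "$_want" ]; then
            _found=$_val
        fi
    done <<EOF
$_cfg
EOF
    printf '%s\n' "${_found:-unset}"
}

# keychain_disabled_for <config-text> <hostname>
# Succeeds when the passphrase will NOT be stored in the Keychain for that host.
keychain_disabled_for() {
    [ "$(effective_option "$1" "$2" UseKeychain)" = no ]
}

# Stand-alone demo over the constructed sample.
for _h in github.com work.example.com; do
    printf '%-18s UseKeychain=%s AddKeysToAgent=%s\n' "$_h" \
        "$(effective_option "$SAMPLE_CONFIG" "$_h" UseKeychain)" \
        "$(effective_option "$SAMPLE_CONFIG" "$_h" AddKeysToAgent)"
done
```

Running it shows that work.example.com still gets UseKeychain=no despite its own block saying yes, because the "Host *" block above it was matched first. To audit a real machine, replace SAMPLE_CONFIG with the contents of ~/.ssh/config.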

How about the passphrase previously stored in the Keychain?

First, use ssh-add to load your key into the agent again.
Then, use ssh-add -K -d to delete the key from the agent and the passphrase from the Keychain. Finally, use ssh-add -K to make sure nothing is loaded automatically.

For those who are still not satisfied, locate these files with find and delete them:

cd ~
find ./ -name "keychain-2.db*"

Other data is encrypted in that database as well, so make sure there is a backup before deleting it.