macOS Sierra, ssh key passphrase, and the Keychain

Tell macOS Sierra to stop Keychaining ssh key passphrase.

The behavior of ssh, ssh-agent and ssh-add, changed in macOS Sierra. There is no GUI pop up asking for ssh key passphrase to store the identity in ssh-agent. Instead, ssh asks you for the passphrase via command line prompt, then stores the passphrase in the Keychain. The worst part is, there’s no clue to delete that via Keychain Access. This isn’t quite right. Usually we expect ssh-agent stores our keys only, and the system will forget the identity after reboot. The concept is, the program can only remember the key but not the passphrase.

For people who want the old behavior, simply put these three lines in your ~/.ssh/config:

Host *
  UseKeychain no
  AddKeysToAgent yes

UseKeychain is a macOS only parameter, default yes. AddKeysToAgent is a new parameter introduced in OpenSSH 7, default no.

How about the passphrase previously stored in the Keychain?

First, using ssh-add to load your key into the agent again.
Then, using ssh-add -K -d to delete the key in agent and the passphrase in Keychain. Finally, using ssh-add -K to make sure nothing will be automatically loaded.

For those who still feel unhappy, find these files by find and delete them:

cd ~
find ./ -name "keychain-2.db*"

Though there’re some other stuff encrypted in it. Make sure there’s a backup before delete them.

Advertisements

3 thoughts on “macOS Sierra, ssh key passphrase, and the Keychain

  1. Thanks so much for posting this. I had an issue where agent-forwarding suddenly stopped working (from a mac to a linux box – which has an older version of OpenSSH, but I think that’s irrelevant). Re-enabling the local agent as per your directions solved the problem.

    Like

  2. By default macOS Sierra stores your passphrase in Keychain, not your identity in ssh-agent. This breaks agent-forwarding as well. Although, I believe Apple did that for a reason: to bypass new OpenSSH restriction.

    Since OpenSSH v7, DSA keys support is off by default. Which means ssh-agent won’t load your old DSA key, unless turn on the option in ~/.ssh/config.

    Ref: http://www.openssh.com/legacy.html

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s