Monday, December 19, 2016

macOS 10.12.2: SSH Starts Asking for id_rsa Passphrase

I have an id_rsa file set up so that I can SSH and Git into my servers. The SSH keys are protected by a passphrase. ssh-agent remembers the passphrase so I don’t have to keep entering it, and it can get the passphrase from the Mac keychain so that I don’t have to enter it at all. When I updated to macOS 10.12.2, I was suddenly being prompted for the passphrase again. It seems that macOS 10.12 added a new UseKeychain option for ssh, but this didn’t affect me because it defaulted to on. As of macOS 10.12.2, it defaults to off. There was also a change in macOS 10.12 that meant keys were no longer automatically added to the agent. I don’t think this affected me because mine had already been added and I didn’t start using any new servers.

Anyway, to get back to the behavior I like where auto-login works, I set up my .ssh/config file as:

Host *
  UseKeychain yes
  AddKeysToAgent yes
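A way to confirm what this file resolves to for a given host, as an added example that is not code from the post: ssh_config applies the first value it finds for an option, so a trailing `Host *` block only supplies defaults for options that an earlier, more specific block has not already set. The sample config, temp file and host names below are constructed; `IgnoreUnknown` (OpenSSH 6.3 and later) is included so the same file loads on non-Apple builds that would otherwise reject `UseKeychain`.

```shell
#!/bin/sh
# Added example, not from the post: resolve the effective value of an option
# for a host straight from an ssh_config file, using ssh's first-match rule.
# Limitations: "Key=Value" syntax and "!negated" Host patterns are not handled.

# ssh_config_get CONFIG HOST OPTION -> prints the effective value (or nothing)
ssh_config_get() {
    awk -v host="$2" -v opt="$3" '
    function glob(p, s,    pc) {                 # ssh-style * and ? matching
        if (p == "") return s == ""
        pc = substr(p, 1, 1)
        if (pc == "*") return glob(substr(p, 2), s) || (s != "" && glob(p, substr(s, 2)))
        if (s == "") return 0
        if (pc == "?" || pc == substr(s, 1, 1)) return glob(substr(p, 2), substr(s, 2))
        return 0
    }
    BEGIN { opt = tolower(opt); active = 1 }      # lines before any Host apply to all
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    tolower($1) == "host" {
        active = 0
        for (i = 2; i <= NF; i++) if (glob($i, host)) active = 1
        next
    }
    active && tolower($1) == opt { print $2; exit }   # first match wins
    ' "$1"
}

# keychain_autoload_ok CONFIG HOST -> 0 only if both options the post sets are on
keychain_autoload_ok() {
    [ "$(ssh_config_get "$1" "$2" UseKeychain | tr A-Z a-z)" = yes ] &&
    [ "$(ssh_config_get "$1" "$2" AddKeysToAgent | tr A-Z a-z)" = yes ]
}

# Constructed sample: one host opts out of keychain storage for its passphrase,
# everything else gets the post's global defaults. IgnoreUnknown must come
# before UseKeychain so that stock OpenSSH (6.3+) does not reject the file.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
Host bastion.example.com
  UseKeychain no

Host *
  IgnoreUnknown UseKeychain
  UseKeychain yes
  AddKeysToAgent yes
EOF
```

Run `keychain_autoload_ok ~/.ssh/config some-host` against your real file to check that a specific Host block has not quietly overridden the `Host *` defaults.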

Update (2016-12-22): Apple Technical Note TN2449:

Prior to macOS Sierra, ssh would present a dialog asking for your passphrase and would offer the option to store it into the keychain. This UI was deprecated some time ago and has been removed.

Instead, a new UseKeychain option was introduced in macOS Sierra allowing users to specify whether they would like for the passphrase to be stored in the keychain. This option was enabled by default on macOS Sierra, which caused all passphrases to be stored in the keychain.

This was not the intended default behavior, so this has been changed in macOS 10.12.2. To store passphrases in the keychain, set this option in your ssh configuration file[…]

4 Comments

After I upgraded to Sierra (went straight to 10.12.2) I was asked for my SSH key passphrase after every time I rebooted. Previously the passphrase was read from the keychain when needed, but that doesn't happen anymore in Sierra. It was especially annoying since I had ExpanDrive auto-mounting volumes on boot. I tried many solutions but the one that worked for me to restore the previous behaviour was the .plist that jirsbek published. (Any kind of .bash_profile solution that was initiated only when the Terminal opened was not enough, because ExpanDrive.)

Having multiple SSH keys with custom names, in addition to your configuration I had to add:

`IdentityFile ~/.ssh/path_to_SSH_key`

for every key that I wanted added to `ssh-agent`.

Even with "AddKeysToAgent yes" I can't get my keys added automatically; like Adrian B above, I need to run ssh-add -A.

Also noticed some fun bugs when I try to add the same identity via two different paths (e.g. ~/.ssh/id_rsa and just id_rsa). They initially show up as two separate entries, but then eventually deleting one deletes the other after a logout/login.

Sure finding a lot of reasons to stay on 10.11! Unfortunately "IgnoreUnknown" doesn't work with OpenSSH 6.2, which comes with 10.10.5, so I need to fork my .ssh/config file.

[…] According to Michael Tsai, macOS 10.12 introduced a new UseKeychain option, which until now was active by default, […]
