How to use Mac OS X Keychain with SSH keys?
As of the Leopard release of OS X, ssh-agent is more tightly integrated with Keychain. It is possible to store the passphrases of all of your SSH keys securely in Keychain, from which ssh-agent will read them on startup. The bottom line is that it is simple to secure your keys with passphrases, but never have to type the passphrase to use them! Here is how:
Add the pass phrase to each ssh key to keychain: (option -k loads plain private keys only, skips certificates)
ssh-add -K [path/to/private SSH key]
(note that's a capital K)
Whenever you reboot your Mac, all the SSH keys in your keychain will be automatically loaded. You should be able to see the keys in the Keychain Access app, as well as from the command line via:
ssh-add -l
As of macOS Sierra, ssh-agent no longer auto-loads previously loaded ssh keys when you log in to your account. This is intentional on Apple part, they wanted to re-align with the mainstream OpenSSH implementation. [1]
As explained here, this is the recommended method since macOS 10.12.2:
Add the following lines to your
~/.ssh/config
file:Host * UseKeychain yes AddKeysToAgent yes
Any key you add to the ssh-agent using the
ssh-add /path/to/your/private/key/id_rsa
command will be automatically added to the keychain, and should be autoloaded upon reboot.
The following is deprecated (kept for reference).
To go back to the previous behavior, you'd want to run the ssh-add -A
command (which auto-loads all the ssh keys that have pass-phrases on your keychain) when you log in. To do that, follow these steps:
First, add all the keys you want to auto-load to the ssh-agent using the
ssh-add -K /absolute/path/to/your/private/key/id_rsa
command. The-K
argument ensures that the key pass-phrase is added to macOS's keychain. Make sure you use the absolute path to the key. Using a relative path will make the auto-launched script not to find your key.Make sure all of your keys are shown as added when you type
ssh-add -A
.Create a file called
com.yourusername.ssh-add.plist
in~/Library/LaunchAgents/
with the contents below. Plist files such as this one are used bylaunchd
to run scripts when you log in. [2] [3]<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>com.user.loginscript</string> <key>ProgramArguments</key> <array> <string>ssh-add</string> <string>-A</string> </array> <key>RunAtLoad</key> <true/> </dict> </plist>
Tell
launchd
to load the plist file you just created by executing:launchctl load ~/Library/LaunchAgents/com.yourusername.ssh-add.plist
.
And you should be all set.
There is a simpler way than Ricardo's answer to persist your password between sessions/restarts of your Mac running 10.12 Sierra.
ssh-add -K ~/.ssh/id_rsa
Note: change the path to where your id_rsa key is located.ssh-add -A
Create (or edit if it exists) the following
~/.ssh/config
file:Host * UseKeychain yes AddKeysToAgent yes IdentityFile ~/.ssh/id_rsa
Now the password is remembered between restarts!
Apple purposely changed the behaviour for ssh-agent in macOS 10.12 Sierra to no longer automatically load the previous SSH keys, as noted in this OpenRadar, Twitter discussion, and Technical Note from Apple. The solution above will mimic the old behaviour of El Capitan and remember your password.