Apple - macOS 10.12 Sierra will not forget my ssh keyfile passphrase
To disable storing the passphrase in the keychain, add the following lines to your ~/.ssh/config file:
Host *
    UseKeyChain no
If you already have a passphrase stored in the keychain, you can delete it using these commands:
cd ~/Library/Keychains/<UUID>/
sqlite3 keychain-2.db 'delete from genp where agrp="com.apple.ssh.passphrases"'
If you would like the same behavior as in OS X El Capitan or earlier (i.e. the passphrase is stored until logout or restart), simply add to ~/.ssh/config:
AddKeysToAgent yes
You don't need to start ssh-agent.
Thanks to Clive, I have a better understanding of this new 'feature'. When you type in your passphrase, Sierra adds it to your Keychain but not to the ssh-agent. If your identity isn't in ssh-agent, there is no way to manage it with ssh-add. To manage (i.e. remove) your identity from Keychain, you need to add your identity to ssh-agent by using ssh-add. Once you have added your identity to ssh-agent, you can use ssh-add -K -d to remove it from both ssh-agent and Keychain. If you want your identity to be added to ssh-agent every time you use ssh, add:
AddKeysToAgent yes
to your .ssh/config. This will ensure that ssh-agent always has your identity.
ssh-add -K -d
This can remove passphrases previously stored in the keychain. Since macOS 10.12 Sierra, to avoid the passphrase being stored in the keychain again, be sure to do ssh-add first.
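
Added example, not part of any answer above: ssh_config uses the first value it obtains for each keyword, so the Host * / UseKeyChain no block from the first answer only takes effect for a host when no earlier matching block sets the option. The script below reports which value wins for a given host; the function names, host names and sample config are constructed for illustration, and Include and Match handling are left out.

```shell
# Added example. Assumptions: no Include/Match support (Match blocks are skipped),
# unquoted values, lowercase host names. Sample config below is constructed.

# host_matches HOST PATTERN...: true if a pattern matches and no "!pattern" does.
host_matches() {
    host=$1; shift
    hit=1
    for pat in "$@"; do
        case $pat in
            \!*) case $host in ${pat#!}) return 1 ;; esac ;;
            *)   case $host in $pat) hit=0 ;; esac ;;
        esac
    done
    return "$hit"
}

# ssh_opt_for_host CONFIG HOST KEYWORD: print the first value that applies, or "unset".
ssh_opt_for_host() {
    config=$1; target=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    active=0                                     # lines before any Host apply to all
    while read -r key rest || [ -n "$key" ]; do
        case $key in ''|'#'*) continue ;; esac
        case $key in *=*) rest=${key#*=}${rest:+ $rest}; key=${key%%=*} ;; esac
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case $key in
            host)  set -f   # keep "*" in patterns from globbing against files
                   if host_matches "$target" $rest; then active=0; else active=1; fi
                   set +f ;;
            match) active=1 ;;
            "$want") if [ "$active" -eq 0 ]; then printf '%s\n' "$rest"; return 0; fi ;;
        esac
    done < "$config"
    echo unset
}

sample=$(mktemp)
cat > "$sample" <<'EOF'
Host build-*.example.test !build-legacy.example.test
    UseKeychain yes
Host *
    UseKeyChain no
    AddKeysToAgent yes
EOF
for h in build-01.example.test build-legacy.example.test other.example.test; do
    printf '%s: UseKeychain=%s AddKeysToAgent=%s\n' "$h" \
        "$(ssh_opt_for_host "$sample" "$h" UseKeychain)" \
        "$(ssh_opt_for_host "$sample" "$h" AddKeysToAgent)"
done
```

Pointed at a real ~/.ssh/config, a result of "unset" means the file does not set the keyword for that host, so the system default applies.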