Apple - macOS 10.12 Sierra will not forget my ssh keyfile passphrase

To disable storing passphrase in keychain you should add following lines to ~/.ssh/config file:

Host *
UseKeyChain no

If you already have passphrase stored in keychain you can delete it using commands:

cd ~/Library/Keychains/<UUID>/
sqlite3 keychain-2.db 'delete from genp where agrp="com.apple.ssh.passphrases"'

If you would like to have a behavior like in OS X El Capitan or earlier (i.e. passphrase stored until logout or restart) simply add to ~/.ssh/config:

AddKeysToAgent yes

You don't need to start ssh-agent.


Thanks to Clive, I have a better understanding of this new 'feature'. When you type in your passphrase Sierra adds it to your Keychain but not to the ssh-agent. If your identity isn't in ssh-agent there is no way to manage it with ssh-add. To manage (ie. remove) your identity from Keychain you need to add your identity to ssh-agent by using ssh-add. Once you have added your identity to ssh-agent you can use ssh-add -K -d to remove it from both ssh-agent and Keychain. If you want your identity to be added to ssh-agent every time you use ssh add:

AddKeysToAgent yes

to your .ssh/config. This will ensure that ssh-agent always has your identity.


ssh-add -K -d

This can remove passphrases previously stored in the keychain. Since macOS 10.12 Sierra, to avoid the passphrase stored in the keychain again, be sure to do ssh-add first.