871

It seems that ssh-add -K ~/.ssh/id_rsa will load your key but will ask for the password each time you reboot.

I am looking for a solution that would not require me to re-enter the key password between logins.

sorin
  • 29,875
  • 1
    Can you say a little more about when the password prompt comes up for you? I ask because I have an ssh-key for a remote server, which I assure you is not the same as my Mac login password or anything, and I haven't had to enter the password for the ssh-key for years. I can just open up a terminal, type "ssh ", and I'm there. I think I first set this key up under OSX 10.5. id_dsa, but I don't think that should matter. – Michael H. Apr 13 '12 at 16:39
  • My id_rsa key has a password on it. – sorin Apr 13 '12 at 16:46
  • I also have the problem that I solved this so long ago that I can't remember exactly what I did. But I think the idea is to not run ssh-add, but just run ssh directly. You should get a window popping up that will ask for the pass phrase for the key, and with a checkbox to let you store it in your keychain. – Harald Hanche-Olsen Apr 13 '12 at 18:19
  • 1
    @Sorin - so does mine! I had to enter it once, long ago, and the Mac has saved it for me ever since. Hopefully Harald's advice will help. – Michael H. Apr 13 '12 at 18:35
  • Do you mean the Keychain password (i.e. your login password) or the key's passphrase? If it's the latter, are your passphrases definitely stored in Keychain? You can check this by opening Keychain Access and looking for it in the login keychain. – Mathew Hall Apr 20 '12 at 11:41
  • ssh - authorized_keys HOWTO http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html – E1Suave May 23 '12 at 19:01
  • I do these to solve it, ref: https://unix.stackexchange.com/a/560404/388990 Hope it works, thanks – Toni Firnandes Jan 05 '20 at 03:33
  • @ToniFirnandes Those instructions you point to are outdated. One should use the accepted answer below. – oligofren Feb 04 '22 at 05:55

9 Answers

1298

It is not possible to add a private key to Keychain, but you can store the passphrase for a private key in Keychain. On OSX, the native ssh-add command has a special argument to save the private key's passphrase in the OSX Keychain, which means that your normal login will unlock it for use with ssh. On OSX Sierra and later, you also need to configure SSH to always use the Keychain (see Step 2 below).

Alternatively you can use a key without a passphrase, but if you prefer the security that's certainly acceptable with this workflow.

Step 1 - Store passphrase in the Keychain

In the latest version of MacOS (12.0 Monterey), just do this once:

ssh-add --apple-use-keychain ~/.ssh/[your-private-key]

Or in versions of MacOS older than 12.0 Monterey, use:

ssh-add -K ~/.ssh/[your-private-key]

Enter your key passphrase, and you won't be asked for it again.

(If this fails, make sure you are using Apple's version of /usr/bin/ssh-add and not something installed with brew etc.; check with which ssh-add)

Step 2 - Configure SSH-agent to always use the Keychain

(Note: In versions of OSX prior to Sierra, this is not necessary)

It seems that OSX Sierra removed the convenient behavior of persisting your keys between logins, and the update to ssh no longer uses the keychain by default. Because of this, you need to change one more thing for secure persistent key storage.

The solution is outlined in this github thread comment. Here's what you do:

  1. Ensure you've completed Step 1 above to store the passphrase in the keychain.

  2. If you haven't already, create an ~/.ssh/config file. In other words, in the .ssh directory in your home dir, make a file called config.

  3. In that .ssh/config file, add the following lines:

    Host *
        UseKeychain yes
        AddKeysToAgent yes
        IdentityFile ~/.ssh/id_rsa

    Change ~/.ssh/id_rsa to the actual filename of your private key. If you have other private keys in your ~/.ssh directory, also add an IdentityFile line for each of them. For example, I have one additional line that reads IdentityFile ~/.ssh/id_ed25519 for a 2nd private key.

    The UseKeychain yes is the key part, which tells SSH to look in your OSX keychain for the key passphrase.

  4. That's it! Next time you load any ssh connection, it will try the private keys you've specified, and it will look for their passphrase in the OSX keychain. No passphrase typing required.

trisweb
  • 13,096
  • 2
    This almost worked for me. My "login" keychain already had automatic locking disabled, so Matthew Sanabria's answer did not apply. Using ssh-add -K ... added the keys to the ssh agent without prompting for a password, but only for the current session. After a reboot, I had to reissue the command. – Poulsbo Dec 16 '16 at 07:08
  • 1
    Somehow I do the ssh-add -K and it works for a while and then suddenly starts prompting me for a password again. Not sure if this is to do with iterm or oh my zsh updates? – Abram Dec 27 '16 at 01:32
  • 8
    @Poulsbo & @Abram -- see my update, Sierra changed the automatic behavior and now you have to run ssh-add -A manually to load your saved keychain. Some possible solutions referenced above. – trisweb Jan 03 '17 at 22:20
  • 3
    @trisweb Thanks for the tip. joshbuchea's solution of modifying the .ssh/config file looks promising! See https://github.com/lionheart/openradar-mirror/issues/15361#issuecomment-270242512 – Poulsbo Jan 06 '17 at 21:19
  • 1
    @trisweb check previous comment, I think that this may be good workaround for the need to run ssh-add in bash login, especially as not everyone is using bash shell. Please update the answer once you have the confirmation that it works. – sorin Jan 11 '17 at 16:14
  • 2
    @sorin see the updated answer, and let me know if you have any feedback. Thanks! – trisweb Jan 11 '17 at 19:53
  • 2
    Editing 'config' works great on MacOS, but fails under Linux (Bad configuration option: UseKeychain). Is there a way to write one config file that works on both? – wcochran Feb 22 '17 at 20:17
  • 19
    Works great! In my case I needed to use the A flag in addition to the K one to add my keys to the keychain and register the passphrase into it (ssh-add -AK ~/.ssh/[your-private-key]). Thanks! – youssman Mar 07 '17 at 22:28
  • @wcochran I too am running into this one. This really throws a wrench into plans to keep dotfiles common across platforms. – ctt May 27 '17 at 06:52
  • 1
    One thing to remember about these: It's NOT in the OpenSSH upstream, only in the Apple [Mm]acOS(X) versions.

    There are recipes elsewhere how to get the /usr/bin/ssh-add auto add the keys, so that /usr/local/bin/ssh (OpenSSH via brew etc.) can use the user-agent

    – Hvisage Jun 01 '17 at 13:59
  • Got message on macOS 10.13.2: Bad configuration option: usekeychain. –  Jan 10 '18 at 14:05
  • 4
    @wcochran and @ctt - in Apple's Technical Note OpenSSH updates in macOS 10.12.2, they advise using IgnoreUnknown UseKeychain for cross-compatibility. – Ben Creasy Feb 18 '18 at 23:45
  • 7
    Even with the usekeychain option, I still find that my keychain will drop the .ssh/id_rsa key on reboot. – Chogg May 02 '18 at 18:39
  • 12
    I did exactly the same and my Mac still drops the key on reboot. – Ernest Zamelczyk Nov 22 '18 at 08:57
  • 1
    New Mac -- there's no A or K flag, still have to do it every time I reboot – Kerry Jones Apr 01 '19 at 20:56
  • Sadly this answer is no longer valid, there is no more option K – Matteo Sep 19 '19 at 07:15
  • 1
    @Matteo -- double-check that you're using the Apple version of ssh-add; if you've installed Homebrew or another SSH then it may be overriding it. Use which ssh-add to find out which one; the Apple version is at /usr/bin/ssh-add. Make sure /usr/bin has priority in your $PATH if this is the case. – trisweb Sep 19 '19 at 11:50
  • 1
    @trisweb Just check the apple release notes, they aligned with the rest of the world and there is no more a K or A option – Matteo Sep 20 '19 at 11:02
  • @Matteo I've installed Catalina, and the ssh-add -K option is still present and works fine. Double-check you're using the right ssh-add or if there's any other difference in your environment. – trisweb Oct 12 '19 at 14:53
  • @triswed very good, I don't plan on switching to catalina just to have that tho – Matteo Oct 16 '19 at 12:12
  • 1
    @Matteo it's present on all MacOS versions prior to Catalina as well; it continues to be present on Catalina. No worries. – trisweb Oct 17 '19 at 00:00
  • I can confirm that this still works in Catalina. The IdentityFile isn’t strictly required if the default key names are used. – Franklin Yu Mar 31 '20 at 04:57
  • Does anyone know a way to specify what keychain the password will get stored in? – v01pe Sep 17 '20 at 10:36
  • As @youssman mentioned, I also needed to use the -AK flags because in OS Catalina 10.15.6 using only -k flag only stores one key at a time, no matter how many times I added it, only one was saved when consulting them with ssh-add -l. – alexventuraio Sep 29 '20 at 04:11
  • @Matteo's comment is crucial: Make sure you are using /usr/bin/ssh-add -K! – mforbes Sep 26 '21 at 00:17
  • 1
    In Monterey, -K seems to have been replaced by --apple-use-keychain. – Nirro Nov 10 '21 at 17:26
  • 1
    Thanks for posting this! BTW on macOS Monterey these options are now called --apple-load-keychain and --apple-use-keychain, and a large WARNING is printed if you try to use the old names. This is because upstream SSH added -K as a new option to “load resident keys from a FIDO authenticator.” – andrew Nov 19 '21 at 17:26
  • I did that and it works, but for some reason when I ssh I am not asked the keychain password, not even the first time. I was under the impression adding to the keychain kept the passphrase encrypted, so people who gain access to my machine and can copy all of my encrypted private keys can't also copy the passphrase? – doplumi Jun 07 '22 at 16:02
  • 5
    I had to also add ssh-add --apple-load-keychain 2> /dev/null to my .zshrc to get this to work on reboots. – aiguofer Dec 15 '22 at 23:28
  • This doesn't work at all, and the example config file has really weird indentation. – Andrew Koster Feb 15 '23 at 22:27
  • What happens if I add a key via ssh-add --apple-use-keychain that doesn't have a passphrase? – Dan Mar 06 '23 at 16:21
  • wow, learned something today, I thought ssh-add --apple-use-keychain has to be called every single time on shell boot. I was so dumb – Pencilcheck Mar 11 '23 at 06:40
56

I had a similar problem, in that I was being asked every time for my pub-key passphrase. Per suggestion of user "trisweb" above, I turned on these options to ~/.ssh/config:

Host *
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_rsa

But it still prompted every time I wanted to use ssh. Eventually I turned on ssh -v and found this debug line:

debug1: key_load_private: incorrect passphrase supplied to decrypt private key

I then opened my keychain in "Keychain Access.app", found the key named "SSH: /Users/username/.ssh/id_rsa" and opened it up. I clicked "Show password" to disclose the password and indeed found that the passphrase in the keyring was an old passphrase. I updated the passphrase in Keychain Access, and now password-free works.

I could have also updated the passphrase with this phrase:

ssh-keygen -p -f ~/.ssh/id_rsa
37

To all where the above did not work, my issue appears to have been because I was duplicating the UseKeychain yes & AddKeysToAgent yes in all ssh key profiles / shortcuts. I updated my ~/.ssh/config file to declare these only once and they now all load on login without prompting for passwords on startup, e.g.:

Host foo
  HostName foo.com
  User fooUser
  IdentityFile ~/.ssh/foo

Host bar
  HostName bar.com
  User barUser
  IdentityFile ~/.ssh/bar

########################
# Keep the default configuration
# as the last item in this file
Host *
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/foo
  IdentityFile ~/.ssh/bar

Derek
  • 103
Andrew
  • 481
  • 5
    I would recommend Host * be after specific host rules. See man ssh_config for details. – Franklin Yu Mar 31 '20 at 04:31
  • 1
    Thank you so much for this. Where are the docs for this i.e. how did you work this out? – James Owers Jun 15 '21 at 16:06
  • 1
    ...actually, this did not work for me: I have a setup where Host bar has HostName foo.com too (i.e. two different configs for the same site). IdentityFile ~/.ssh/foo was always used. To fix, I had to move the Host * section to the bottom, as @FranklinYu suggests. I think this is because

    For each parameter, the first obtained value will be used.

    https://linux.die.net/man/5/ssh_config

    – James Owers Jun 18 '21 at 03:34
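The "first obtained value will be used" rule quoted above, and the `Host *` block from Step 2 of the accepted answer, can be checked with a small resolver. This is an added example, not code from any answer on this page: the config text and the host aliases foo and bar are constructed, and the resolver is a deliberate simplification of ssh_config(5) (glob Host patterns only, no Match blocks).

```python
import fnmatch

# Constructed sample config (not from any answer on this page).
STAR = """
Host *
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/foo
  IdentityFile ~/.ssh/bar
"""
SPECIFIC = """
Host foo
  HostName foo.com
  IdentityFile ~/.ssh/foo

Host bar
  HostName foo.com
  User barUser
  IdentityFile ~/.ssh/bar
"""
STAR_FIRST = STAR + SPECIFIC  # ordering that makes ssh offer ~/.ssh/foo first for bar
STAR_LAST = SPECIFIC + STAR   # Host * as the last item, as the comments recommend

def resolve(config_text, host):
    """ssh_config(5)-style resolution for one host alias: first value seen for
    each keyword wins; IdentityFile accumulates in order (duplicates skipped).
    Simplified: glob Host patterns only, no Match blocks, no negated patterns."""
    result = {}
    active = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active and key == "identityfile":
            files = result.setdefault(key, [])
            if value not in files:
                files.append(value)
        elif active:
            result.setdefault(key, value)  # first obtained value wins
    return result

def identity_order(config_text, host):
    """Keys ssh would offer for `host`, in the order it would try them."""
    return resolve(config_text, host).get("identityfile", [])
```

On a real machine, `ssh -G bar` prints the configuration ssh itself resolves for that alias, which is the authoritative check.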
21

Also, in macOS Sierra and High Sierra (don't know about previous versions), running ssh-add -A will get the agent to load all keys whose passphrases are stored on Keychain... So very handy

Note that these option flags have been renamed and the old ones deprecated in later versions of macOS. From the ssh man page:

APPLE_SSH_ADD_BEHAVIOR
Enables or disables the older processing of the -A and -K options used in earlier macOS releases. These options have been renamed --apple-load-keychain and --apple-use-keychain respectively.
However, -A and -K still behave as in earlier releases except in the following circumstances:

  • If a security provider was specified with -S or SSH_SK_PROVIDER, or if APPLE_SSH_ADD_BEHAVIOR is set to the value “openssh”, then ssh-add uses standard OpenSSH behavior: the -A flag is not recognized and the -K flag behaves as documented in the DESCRIPTION section above.
  • Otherwise, ssh-add -A and -K will behave as in earlier macOS releases. A warning will be output to standard error unless APPLE_SSH_ADD_BEHAVIOR is set to the value “macos”. Note: Future releases of macOS will not support neither -A nor -K without setting this environment variable.
jaume
  • 15,010
JJarava
  • 1,246
16

Answer on OSX 12.0 Monterey

You can now use the flag --apple-use-keychain to accomplish exactly this.

ssh-add --apple-use-keychain ~/.ssh/id_rsa

Add this to your .zshrc or .bashrc file to have it load from your keychain on new logins / terminal instances.

This replaces the -K and -A flags:

WARNING: The -K and -A flags are deprecated and have been replaced
         by the --apple-use-keychain and --apple-load-keychain
         flags, respectively.  To suppress this warning, set the
         environment variable APPLE_SSH_ADD_BEHAVIOR as described in
         the ssh-add(1) manual page.
froboy
  • 3
2

See the answer from @Trisweb above - https://apple.stackexchange.com/a/250572/231343. When I try this, for some reason I get the message ssh-add: illegal option when I use the --apple-use-keychain option (I'm using macOS Ventura 13.4.1).

The -K option is in Apple's standard version of ssh-add, I was able to use it, although when I try ssh-add -K ~/.ssh/my_private_key, I'm prompted for a PIN, so I needed:

/usr/bin/ssh-add -K ~/.ssh/my_private_key

Apparently you can also use the -k option instead of -K, which will prompt you for the private key passphrase that you set up when creating the keys.

0

I have added the two lines below to the ~/.bash_profile file and it worked on macOS Monterey.

eval "$(ssh-agent -s)"
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
agarza
  • 2,274
Velu
  • 101
-3

One of the solutions is to delete .ssh from the path, like this: "ssh-add --apple-use-keychain ~/id_ed25519" or "ssh-add --apple-use-keychain ~/[YOURS ID OF SSH]"

Also, you need to change the path in ~/.ssh/config by deleting /.ssh

  • This is misleading at best and confused at worst. The file name should obviously point to the actual file name of the key file; but probably don't store your keys in your home directory. The .ssh directory is the customary location, and usually has stricter permissions than what is customary or practical for home directories. – tripleee Aug 21 '23 at 10:05
-4

Add the public key in:

.ssh/known_hosts

Public keys are usually at:

/home/user/.ssh/id_rsa.pub

Hope that helps

lluisi
  • 55
  • 3