772

It used to remember the passphrase, but now it asks me for it each time.

I've read that I need to regenerate the public key with this command, which I did:

ssh-keygen -y -f id_rsa > id_rsa.pub

but it didn't fix anything.

How can I make macOS remember my passphrase again?

Giacomo1968
  • 58,727
erwan
  • 7,841

16 Answers

1472

In the latest version of macOS (10.12.2), this is easy to fix. Just edit your ~/.ssh/config and enable the UseKeychain option:

Host *
    UseKeychain yes

There is no need to change anything else. Now everything works the way it used to work before the latest updates. You do not need to add keys to ssh-agent.


Edit: You may still need to enter your passphrase once. If you don't know it, follow these instructions to reveal it.

Jukka Suomela
  • 15,310
225

I had the same problem. macOS Sierra keychain keeps asking for the passphrase. Your id_rsa should be encrypted with a passphrase for security. Then try adding it to the keychain: ssh-add -K ~/.ssh/id_rsa

If your key is in another folder than ~/.ssh then substitute with the correct folder.

Keychain now knows your ssh key and, hopefully, all works now (mine did)

techraf
  • 4,952
Lars G.
  • 2,259
95

This fixed my similar issue:

/usr/bin/ssh-add -K

This stores passphrases in your keychain.


Update (thanks @EasyCo):

This works but does not persist between restarts. @jukka-suomela's solution on this page does work across restarts. You can find that answer here.


Second update (thanks @user5359531):

In macOS Sonoma 14.x:

WARNING: The -K and -A flags are deprecated and have been replaced
         by the --apple-use-keychain and --apple-load-keychain
         flags, respectively.  To suppress this warning, set the
         environment variable APPLE_SSH_ADD_BEHAVIOR as described in
         the ssh-add(1) manual page.
Giacomo1968
  • 58,727
Raoul
  • 1,071
49

I only had to enter the correct passphrase once and it started working. The problem was that I didn't remember my original SSH passphrase, but I recovered it by following these steps from Github:

  • In Finder, search for the Keychain Access app.
  • In Keychain Access, search for SSH.
  • Double click on the entry for your SSH key to open a new dialog box.
  • In the lower-left corner, select Show password.
  • You'll be prompted for your administrative password. Type it into the "Keychain Access" dialog box.
  • Your password will be revealed.
Olli Jaakkola
  • 591
  • 3
  • 2
23

One fix is to add the following to your ~/.ssh/config file:

Host *
   AddKeysToAgent yes
   IdentityFile ~/.ssh/id_rsa
   UseKeychain yes

Taken from: https://www.reddit.com/r/osx/comments/52zn5r/difficulties_with_sshagent_in_macos_sierra/

Also see: https://apple.stackexchange.com/a/264974/3810

ThomasW
  • 403
20

None of the above solutions worked after installing Sierra over El Capitan on a new MacBook Pro. Sierra by design does not save SSH keys in the keychain.

Two solutions worked for me. One is to add the command ssh-add -A &> /dev/null to ~/.bash_profile. Every time you open the terminal, this command will be executed (the &> /dev/null part sends the output of the command to the file /dev/null).

A more complicated but slightly slicker solution is to create a plist with the command that is executed every time the OS is booted as suggested in Saving SSH keys in macOS Sierra keychain. This involves using Xcode to create the file.

Giacomo1968
  • 58,727
Hank Snow
  • 301
10

I tried multiple answers here, but was still having issues with remote keys passing (such as when using capistrano). To solve it, I read the technote from apple and made this my config file. No more asking for my password!

https://developer.apple.com/library/content/technotes/tn2449/_index.html

Host *  
   IdentityFile ~/.ssh/id_rsa  
   IgnoreUnknown UseKeychain  
   UseKeychain yes  
   AddKeysToAgent yes
DavidPostill
  • 162,382
8

This morning, I had the same problem as you after updating to Sierra. In my case, the id_rsa file was encrypted and after decrypting it was working like a charm.

  1. Verify if your id_rsa file is encrypted with the following command: cat ~/.ssh/id_rsa | head -2
  2. If the second line says Proc-Type: 4,ENCRYPTED, it's encrypted and you could try decrypting it
  3. Important: make a backup of your original id_rsa file! Use the command cp ~/.ssh/id_rsa ~/.ssh/id_rsa.bak
  4. Decrypt your private key with openssl rsa -in ~/.ssh/id_rsa -out ~/.ssh/id_rsa.decrypted
  5. Remove the original key (rm ~/.ssh/id_rsa) and replace it with the decrypted one: mv ~/.ssh/id_rsa.decrypted ~/.ssh/id_rsa

After these steps, you should be able to use ssh again.
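An added example, not part of the answer above: the Proc-Type header test in step 2 only applies to legacy PEM keys, while keys in the current OpenSSH format carry the cipher name inside the base64 body instead. The function names key_protection and list_plaintext_keys are hypothetical; the sketch assumes a base64 that accepts --decode.

```shell
# Report whether a private key file is passphrase-protected.
# Prints one of: encrypted | plaintext | unknown.
key_protection() {
    keyfile=$1
    first=$(head -n 1 "$keyfile" 2>/dev/null | tr -d '\r')
    case $first in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # Current ssh-keygen format. The decoded body starts with the 15-byte
        # magic "openssh-key-v1\0" and a 4-byte length, so the cipher name
        # begins at offset 19; "none" means the key is stored unencrypted.
        cipher=$(grep -v '^-----' "$keyfile" | tr -d '\r\n' |
                 base64 --decode 2>/dev/null |
                 dd bs=1 skip=19 count=4 2>/dev/null) || cipher=
        case $cipher in
        none) echo plaintext ;;
        "")   echo unknown ;;
        *)    echo encrypted ;;
        esac ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")
        echo encrypted ;;   # PKCS#8 with encryption
    "-----BEGIN PRIVATE KEY-----")
        echo plaintext ;;   # PKCS#8 without encryption
    "-----BEGIN "*" PRIVATE KEY-----")
        # Legacy PEM (RSA/DSA/EC): the header check from step 2 above.
        if sed -n '2p' "$keyfile" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
            echo encrypted
        else
            echo plaintext
        fi ;;
    *)  echo unknown ;;     # public keys, config files, anything else
    esac
}

# List every plaintext private key in a directory (default: ~/.ssh).
list_plaintext_keys() {
    dir=${1:-$HOME/.ssh}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$(key_protection "$f")" = plaintext ] && printf '%s\n' "$f"
    done
    return 0
}
```

Calling list_plaintext_keys ~/.ssh after following the steps above shows which key files are no longer protected by a passphrase on disk.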

8

I started suffering from the same problem using macOS Monterey. I just noticed that when I tried to add my key using:

 /usr/bin/ssh-add -K /path/to/my-key

I saw this:

WARNING: The -K and -A flags are deprecated and have been replaced
         by the --apple-use-keychain and --apple-load-keychain
         flags, respectively.  To suppress this warning, set the
         environment variable APPLE_SSH_ADD_BEHAVIOR as described in
         the ssh-add(1) manual page.

So I used:

/usr/bin/ssh-add --apple-use-keychain /path/to/my-key

Added this answer in case someone else is suffering from this using macOS Monterey.

6

I had this issue as well when attempting to deploy some code using Capistrano. Very frustrating. Here are two methods I know of to deal with this issue.

Method 1: Add all known keys to the SSH agent.

So one solution I found is to run ssh-add with the -A option—which adds all known identities to the SSH agent using any passphrases stored in your keychain—like this:

ssh-add -A

Now this works but it won’t persist across reboots. So if you want to never worry about this again, just open up your user’s ~/.bash_profile file like this:

nano ~/.bash_profile

And add this line to the bottom:

ssh-add -A 2>/dev/null;

Now when you open a new Terminal window, all should be good!

Method 2: Add only SSH keys that are in the keychain to the agent.

So while the ssh-add -A option should work for most basic cases, I ran into an issue recently where I had 6-7 Vagrant boxes (which use SSH keys/identities for access) set up on a machine on top of the more common id_rsa.pub in place.

Long story short, I ended up being locked out of a remote server due to too many failed tries based on SSH keys/identities since the server access was based on a password and SSH keys/identities are SSH keys/identities. So the SSH agent tried all of my SSH keys, failed and I couldn’t even get to the password prompt.

The problem is that ssh-add -A will just arbitrarily add every single SSH key/identity you have to the agent even if it’s not necessary to do so; such as in the case of Vagrant boxes.

My solution after much testing was as follows.

First, if you have more SSH keys/identities added to your agent than you need—as shown with ssh-add -l—then purge them all from the agent like so:

ssh-add -D

With that done, then start the SSH agent as a background process like so:

eval "$(ssh-agent -s)"

Now, it gets weird and I am not too sure why. In some cases you can specifically add the ~/.ssh/id_rsa.pub key/identity to the agent like so:

ssh-add ~/.ssh/id_rsa.pub

Type in your passphrase, hit Return and you should be good to go.

But in other cases simply running this is enough to get the key/identity added:

ssh-add -K

If that’s all worked, type in ssh-add -l and you should see one lone SSH key/identity listed.

All good? Now open up your .bash_profile:

nano ~/.bash_profile

And add this line to the bottom; comment or remove the -A version if you have that in place:

ssh-add -K 2>/dev/null;

That will allow the SSH key/identity to be reloaded to the SSH agent on each startup/reboot.

UPDATE: Apple has now added a UseKeychain option to the open SSH config options and considers ssh-add -A a solution as well.

As of macOS Sierra 10.12.2, Apple (I assume) has added a UseKeychain config option for SSH configs. Checking the man page (via man ssh_config) shows the following info:

UseKeychain
        On macOS, specifies whether the system should search for
        passphrases in the user's keychain when attempting to use a par-
        ticular key. When the passphrase is provided by the user, this
        option also specifies whether the passphrase should be stored
        into the keychain once it has been verified to be correct.  The
        argument must be ``yes'' or ``no''.  The default is ``no''.

Which boils down to Apple seeing the solution as either adding ssh-add -A to your .bash_profile as explained in this Open Radar ticket or adding UseKeychain as one of the options in a per user ~/.ssh/config.

Giacomo1968
  • 58,727
4

Jukka Suomela's answer is correct, but if you are using openssh installed from homebrew, then you also need to uninstall it with:

brew remove openssh

...to switch back to system default openssh, because homebrew's one doesn't support UseKeychain ssh config entry.

3

You need a .plist file added to ~/Library/LaunchAgents/ to run ssh-add -A on every startup of macOS.

There's a single command which does this (from SSH-keys-in-macOS-Sierra-keychain):

curl -o ~/Library/LaunchAgents/ssh.add.a.plist https://raw.githubusercontent.com/jirsbek/SSH-keys-in-macOS-Sierra-keychain/master/ssh.add.a.plist
Alec Rust
  • 139
2

I tried all solutions suggested here, but I don't have keychain set up in my Mac.

Adding the following line at the top of the .ssh/config file on both the local and the remote machine worked for me.

PubkeyAcceptedKeyTypes=+ssh-dss 
Giacomo1968
  • 58,727
1

Updated for Sonoma 14.x...

I was able to add my SSH key to Tower without being repeatedly asked for the password by running this in Terminal:

ssh-add --apple-use-keychain ~/.ssh/id_ed25519

In Mac's newest OS, "The -K and -A flags are deprecated and have been replaced by the --apple-use-keychain and --apple-load-keychain flags, respectively."

You should not need to add/modify ~/.ssh/config using this solution.

0

I am using the version of ssh that is bundled with macOS and I have found that, at least on macOS 14.x Sonoma and macOS 15.x Sequoia, attempting to use ssh-add --apple-use-keychain will work initially, but at some point later it will suddenly start asking for the passphrase again. It's not clear what causes it to stop working -- it seems like it might be after installing an OS update (maybe after the bundled version of ssh is updated?) The passphrase is still saved in my Keychain and the file still exists in ~/.ssh/.

Previously I have fixed this by going through the ssh-add --apple-use-keychain dance again, but I discovered that updating ~/.ssh/config as described above with the UseKeychain option will make it start working again.

Host my-hostname.local
    UseKeychain yes
-2

In my case, ssh asked for the passphrase because I tried to connect without specifying a username:

ssh hostname.com

Remote host considers it as connecting under root. Fixed using my remote host username:

ssh username@hostname.com
coolsv
  • 97