jirsbek / ssh-keys-in-macos-sierra-keychain Goto Github PK

Ok, so I recently upgraded to High Sierra and ran into this fun little issue about SSH keys no longer being saved to the keychain or automatically being added to the ssh-agent...

I have read dozens and dozens of articles, blogs and forum posts and I have tried everything they have suggested to no avail. No matter what I do, whenever I reboot, I am forced to manually run: ssh-add -K ~/.ssh/id_rsa and then manually enter my passphrase, even though my ~/.ssh/config file contains the UseKeyChain yes and AddKeysToAgent yes, and I can see my ssh key and passphrase saved to my login keychain.

I tried to create a .plist file to run ssh-add -A on startup, but I always get the error message: No identity found in the keychain even though I can see it when I run ssh-add -l

JBARKER-01:~ joshua.barker$ ssh-add -l
2048 SHA256:<xxx> /Users/joshua.barker/.ssh/id_rsa (RSA)
JBARKER-01:~ joshua.barker$ ssh-add -A
No identity found in the keychain.

~/.ssh/config

JBARKER-01:~ joshua.barker$ cat ~/.ssh/config
Host *
  IdentityFile ~/.ssh/id_rsa
  UseKeyChain yes
  AddKeysToAgent yes

Host localhost
  UseKeyChain yes
  AddKeysToAgent yes
  HostName localhost
  IdentityFile ~/.ssh/localhost_id_rsa

Host 0.0.0.0
  UseKeyChain yes
  AddKeysToAgent yes
  HostName 0.0.0.0
  IdentityFile ~/.ssh/localhost_id_rsa

I am currently on Mac OSX High Sierra 10.13.4 (17E202) and have OpenSSH_7.6p1, LibreSSL 2.6.2.

As best I can tell, either the SSH agent or the OS is ignoring the SSH key is stored in my keychain and/or is ignoring my config settings.

I have tried everything I can think of... any help would be greatly appreciated... Thanks!

Please see https://developer.apple.com/library/content/technotes/tn2449/_index.html

Hi,

If you install a more recent SSH version via (e.g.) brew one might get the:

$ ssh-add -K
ssh-add: illegal option -- K

Pass the full path to ssh-add (/usr/bin/ssh-add) to work around this problem.

When using agent forward to connect with one key to a bastion server and then with different keys to other servers the sequence of keys in the ssh_config file is important.
e.g.:

Host *
IdentityFile ~/.ssh/KEY_1.pem
IdentityFile ~/.ssh/KEY_2.pem
IdentityFile ~/.ssh/KEY_3.pem
AddKeysToAgent yes
UseKeychain yes
ForwardAgent yes

If the first server I am connecting to already authenticates with KEY_1.pem the others do not get added to the ssh-agent. To achieve that I had to switch the order to:

Host *
IdentityFile ~/.ssh/KEY_2.pem
IdentityFile ~/.ssh/KEY_3.pem
IdentityFile ~/.ssh/KEY_1.pem
AddKeysToAgent yes
UseKeychain yes
ForwardAgent yes

which then allowed me to have all 3 identities added to the ssh agent.

So I'd recommend adding a note, that in case you have more than 3 identities, you'll need to use solution number 2.

I would like to make a formal request for a updated version of they wonderfully made and wel thought out little "shin dig" as they say in the lower projects of south queens -101 degrees + 42 lat. +/-24.43m _,,,,,,,,,

           .oIIII888888888888o
        .o88IIIII888888888888Wm
      .o88888III888888888888WMN88.
     d888888888888888888888WMN8888o.
   .d88888888II888888888888MN8888888o.
   888888888888888888II888WMM8888888IIb
  d88888888888888888888888MM888AAIIIIIIb
 .88888888888888888888888W8M8IIIIIUU8888b
 8888888888888888888888P dP`8888888888888.
I888888888888888888888P I I YI888888888888
88888888888888888888P'    Ib Y888888888888
8888888888888888888"      d' `"8"88888WWWW
"8888888" """             '       YMMMMMMP
 WWWP                             `MMMMMM
 MMM  _,,_             .o88888o.   IMMMM'
 IMM 8*""*88b         "Y"'         IMMM~`.
 `YM     ,oo,`:.       ,`db`-.     `MP ~.|
 ( Y,  .'`YP b ::       "YY"~'      P.  ||
 `,`"   ~~~~'  ::                  |  ` ||
  ||A          ::                  | .' ||
  ||;Y         :'                  |'    /
  `. |       .'"     `.~`.         |   _'
   `.|       ;.-.  ,-.'   \        |`-'
     `:.    /    ""        \      .'
      |:   |._         _.-'|\     |
      `:.  `\ `"""--""'          .|
       `::.  \     __           .:|
         \:.  \   '            ::'|
          \:.                .::' |
          |:..             .::'   |
          |`::.          .::'     |
          |  `::..    ..::'       |
          `.   `::::::::'         |
           |      `"""'           |

It looks like from http://testequals.com/2016/09/09/macos-sierra-10-12-ssh-keys/ Update 2, that this is now all that is needed to add keys back to the Keychain:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/[your-private-ssh-key-name]
``

Just in case anyone comes across this, I have found that I had to delete my old keychain entries with ones that referenced their absolute paths. e.g.

ssh-add -d -K .ssh/keyfile
ssh-add -K /Users/me/.ssh/keyfile

I can neither run ssh-add -K nor -A, both throw "illegal option".

If you are seeing the "Bad configuration option: usekeychain" error during a git command, it may be because Git isn't running the Apple-installed version of SSH. To ensure that you know which version of ssh is called from git, set an environment variable:

GIT_SSH="/usr/bin/ssh"

More generally, any wrapper of SSH could cause this kind of error. So I'd suggest checking which SSH binary is actually called.

Can't the same effect be accomplished by just specifying this at the top of the config file:

AddKeysToAgent=yes
UseKeychain=yes

Seems to be working for me, even though I haven't rebooted yet.