Nik Kantar

Wednesday, December 28, 2016

SSH Agent on macOS Sierra 10.12.2

How to make ssh-agent remember passphrases on macOS Sierra 10.12.2.

Two weeks ago Apple released macOS Sierra 10.12.2. Departing from my usual modus operandi, I’ve been lagging this time around, and just updated my work machine this morning, only to find that ssh-agent was no longer remembering my passphrases.

After some confusion, I discovered that 10.12.2 brought updates to OpenSSH that changed some of the relevant behaviors. While this appears to overall be a Good Thing™, it did break my workflow for a bit.

That said, the fix is pretty simple:

# ~/.ssh/config
UseKeychain yes
AddKeysToAgent yes

What’s the Deal?

Two distinct changes were introduced that the above config addresses.

UseKeychain yes tells ssh-agent to store passphrases in the iCloud Keychain. This was the default before, but seemingly unintentionally. When asking for a passphrase, ssh used to present a system dialog that let the user store it in the Keychain, but that UI was deprecated and removed. The UseKeychain option was introduced to make this behavior configurable. It was enabled by default on Sierra, but 10.12.2 disabled it, which was always supposed to be the case.

AddKeysToAgent yes tells ssh-agent to automatically load keys. It’s now disabled by default to match the upstream OpenSSH behavior.

The above (and more) can be found on Apple’s developer site.
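To confirm that the two options really apply to every host after the upgrade, the following added example (not part of the original post) reports the value a config file assigns globally to an option. The function name global_ssh_option and the sample config are hypothetical; the check relies on ssh using the first value it obtains for each option, and it treats only top-level lines and "Host *" blocks as global, ignoring Match and Include.

```sh
#!/bin/sh
# Added example: print the first value an ssh_config file gives an option for
# all hosts (lines before any Host/Match block, or inside a "Host *" block).
# ssh keeps the first value it obtains, so later duplicates have no effect.
global_ssh_option() {  # usage: global_ssh_option <config-file> <Option>
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        BEGIN { global = 1 }               # top of file applies to all hosts
        {
            sub(/^[ \t]+/, "")             # strip indentation
            if ($0 == "" || $0 ~ /^#/) next
            sub(/[ \t]*=[ \t]*/, " ")      # accept "Key=value" and "Key value"
            key = tolower($1)              # keywords are case-insensitive
            if (key == "host")  { global = ($2 == "*" && NF == 2); next }
            if (key == "match") { global = 0; next }
            if (global && key == want) { print tolower($2); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample config: the host-specific "no" must not count as global.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host github.com
    User git
    AddKeysToAgent no

Host *
    UseKeychain yes
    addkeystoagent=yes
EOF

for opt in UseKeychain AddKeysToAgent; do
    echo "$opt: $(global_ssh_option "$sample" "$opt")"
done
rm -f "$sample"
```

Point it at ~/.ssh/config instead of the sample file; a result of "unset" or "no" for either option means the 10.12.2 defaults are still in effect.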