How to fix: macOS keeps asking for the ssh key passphrase after an upgrade or reboot

Last updated January 17, 2017

I recently upgraded my MacOS Sierra and now the ssh command keeps asking for a passphrase as follows when I try to log in to my remote Linux/Unix server:
      Enter passphrase for key '/Users/vivek/.ssh/id_ed25519':
How do I fix the MacOS Sierra upgrade that keeps breaking ssh keys in the terminal?

My MacOS used to remember the ssh passphrase, but now it asks me for it each time I try to log in to my local FreeBSD NAS server or remote Ubuntu server when I type:
$ ssh [email protected]
$ ssh [email protected]

Sample outputs:
Fig.01: My MacOS Sierra does not seem to remember my SSH keys between mac reboots

Let us see how to fix the MacOS Sierra upgrade breaking my SSH keys using various methods.

Method #1: Fix when macOS keeps asking for the ssh passphrase after updating to Sierra or after reboots

You need to use the UseKeychain option in your ~/.ssh/config file. From the ssh_config man page:

On macOS, specifies whether the system should search for passphrases in the user’s keychain when attempting to use a particular key. When the passphrase is provided by the user, this option also specifies whether the passphrase should be stored into the keychain once it has been verified to be correct. The argument must be yes or no. The default is no.

This is the easiest and recommended solution for all users. Edit your ~/.ssh/config file:
$ vi ~/.ssh/config
Append the following line to the Host * section:

UseKeychain yes

Here is my sample file:

Host *
        ServerAliveInterval 10
        ControlPath ~/.ssh/controlmasters/%r@%h:%p
        ControlMaster auto
        ControlPersist yes
        ProtocolKeepAlives 120
        UseRoaming no
        UseKeychain yes

Save and close the file. This should force ssh to remember the key's passphrase in the keychain:
$ ssh [email protected]
$ ssh [email protected]
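
An added example (not from the original post): a shell function that makes the Method #1 edit idempotently, inserting UseKeychain yes under Host * only when that section does not already set it. The function names has_usekeychain and ensure_usekeychain are hypothetical, and the demo runs on a constructed temporary file rather than the real ~/.ssh/config.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Exit 0 if a "Host *" section already contains "UseKeychain yes".
has_usekeychain() {
    awk '
        tolower($1) == "host" || tolower($1) == "match" {
            in_star = (tolower($1) == "host" && NF == 2 && $2 == "*")
        }
        in_star && tolower($1) == "usekeychain" && tolower($2) == "yes" { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Insert "UseKeychain yes" under "Host *" (creating the section if needed).
ensure_usekeychain() {
    cfg=${1:-"$HOME/.ssh/config"}
    [ -e "$cfg" ] || ( umask 077; : > "$cfg" )   # new file is created 0600
    has_usekeychain "$cfg" && return 0           # already set: change nothing
    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    awk '
        tolower($1) == "host" || tolower($1) == "match" {
            in_star = (tolower($1) == "host" && NF == 2 && $2 == "*")
        }
        in_star && tolower($1) == "usekeychain" { next }  # drop e.g. "UseKeychain no"
        { print }
        in_star && tolower($1) == "host" && !added {
            print "        UseKeychain yes"; added = 1
        }
        END {
            if (!added) {
                if (NR) print ""
                print "Host *"; print "        UseKeychain yes"
            }
        }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the file's mode and owner
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed sample file, not the real ~/.ssh/config.
demo=$(mktemp)
printf 'Host *\n        ServerAliveInterval 10\n' > "$demo"
ensure_usekeychain "$demo" && cat "$demo"
rm -f "$demo"
```

UseKeychain is specific to Apple's OpenSSH build, so a config file shared with Linux or BSD clients needs IgnoreUnknown UseKeychain listed before it, otherwise those clients reject the file as containing a bad configuration option.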

Method #2: Use ssh-agent/ssh-add to add all known keys to the SSH agent

The syntax is as follows to use SSH Keys on a Linux / Unix / MacOS System:

##  Create the key pair using ssh-keygen command ## 
ssh-keygen -t rsa
 
## Install the public key using ssh-copy-id command ##
ssh-copy-id -i $HOME/.ssh/id_rsa.pub vivek@server1.cyberciti.biz
 
## Update your shell profile file 
echo 'ssh-add -A 2>/dev/null' >> ~/.bash_profile
 
## Try it now 
eval $(ssh-agent)
ssh-add

Method #3: Use keychain

OpenSSH offers RSA and DSA authentication to remote systems without supplying a password. keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys.

Install keychain as follows:

$ brew install keychain
Sample outputs:

==> Using the sandbox
==> Downloading http://build.funtoo.org/distfiles/keychain/keychain-2.8.3.tar.bz
######################################################################## 100.0%
🍺  /usr/local/Cellar/keychain/2.8.3: 7 files, 106.2K, built in 3 seconds

Append the following code to your shell profile (assuming that you are using the id_rsa file):

echo '/usr/local/bin/keychain $HOME/.ssh/id_rsa' >> ~/.bash_profile
echo 'source $HOME/.keychain/$HOSTNAME-sh' >> ~/.bash_profile

See “keychain: Set Up Secure Passwordless SSH Access For Backup Scripts” for more info.
