MacOS – ssh -A stopped working in macOS Sierra and keychain is not unlocked at login

keychainmacospasswordsshterminal

After upgrading, ssh -A no longer works. Uncomment ForwardAgent no line the /etc/ssh/ssh_config and change no to yes does not seems to work. This is extremely annoying. In addition, my Mac is password protected.

Previously, after I login, I never needed to enter the password for ssh once I selected something like "unlock keychain for ssh on login", years ago. I don't remember the exact message. I only needed to do it once for every mac I ever owned. However, it now prompts for password when I need to access ssh id_rsa, such as using git. I deleted the login item in the keychain, and the next time I restarted, try to use ssh, the password prompts appears again, but no prompt asking me if I want the keychain to remember and unlock the key.

Can anyone help or at least explain what changes are made for ssh in the new OS.

Edit
To answer my own question, ssh-add -K seems to do the trick.

Best Answer

It seems that the ssh keys are not loaded by default into ssh-agent.

This solved the issue for me:

Edit your ssh config

vi ~/.ssh/config

Add the following

Host *
    IdentityFile ~/.ssh/id_rsa
    AddKeysToAgent yes
    ForwardAgent yes

Find out more information on reddit discussion: https://www.reddit.com/r/osx/comments/52zn5r/difficulties_with_sshagent_in_macos_sierra/

Related Solutions

MacOS – make unlocking the screensaver also unlock the login keychain

This usually happens when you change your login password without changing your keychain password.

Open Keychain Access
Click Edit -> Change Password for Keychain 'Login'
Match the password to the one you log into the computer with.

If you firmly believe "this is not the problem", please try to delete your keychain and recreate it in order to get the link between the login and keychain to properly function. (thanks @dragon788)

MacOS – Make the password protected SSH key expire or timeout after a while

Rather than tweaking ssh-agent (which now requires silly amounts of hacking), I strongly recommend simply changing the settings on your default (login) keychain. I use the very helpful 'lock on sleep' as well as 'lock after 4 hours' because I don't want prompts unless I'm actually afk.

Open Keychain Access and right-click the login keychain to change settings:

Or if you prefer a commandline:

security set-keychain-settings -lu -t 14400

This will result in at least one extra prompt for unlocking the keychain itself (requiring your login password) as well as the prompt for whichever key you're trying to use... but it beats disabling System Integrity Protection IMO.

Best Answer

Related Solutions

MacOS – make unlocking the screensaver also unlock the login keychain

MacOS – Make the password protected SSH key expire or timeout after a while

Related Question