Ssh – How to get computer to remember SSH key passphrase between reboots

passwordsshssh-agent

I've found various solutions to cache SSH key passphrases using such methods as ssh-agent, keychain, gpg-agent and so on. They all seem to cache it per-login or per-session, so that every time you reboot your computer, you will have to re-enter your passphrase to SSH (but subsequent SSHs won't ask for the password until you reboot).

I don't want the cache to clear on reboot. I want to enter the passphrase once, and never be asked for it again, even if I turn off my computer. How can I do this?

In case it matters, I'm on Manjaro.

Best Answer

The Gnome keyring can store an SSH passphrase and serve as an SSH agent. Make sure that you are running gnome-keyring with the ssh component; the environment variable SSH_AUTH_SOCK should point to gnome-keyring and not to ssh-agent. The keyring will contain the SSH key, so it doesn't need to be re-read from the key file in ~/.ssh. The keyring is persistent, so adding a key to it survives a reboot. Once you unlock the Gnome keyring, all of its contents including the SSH key are available to applications.

Related Solutions

Ssh-add is not persistent between reboots

The addition of keys to the agent is transient. They last only so long as the agent is running. If you kill it or restart your computer they're lost until you re-add them again. From the ssh-agent man page:

ssh-agent is a program to hold private keys used for public key authentication (RSA, DSA, ECDSA). The idea is that ssh-agent is started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the ssh-agent program. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh(1).

The agent initially does not have any private keys. Keys are added using ssh-add(1). When executed without arguments, ssh-add(1) adds the files ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/identity. If the identity has a passphrase, ssh-add(1) asks for the passphrase on the terminal if it has one or from a small X11 program if running under X11. If neither of these is the case then the authentication will fail. It then sends the identity to the agent. Several identities can be stored in the agent; the agent can automatically use any of these identities. ssh-add -l displays the identities currently held by the agent.

macOS Sierra

Starting with macOS Sierra 10.12.2, Apple has added a UseKeychain config option for SSH configs. You can activate this feature by adding UseKeychain yes to your ~/.ssh/config.

Host *
  UseKeychain yes

OSX Keychain

I do not use OSX but did find this Q&A on SuperUser titled: How to use Mac OS X Keychain with SSH keys?.

I understand that since Mac OS X Leopard the Keychain has supported storing SSH keys. Could someone please explain how this feature is supposed to work.

So from the sound of it you could import your SSH keys into Keychain using this command:

$ ssh-add -K [path/to/private SSH key]

Your keys should then persist from boot to boot.

Whenever you reboot your Mac, all the SSH keys in your keychain will be automatically loaded. You should be able to see the keys in the Keychain Access app, as well as from the command line via:
  ssh-add -l

Source: Super User - How to use Mac OS X Keychain with SSH keys?

SSH – How to Get Asked for SSH Key Passphrase Once and Only When Needed

Don't add anything to any of your shell startup scripts, this is unnecessary hackery.

Instead, add

AddKeysToAgent yes

to your .ssh/config

Like this, ssh-add is run automatically the first time you ssh into another box. You only have to re-enter your key when it expires from ssh-agent or after you reboot.