Using your keychain with ssh-add on macOS Sierra

You might have noticed that macOS Sierra doesn’t offer to store private key passphrases for SSH in your user keychain anymore. It doesn’t automatically add SSH identities from your keychain, either.

The result: you need to enter the passphrase for each of your SSH keys at least once per session, where previously you could enter it once and never type it again.

Given the security implications of making it too easy to open an SSH session without authenticating yourself, I can’t fault Apple for this. But if you’re a heavy SSH user, you might agree that it’s more painful to work with now.

Thankfully, there is a workaround. I’ve just added this to my ~/.profile file:

if [ "$USER" != "root" ]; then
    # Only proceed if the key is not already loaded in the agent
    if ! ssh-add -l | grep -q 'id_rsa.lkrms'; then
        # Load any identities whose passphrases are already in the keychain
        ssh-add -A
        # Still missing: add the key, prompting once and storing the passphrase in the keychain
        if ! ssh-add -l | grep -q 'id_rsa.lkrms'; then
            ssh-add -K "$HOME/.ssh/Keys/id_rsa.lkrms"
        fi
    fi
fi

Now, every time I open a terminal, the output of ssh-add -l is grepped for id_rsa.lkrms. If it’s missing, ssh-add -A is called to add SSH identities from my keychain. If id_rsa.lkrms still hasn’t appeared, I will be prompted for my passphrase, and it will be stored in my keychain for future use.
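As an added example (not code from the original post), here is the same ~/.profile logic generalised to any number of keys and matched on each key’s SHA256 fingerprint instead of a filename substring, so a similarly named key such as id_rsa.lkrms.old cannot satisfy the check. It assumes a matching .pub file sits beside each private key; the sample agent listing and its fingerprints are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ssh-add -l -E sha256` output; fingerprints are made up.
SAMPLE_AGENT_LIST='4096 SHA256:AAAAexample1111111111111111111111111111111111 /Users/me/.ssh/Keys/id_rsa.lkrms (RSA)
256 SHA256:BBBBexample2222222222222222222222222222222222 other@example (ED25519)'

# fingerprint_loaded LISTING FINGERPRINT
# Returns 0 if FINGERPRINT appears as a whole field (column 2) of LISTING, 1 otherwise.
# Exact field comparison avoids substring false positives (a grep for
# id_rsa.lkrms would also match id_rsa.lkrms.old).
fingerprint_loaded() {
    printf '%s\n' "$1" | awk -v fp="$2" '$2 == fp { found = 1 } END { exit found ? 0 : 1 }'
}

# key_fingerprint PUBKEY_FILE
# Prints the SHA256 fingerprint of a public key file, e.g. "SHA256:...".
key_fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{ print $2 }'
}

# ensure_key_loaded PRIVATE_KEY_FILE
# The post's three-step logic for one key: check the agent, try the keychain
# (ssh-add -A), then add the key with -K so the passphrase is stored for next time.
ensure_key_loaded() {
    key="$1"
    fp=$(key_fingerprint "$key.pub") || return 1
    [ -n "$fp" ] || return 1
    if fingerprint_loaded "$(ssh-add -l -E sha256 2>/dev/null)" "$fp"; then
        return 0
    fi
    ssh-add -A 2>/dev/null   # load identities whose passphrases are already in the keychain
    if fingerprint_loaded "$(ssh-add -l -E sha256 2>/dev/null)" "$fp"; then
        return 0
    fi
    ssh-add -K "$key"        # prompt once; macOS Sierra stores the passphrase in the keychain
}

# load_my_keys: call this from ~/.profile (assumed key paths; skipped for root).
load_my_keys() {
    [ "$USER" != "root" ] || return 0
    for k in "$HOME/.ssh/Keys/id_rsa.lkrms"; do
        ensure_key_loaded "$k"
    done
}
# In ~/.profile, after sourcing this file:  load_my_keys
```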