One really nice feature of MacOS is the integration of ssh keys with the OS keychain. This allows you to put a password on your ssh private key(s) that will unlock when you log in. Using this feature combined with the ssh agent, you can have a password-protected ssh key and not have to store it on any remote machines or enter the password every time you use it.
First, you generate your key(s) with ssh-keygen as you normally would (if you don’t understand what that is, then stop now, go learn the basics of SSH, then come back here). Once you have the key with the cipher of your choice, you need to add it to the MacOS keychain using the ssh-add command. Apple has added two custom options to the command that allow it to interact with the keychain: --apple-use-keychain and --apple-load-keychain. In previous versions, these were -K and -A, but as of Monterey they are deprecated in favor of the long names.
To add a key to the keychain:
    ssh-add --apple-use-keychain .ssh/id_rsa
It will prompt you for the password you assigned to the key, and store it in the keychain. Then, when you log in to the OS, it will unlock the key for you so you don’t have to type its password anymore. To make sure ssh honors this, create a file called config in your .ssh folder and add at a minimum these lines:
    # This is a MacOS only option that looks for passwords for the keys
    # in the keychain. Ignore if it is an unknown option.
    IgnoreUnknown UseKeyChain
    UseKeychain yes
The IgnoreUnknown option is a feature of the ssh config system that ignores options the version you are running doesn’t know about. That way you can create a portable config file that you can use on other platforms, and it will not complain about UseKeychain if it is not a valid option.
If you plan to use the ssh agent, you can also add the following lines to your config file to load the now unlocked keys into the agent:
    # Search the following identities (keys) and add them to the agent
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/id_rsa
Add an IdentityFile line for each cipher you have a key for and want loaded into the agent. Now you can copy the public part of your identities to your hosts and ssh to them without a password, while the private key stays password protected on disk.
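As an added example (not part of the original post), this shell function checks a config file for the options shown above and flags the one ordering mistake that breaks portability: IgnoreUnknown only applies to options that appear after it. The function name check_ssh_keychain_config and the sample file are constructed for illustration, and it assumes top-level, whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Added example, not from the original post. Lints an ssh client config for
# the keychain/agent setup described above. Assumptions: options are written
# as whitespace-separated "Keyword value" lines at the top level (no
# Host/Match scoping), and IgnoreUnknown wildcard patterns are not expanded.
# check_ssh_keychain_config is a hypothetical helper name.
check_ssh_keychain_config() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }       # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }
        # ssh_config keywords are case-insensitive, so compare in lower case.
        key == "ignoreunknown" && index(tolower($0), "usekeychain") && !ign { ign = NR }
        key == "usekeychain" && !use { use = NR; use_val = val }
        key == "addkeystoagent" && val == "yes" { agent = 1 }
        key == "identityfile" { ids++ }
        END {
            if (!use) { print "MISSING: UseKeychain yes"; bad++ }
            else if (use_val != "yes") { print "VALUE: UseKeychain is not yes"; bad++ }
            # IgnoreUnknown only covers options that appear after it, so a
            # non-Apple ssh rejects a UseKeychain line that comes first.
            if (use && (!ign || ign > use)) {
                print "ORDER: put IgnoreUnknown UseKeychain before UseKeychain"; bad++ }
            if (!agent) { print "MISSING: AddKeysToAgent yes"; bad++ }
            if (!ids) { print "MISSING: no IdentityFile lines"; bad++ }
            exit bad + 0                      # exit status = number of findings
        }
    ' "$1"
}

# Constructed sample: same options as above, but IgnoreUnknown comes too late.
sample=$(mktemp)
cat > "$sample" <<'EOF'
UseKeychain yes
IgnoreUnknown UseKeychain
AddKeysToAgent yes
IdentityFile ~/.ssh/id_ed25519
EOF
check_ssh_keychain_config "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against ~/.ssh/config before copying that file to a non-Mac machine; an exit status of 0 means no findings.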
To preload the keys into your agent, add the following to your zsh or bash profile:
    # Add my keys to the ssh agent; passwords are pulled from the keychain.
    # The --apple-load-keychain option is unique to MacOS.
    ssh-add --apple-load-keychain
If you already have ssh keys you have generated in the past with no password, you might want to add a password to your keys.