SSH keys & macOS High Sierra Keychain

I struggled figuring out this little gem. I will spare you my journey to resolution. Suffice to say the process is easier than it seems, and High Sierra will dynamically load the required keys as you access systems.
Here’s a simple post of what worked for me:
0. Don’t execute ‘ssh-add -A’ at any point in this process. A lot of advice recommends this at various steps. It is not needed in my experience.

1. Edit or create $HOME/.ssh/config, adding the following lines:

   Host *
       AddKeysToAgent yes
       UseKeychain yes

   If you already have a config file, add the two lines ending with ‘yes’ to the ‘Host *’ section. If you have different keys for different destinations, specify them in per-host sections, and make sure those sections come before the ‘Host *’ definition (ssh uses the first value it finds for each option). If you don’t know what I’m talking about, these exceptions don’t apply to you.

2. For each of your private keys on your macOS host, do the following from the terminal:

   /usr/bin/ssh-add -K $HOME/.ssh/id_dsa

   … where ‘id_dsa’ is the name of each of your private key files, one file per command. The important part is that the ‘ssh-add’ command needs the full path to the private key file. If you get an error on the ‘-K’ option, try dropping it.

3. Open Keychain Access on your macOS host and search for ssh. The keys you added should be listed with their full paths.

4. From the terminal, execute the following:

   /usr/bin/ssh-add -l

   … to list your keys. It should return none of your keys. This is expected.

5. SSH to a destination host that already has your public key in its $HOME/.ssh/authorized_keys file. It should work.

6. Back on your macOS host, again execute the following:

   /usr/bin/ssh-add -l

   At least one of the keys added above should now be in the list.
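Steps 1 and 2 above, as an added shell example that is not from the original post: it idempotently adds the two keychain directives to a config file (appending a ‘Host *’ section last so per-host sections keep precedence, and leaving the file mode at 600) and loads each private key that has a matching .pub file, dropping ‘-K’ if that option is rejected. The key-loading function assumes Apple’s /usr/bin/ssh-add.

```bash
#!/bin/sh
# Added example (not the original author's script). Assumes macOS ssh-add for load_keys.

# ensure_keychain_config FILE: guarantee FILE has a "Host *" section that
# contains "AddKeysToAgent yes" and "UseKeychain yes". Safe to re-run: a
# directive already present anywhere in the file is left alone.
ensure_keychain_config() {
  cfg="$1"
  [ -f "$cfg" ] || : > "$cfg"
  if ! grep -qiE '^[[:space:]]*Host[[:space:]]+\*[[:space:]]*$' "$cfg"; then
    printf '\nHost *\n' >> "$cfg"        # appended last so earlier per-host sections win
  fi
  for directive in AddKeysToAgent UseKeychain; do
    if ! grep -qiE "^[[:space:]]*${directive}[[:space:]]+yes" "$cfg"; then
      # insert the directive directly under the first "Host *" line
      awk -v d="$directive" '
        { print }
        !done && tolower($1) == "host" && $2 == "*" { print "    " d " yes"; done = 1 }
      ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    fi
  done
  chmod 600 "$cfg"                       # ssh config should not be group/world readable
}

# load_keys DIR: ssh-add -K every private key in DIR that has a .pub sibling,
# retrying without -K when the option is rejected. Prints the number loaded.
load_keys() {
  n=0
  for pub in "$1"/*.pub; do
    [ -f "$pub" ] || continue
    key="${pub%.pub}"                    # full path, as ssh-add -K requires
    [ -f "$key" ] || continue
    if /usr/bin/ssh-add -K "$key" 2>/dev/null || /usr/bin/ssh-add "$key"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}
```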

    This is an imperfect recipe. My MacBook Air is otherwise unavailable so I am working off of memory. I will replicate this on my home Mac Mini and edit this post for accuracy as I go.
