Home > Things Mac, TricksAndTips > Leopard finally supporting ssh-agent at login

Leopard finally supporting ssh-agent at login

October 28th, 2007 Leave a comment Go to comments

In previous iterations of the feline OS we had to rely on SSHKeyChain in order to get a working ssh-agent setup that was global to all applications and not only for the current bash instance.

With Leopard the environment variable $SSH_AUTH_SOCK is set automatically, and the ssh-agent is managed by launchd (I think). SSHKeyChain may still prove useful for setting up tunnels, but I see no point in waiting for yet another application to start at login.

If you have been using SSHKeyChain you must remember to go into it's Preferences and Uncheck the "Manage (and modify) global environment variables" ticker, otherwise SSHKeyChain will override the OS settings – even if it's not running.

The actual adding of ssh keys is a bit non-intuitive for people used to doing ssh-add. Just using ssh-add <keyfile>  will only add the keyfile to the current session. If you want to never type your passphrase again, but let ssh-agent get your passphrase from Keychain every time you try to use the ssh key/identoty file you need to have a few things in place:

* Your <identity>.pub must be present in the remote accounts $HOME/.ssh/authorized_keys file

* You may use this syntax from the command line to add the key: ssh -i <identity file> user@host . I guess you may do this from the Keychain Access application in some way too, but I was not able to find out how. There must be a slicker way.

So, I used this command in my terminal to add my "lolcats" private key/identity to my Keychain:

ssh -i lolcats lolcat@hostname.tld

And up came this dialog window, voilá:


Categories: Things Mac, TricksAndTips Tags:
  1. November 5th, 2007 at 15:39 | #1

    You can specify a default identity file to use in your .ssh/config.

    I think something like:
    IdentityFile ~/.ssh/
    Ought to do it.

    There’s more info in man ssh_config

    Thanks for the useful info!


  2. Chris
    November 6th, 2007 at 08:05 | #2

    Actually, if you have your private key in ~/.ssh/id_rsa (and probably identity or id_dsa, but I’ve only tried this with id_rsa) then you can just type:

    ssh servername

    If you have a passphrase on your private key, that dialog pops and you can save the passphrase in your keychain. You don’t need to have an ~/.ssh/authorized_keys nor do you need to specify the -i option every time you use ssh.

    The man pages for ssh-add and ssh-agent haven’t been updated, but if you type:

    ssh-add –help

    you’ll notice some new options, like -k “Add all identities stored in your keychain.”

    This is such a nice new feature of Leopard. Thanks for the info on this!


  3. jumperboy
    December 8th, 2007 at 15:59 | #3

    Actually, the man pages have been updated, but a bug in the Leopard installer prevents the old ones from being deleted when you upgrade, and you see those instead. I’m surprised this hasn’t been addressed in Software Updates, as it seems like a serious bug to me, but you can fix it with a ruby script posted at macosxhints.com:


    Naturally, you should back up your man directory, first.

    Back to topic, I can understand starting ssh-agent when I log in, but why on earth would I want to store my passphrase in the keychain? If someone cracked my login, they would get instant access to any host I connect to with public key authentication, using the known_hosts file as a roadmap. This sounds like a bad practice to me.

  4. Tim B
    December 21st, 2007 at 17:05 | #4

    The known_hosts file isn’t the hole it might seem to be as it contains hashes of the hosts you connect to rather than their names. If you have old entries these can be updated:
    ssh-keygen -H

  5. March 4th, 2008 at 21:37 | #5

    Here’s a gotcha for people who can’t get this working.

    I was struggling to work out why I could not get this working with a new MacBook (which never had SSHKeychain installed).

    The reason: I use MacPorts and had ended up installing OpenSSH via MacPorts (it was a dependency of some other lib). This resulted in a standard, non-keychain support build of ssh in /opt/local/bin, which happened to be listed in my $PATH first. Only when I ran “which ssh” did I realize what had happened.

  6. davide
    March 21st, 2008 at 12:16 | #6

    i am missing the first part?
    is there a “new & standard” way for keypair generation, now that the agent is included in leopard?

  7. Darcy
    April 25th, 2008 at 22:42 | #7

    Big thanks for this post.

  8. Oliver
    November 23rd, 2008 at 19:55 | #8

    I recently migrated my entire account/home directory to a new computer and can’t get the password to be stored any longer

    Quoting from above: “Your .pub must be present in the remote accounts $HOME/.ssh/authorized_keys file”

    I don’t see this file. My .ssh directory only contains the following:

    id_rsa id_rsa.pub known_hosts

    When I type the equivalent of the above command:
    ssh -i lolcats lolcat@hostname.tld

    for my server, the dialogue box doesn’t pop up, and I’m forced to type in the password each time I use ssh.

    Everything worked fine on my old macbook.

    Help would be greatly appreciated!