When setting up a passwordless SSH login environment using private and public keys, it is necessary to enter a passphrase for the private key when logging into a remote server via SSH. Although the passphrase only needs to be entered once during a terminal session, it must be re-entered if the session is terminated. To avoid this inconvenience, this article outlines the process for permanently adding the passphrase to an ssh-agent.

For users of macOS and Windows, the passphrase will not be required even after a machine reboot. However, on Ubuntu, the passphrase will only need to be entered once after a reboot. This solution eliminates the need to continually enter the passphrase, making the SSH login process more efficient and user-friendly.

By permanently adding the passphrase to an ssh-agent, the process of logging into a remote server via SSH can be made more convenient. This is particularly useful for those who frequently log into remote servers and prefer a passwordless login environment.

For macOS

Adding private key to macOS keychain

To add the private key to the keychain application, open a terminal and type the following command:

$ ssh-add --apple-use-keychain ~/.ssh/id_rsa
Info. The above command was validated on macOS Monterey 12.4. If it does not work, try ssh-add -K ~/.ssh/id_rsa.

Let ssh-agent always use macOS keychain

Configure .ssh/config as follows:

Host *
    UseKeychain yes
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_rsa

Note: .ssh/config should have permission 644 (ssh refuses a config file that is writable by group or others).

For Ubuntu

Install keychain

Install the keychain using the following command:

$ sudo apt-get install keychain

Keychain manages the ssh-agent by checking whether one is already running and starting it if needed. It lets the agent hold the private key and writes the agent's environment (SSH_AUTH_SOCK, SSH_AGENT_PID) to a file, so that later ssh logins can find the running agent by sourcing that file and connect without asking for the passphrase again.

Let keychain hold private key

Open .zprofile (or .bash_profile) and add the following so that keychain loads the private key into the ssh-agent at login.

...
if [[ $(uname) == Linux ]]; then
    # Start ssh-agent if it is not running and add the key to it;
    # the passphrase is asked for once per boot.
    /usr/bin/keychain $HOME/.ssh/id_rsa
    # Import SSH_AUTH_SOCK/SSH_AGENT_PID. keychain names this file after the
    # host; $(hostname) works in both bash and zsh, whereas $HOST is zsh-only.
    source $HOME/.keychain/$(hostname)-sh
fi
...

Info. Adding the above in .zshrc or .bashrc also works.

Let ssh-agent always use keychain

Configure .ssh/config as follows:

Host *
    IgnoreUnknown UseKeychain
    UseKeychain yes
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_rsa

Info. On Ubuntu only the IdentityFile property is actually needed; UseKeychain is kept so the same file also works on macOS. Because UseKeychain is not a known option on Ubuntu, the IgnoreUnknown UseKeychain line is added before it to prevent the "Bad configuration option" error it would otherwise cause.
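The macOS and Ubuntu config sections above both depend on two details that are easy to get wrong: the IgnoreUnknown line has to come before UseKeychain, and the file must not be group- or world-writable. The following shell script is an added example written for this article, not code from the article or from OpenSSH; the function and file names are my own, and the sample configs it writes are constructed for the demo. It checks an ssh client config for both conditions and, when an ssh client is installed, asks ssh itself to parse the file with ssh -G.

```shell
#!/bin/sh
# Added example: sanity-check an ssh client config for the two things the
# keychain setup depends on.
#  1. UseKeychain is a macOS-only keyword. On Linux, ssh rejects it with
#     "Bad configuration option" unless an "IgnoreUnknown UseKeychain" line
#     appears BEFORE it in the file, so order matters.
#  2. ssh refuses a user config that is group- or world-writable, so the
#     mode must be 644 or stricter (600 is fine too).
#
# check_ssh_config FILE -> returns 0 when both checks pass, 1 otherwise,
# printing one line per problem found.
check_ssh_config() {
    cfg="$1"
    rc=0

    # Check 1: UseKeychain must be covered by an earlier IgnoreUnknown line.
    # Keywords are case-insensitive in ssh_config, and IgnoreUnknown takes a
    # comma-separated pattern list, so any field mentioning usekeychain counts.
    order=$(awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "ignoreunknown" {
            for (i = 2; i <= NF; i++) if (tolower($i) ~ /usekeychain/) ignored = 1
        }
        tolower($1) == "usekeychain" && !ignored { print "BAD"; exit }
    ' "$cfg")
    if [ "$order" = "BAD" ]; then
        echo "$cfg: UseKeychain appears before IgnoreUnknown UseKeychain"
        rc=1
    fi

    # Check 2: no write bit for group or others. GNU stat first, BSD/macOS
    # stat as the fallback. The mode is an octal string such as 644; a write
    # bit is set when the group digit (second from the end) or the other
    # digit (last) is one of 2, 3, 6, 7.
    mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
    case "$mode" in
        *[2367]|*[2367][0-7])
            echo "$cfg: mode $mode is group/world writable (expected 644 or stricter)"
            rc=1 ;;
    esac

    return $rc
}

# Optional check 3: let ssh itself parse the file. "ssh -G" evaluates the
# config for a host without connecting; an unknown keyword makes it exit
# non-zero. Returns 0 (skipped) when no ssh client is installed.
ssh_parses_config() {
    command -v ssh >/dev/null 2>&1 || return 0
    ssh -G -F "$1" localhost >/dev/null 2>&1
}

# Writes a constructed sample config to $1 with mode $2. $3 = "good" puts
# IgnoreUnknown first as the article does; "bad" omits it. Sample data only.
write_sample_config() {
    if [ "$3" = "good" ]; then
        printf 'Host *\n    IgnoreUnknown UseKeychain\n    UseKeychain yes\n    AddKeysToAgent yes\n    IdentityFile ~/.ssh/id_rsa\n' > "$1"
    else
        printf 'Host *\n    UseKeychain yes\n    AddKeysToAgent yes\n    IdentityFile ~/.ssh/id_rsa\n' > "$1"
    fi
    chmod "$2" "$1"
}

# Demo on constructed files in a temp dir; for real use run
# check_ssh_config "$HOME/.ssh/config".
demo() {
    dir=$(mktemp -d)
    write_sample_config "$dir/good" 644 good
    write_sample_config "$dir/bad" 666 bad
    for f in "$dir/good" "$dir/bad"; do
        if check_ssh_config "$f" && ssh_parses_config "$f"; then
            echo "$f: OK"
        fi
    done
    rm -rf "$dir"
}

demo
```

The ordering check is deliberately done with awk rather than by relying on ssh -G alone, because on macOS UseKeychain is a known keyword and ssh there will accept a file that later breaks on Ubuntu; the awk pass catches that before the file is copied between machines.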

For Windows

Enable the ssh-agent service

  1. Press the windows key, then search and open the Services app.
  2. Find the OpenSSH Authentication Agent service in the list.
  3. Right-click on the service and click Properties.
  4. Set the startup type to Automatic, and click Apply.
  5. Click the Start button to change the service status to Running.
  6. Click the OK button and close the Services app.

Add private key to the ssh-agent

Open PowerShell and type the following command:

> ssh-add .ssh\id_rsa

Info. The .ssh folder is usually located under C:\Users\[USER_NAME]\.

