I use passwordless (public-key) login via SSH on every box that I administer.
Of course, my private SSH key is protected with a passphrase that must be provided whenever the key is used.
Modern desktop environments use ssh-agent to "link" the user account to the SSH key(s): the key is unlocked as soon as the user logs in and the decrypted key stays in the agent for the rest of the session. This avoids nagging the user for the key passphrase every time the key is needed (the trade-off being that anyone with access to the unlocked session can use the key, which is exactly what I want on my own workstations).
In my case, I am running GNU/Linux with GNOME and macOS:
- GNOME, via its Keyring, supports the automatic unlocking of SSH keys upon user login. Starting from GNOME 3.28, ed25519 keys are supported as well as RSA keys (I do not use any other type of SSH key). To add a key, invoke ssh-add with the key path:
ssh-add ~/.ssh/[your-private-key]
You will be asked for the key passphrase. It is then stored in the GNOME Keyring (remember to add the key again if you change the passphrase, otherwise the stored one will silently stop working!).
- macOS supports storing your SSH key passphrase in the Keychain. You can add your key(s) with:
ssh-add -K ~/.ssh/[your-private-key]
(on recent macOS releases Apple's ssh-add deprecates -K in favour of --apple-use-keychain; the effect is the same.)
Starting from Sierra, though, keys are no longer loaded automatically from the Keychain after a reboot: you need to tell ssh to do it in your ~/.ssh/config by adding:
Host *
UseKeychain yes
AddKeysToAgent yes
IdentityFile ~/.ssh/[your-private-key-rsa]
IdentityFile ~/.ssh/[your-private-key-ed25519]
Note that AddKeysToAgent yes under Host * loads any key you use for any host into the agent for the whole session; if you would rather be prompted, the option also accepts confirm (requires ssh-askpass) or ask.
Now, if you share the same ~/.ssh/config file between GNU/Linux and macOS you will run into an error: how is ssh on Linux supposed to know about the UseKeychain option (which is compiled only into macOS' ssh)? It does not, and it aborts with "Bad configuration option: usekeychain".
A special directive, IgnoreUnknown, comes to the rescue:
IgnoreUnknown UseKeychain
UseKeychain yes
The order matters: IgnoreUnknown only covers unknown options that appear after it, and, like every ssh_config option, only the first IgnoreUnknown value encountered is used, so put a single line listing all vendor-specific options (comma-separated patterns) at the top of the Host * block.
Eventually, my ~/.ssh/config looks like:
Host *
IgnoreUnknown UseKeychain
UseKeychain yes
AddKeysToAgent yes
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_ed25519
Compression yes
ControlMaster auto
[...]
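Because a misplaced IgnoreUnknown only shows up when the Linux box fails to connect, I find it useful to lint the shared file before committing it. The script below is an added example written for this post, not something shipped with OpenSSH: it reproduces ssh's rules (full-line comments, case-insensitive keywords, pattern list with * and ? wildcards, first IgnoreUnknown value wins) and reports any UseKeychain line that is not covered by an earlier IgnoreUnknown. The list of macOS-only keywords and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Portable-config lint for a ~/.ssh/config shared between Linux and macOS.
# Added example for this post; not part of OpenSSH. The keyword list below is
# an assumption (only UseKeychain is covered in the post); extend as needed.
MACOS_ONLY_KEYWORDS="usekeychain"

# lint_ssh_config FILE
#   Prints "LINE: Keyword not covered by IgnoreUnknown" for every macOS-only
#   keyword that Linux ssh would reject, and returns 1 if any was found.
lint_ssh_config() {
    awk -v wanted="$MACOS_ONLY_KEYWORDS" '
        # ssh pattern-list glob ("*", "?") -> anchored awk regex
        function glob_to_re(p,  r) {
            r = p
            gsub(/[.]/, "\\.", r); gsub(/\*/, ".*", r); gsub(/\?/, ".", r)
            return "^" r "$"
        }
        function ignored(kw,  i) {
            for (i = 1; i <= nign; i++) if (kw ~ ign[i]) return 1
            return 0
        }
        BEGIN {
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1
            bad = 0; nign = 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            split(line, f, /[ \t=]+/)              # "Keyword value" or "Keyword=value"
            kw = tolower(f[1])
            if (kw == "ignoreunknown") {
                # ssh keeps the first value it sees; later lines are inert
                if (nign == 0) {
                    m = split(tolower(f[2]), pats, ",")
                    for (i = 1; i <= m; i++) ign[++nign] = glob_to_re(pats[i])
                }
                next
            }
            if ((kw in want) && !ignored(kw)) {
                printf "%d: %s not covered by IgnoreUnknown\n", NR, f[1]
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample configs for the demo (not a real ~/.ssh/config).
# "ok" has IgnoreUnknown before UseKeychain; "broken" has them swapped,
# which Linux ssh rejects even though both directives are present.
make_sample_config() {
    case "$1" in
        ok)     printf 'Host *\n  IgnoreUnknown UseKeychain\n  UseKeychain yes\n  AddKeysToAgent yes\n' ;;
        broken) printf 'Host *\n  UseKeychain yes\n  IgnoreUnknown UseKeychain\n  AddKeysToAgent yes\n' ;;
        *)      return 2 ;;
    esac
}

# Usage:  lint_ssh_config ~/.ssh/config && echo "portable"
# Demo:   make_sample_config broken > /tmp/cfg && lint_ssh_config /tmp/cfg
```

On a machine with OpenSSH 6.8 or later you can cross-check the result against ssh itself with `ssh -G -F ~/.ssh/config somehost >/dev/null`, which parses the file without connecting and exits non-zero on a bad option; run it on both platforms, since the lint only knows about the keywords you list.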