183

I am trying to set up my ssh config on the Mac (Mac OS Sierra 10.12.6) in such a way that it stores the passphrase for my ssh key in the keychain. Previously I could do that with

ssh-add -K ~/.ssh/id_rsa

But recently this doesn't seem to work anymore. Following this article there seems to be a change in the behaviour of the ssh config in Mac OS > 10.12.2 and the recommended way to fix this issue is to add UseKeychain yes to your ssh config. So here's the Host * section of my .ssh/config:

Host *
  Port 22
  ServerAliveInterval 60
  ForwardAgent yes
  IdentityFile ~/.ssh/id_rsa
  AddKeysToAgent yes
  UseKeychain yes

When trying to ssh to a foreign host, I get the following error message:

$ ssh my-host
/Users/USER/.ssh/config: line 16: Bad configuration option: usekeychain

Any ideas why this happens and how I can fix it? Thanks!

Michael Lihs

9 Answers

364

Try to specify another option, namely IgnoreUnknown like below:

Host *
  IgnoreUnknown UseKeychain
  UseKeychain yes

You can find more info about this here.

If you already have an IgnoreUnknown value, use comma separated values

Host *
  IgnoreUnknown AddKeysToAgent,UseKeychain
  AddKeysToAgent yes
  UseKeychain yes

If you have multiple Host configs that use the UseKeychain option, make sure to put

Host *
  IgnoreUnknown UseKeychain

before the first host that uses the option, e.g. put it at the top of the file.

If you do not want to (or cannot) modify your SSH configuration file, you can also pass this option when connecting on the command line:

ssh -o IgnoreUnknown=UseKeychain my-host
ankon
mic4ael
  • 2
    Bypass the config file via `ssh -F /dev/null ...` temporarily, it works for me. – Itachi Sep 06 '18 at 14:40
  • 4
    Adding `IgnoreUnknown UseKeychain` still doesn't work for me, so I removed `UseKeychain yes` altogether and it works. Not sure this is the best approach though. – Hank Chan Oct 12 '18 at 23:51
  • 2
    This solution worked for me but I don't understand why this changed all of a sudden? I am only logging in to my DigitalOcean account. – anjanesh Feb 18 '20 at 04:46
  • I removed all the options and left the Host and IdentityFile. Github says to use those options but they don't work for me either. Thanks. – Natus Drew May 20 '20 at 23:18
  • 8
    Rather than writing "You can find more info about this here.", it would be better to be *specific* on *what* the option does and *why* it would be useful: "If you are sharing your ssh configuration with systems running older versions of OpenSSH that don't understand the UseKeychain option, you can specify the IgnoreUnknown option to keep your configuration compatible with both new and old versions" - https://developer.apple.com/library/archive/technotes/tn2449/_index.html – David J. Jun 16 '21 at 19:06
  • 4
    The Apple docs say that the UseKeychain option was introduced in macOS Sierra 10.12. So *why* (or under what conditions) does this error occur in macOS Big Sur 11.4? – David J. Jun 16 '21 at 19:13
  • 2
    Users of the Nix package manager may see the `Bad configuration option: usekeychain` error. Here is a ticket filed on nixpkgs: https://github.com/NixOS/nixpkgs/issues/15686 ... "Apple ships a patched version of ssh on its system to add a UseKeychain config directive" ... "It would be great if Nix could use this patched version when compiling for Darwin". – David J. Jun 16 '21 at 19:28
  • Worked in my Ubuntu – Juan Lanus Sep 02 '22 at 22:27
  • I had to put `IgnoreUnknown` _above_ the `UseKeychain` option (even within the same host block) – RSHAP Sep 20 '22 at 17:56
  • In my case, the `UseKeychain` option didn't work because I was using the version of OpenSSH installed from **Homebrew, not the built-in version**. You can read more about this here: https://unix.stackexchange.com/a/647990/432138 – Ruslan Jun 25 '23 at 14:48
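The ordering rule from the answer and comments above, as an added example that is not part of the original thread: a small Python model of how a client without Apple's patch walks the config and where it would report `Bad configuration option`. It assumes the client reads the file top to bottom, honours `IgnoreUnknown` only from a `Host` block that matches the target host (first value wins), and checks keywords in every block; `bad_options`, `host_matches` and the sample configs are hypothetical names and constructed data.

```python
import fnmatch

# Keywords the modelled client build does not know (assumption for this
# example: stock OpenSSH without Apple's patch). Lowercase for comparison.
UNSUPPORTED = {"usekeychain"}

def host_matches(patterns, host):
    """Host line matching: a positive pattern must hit, no negated one may."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def bad_options(config_text, host, unsupported=UNSUPPORTED):
    """Return [(line_no, keyword)] that the modelled client rejects for host."""
    ignored = None   # first IgnoreUnknown seen in an active block wins
    active = True    # lines before the first Host apply to every host
    errors = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            active = host_matches(arg.split(), host)
        elif keyword == "ignoreunknown":
            if active and ignored is None:
                ignored = [p.strip().lower() for p in arg.split(",")]
        elif keyword in unsupported:
            # Checked on every line, even inside blocks that do not match.
            if not any(fnmatch.fnmatchcase(keyword, p) for p in ignored or []):
                errors.append((no, keyword))
    return errors

# Constructed sample configs: the option used before / after IgnoreUnknown.
BROKEN = "Host my-host\n  UseKeychain yes\nHost *\n  IgnoreUnknown UseKeychain\n"
FIXED = "Host *\n  IgnoreUnknown UseKeychain\nHost my-host\n  UseKeychain yes\n"

if __name__ == "__main__":
    print(bad_options(BROKEN, "my-host"), bad_options(FIXED, "my-host"))
```

Under the same assumptions, an `IgnoreUnknown` placed only inside a `Host` block whose pattern does not match the target host is never applied, so the option is still rejected.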
78

The accepted answer helped me but did not completely solve my problem because I had multiple options that were bad. Here is an example of what it might look like if you have this issue:

Host *
  IgnoreUnknown AddKeysToAgent,UseKeychain
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa
Dallas Caley
  • Just want to leave this here: I had trouble remotely connecting as well and this turned out to be the problem. The issue was generated by using Bitbucket's Sourcetree tool, which I have uninstalled but left remnants that prevented remote connection – Connor Jul 26 '18 at 16:35
  • Thanks! Worked on MacOS mojave 10.14.6 – brendan Sep 30 '19 at 22:19
  • 4
    Why does this work? I had the same problem and this answer fixed it, but I still don't know why this worked or why I had the problem in the first place .. – Nishant Mehta May 20 '20 at 22:08
1

Instead of ssh-add type ‘open .ssh/id_rsa’ and add it to the keychain

The UseKeychain option never appeared as bad on my config, but I have in the beginning, before any other host, the following

Host *
UseKeychain yes 

Host (...)
Ricardo Mendes
  • 2
    FYI, I think that's the wrong order. If you write it that way, your `*` rules will be ignored. `man ssh_config` says, "Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end." – Telemachus May 15 '20 at 11:14
  • FYI, I've had it like that for almost a decade with dozens of servers and never had an issue. I ssh to so many servers every day. However, if anyone finds a real life issue with that config, maybe that'll be it then. – Ricardo Mendes May 18 '20 at 11:36
1

Just a related note, if your config has multiple Host entries, you should be setting IgnoreUnknown only once at the top of the file - otherwise you get the error Bad configuration option: usekeychain again. For example:

Host *
  IgnoreUnknown UseKeychain
cleison
0

I had a similar issue that was solved by removing the leading space in front of the config, e.g.:

Host *
UseKeychain yes

vs

Host *
  UseKeychain yes
0

The accepted answer didn't work for me, I also had to change the host pattern. I followed GitHub's docs and used:

Host *.github.com
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519

The suggested fix:

Host *.github.com
  IgnoreUnknown AddKeysToAgent,UseKeychain
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519

didn't work. Only after removing the .github.com part did it work:

Host *
  IgnoreUnknown AddKeysToAgent,UseKeychain
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519

No idea why.

kunigami
-1

I just commented out the line and scp/ssh started working for me again.

Bryan
  • 1
    which line? please leave a more meaningful message – Martin Nowosad Apr 05 '21 at 10:48
  • 2
    The OP writes "Any ideas why this happens and how I can fix it? Thanks!", but this answer doesn't answer the *why* nor does it provide a *fix* on how to keep the desired functionality (macOS Keychain integration) without an error. – David J. Jun 16 '21 at 19:04
  • 1
    removing UseKeychain and AddKeysToAgent seems to work fine now, and running `ssh-add -l` yields no identities. not sure why it's working tbh. maybe it won't after a reboot? – Eben Geer Aug 05 '21 at 21:46
-1

It's the capital -K try lowercase -k!!

ssh-add -k ~/.ssh/id_rsa

Enter passphrase for /Users/tom/.ssh/id_rsa:
Identity added: /Users/tom/.ssh/id_rsa (/Users/tom/.ssh/id_rsa)
Tomachi
  • 2
    `ssh-add` does have `-K` option at least on macOS. `man ssh-add`: `-K When adding identities, each passphrase will also be stored in the user's keychain. When removing identities with -d, each passphrase will be removed from it.` – uasi Nov 18 '19 at 07:42
-1

I had the same issue and I realized that when I started to generate the key by following the instructions. The first step is this.

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

I didn't change the email address but of course I have forgotten to do that :D. So make sure to not forget that step and all will be fine.

Michael Lihs
Mohammed Ramadan