Automatically add SSH keys to SSH agent with GNOME and macOS

I use key-based (password-less) SSH login on every box that I administer.
Of course, my private SSH key is protected with a passphrase that must be supplied whenever the key is used.
Modern desktop operating systems hook ssh-agent into the user session to "link" the user account to the SSH key(s), so that the key is unlocked as soon as the user logs in. This avoids nagging the user for the key passphrase every time the key is needed. The trade-off is that anyone who can reach the agent socket in that session can use the key, so the protection of the key becomes that of the login session rather than the passphrase.
In my case, I am running GNU/Linux with GNOME and macOS:

  • GNOME, via its Keyring, supports automatic unlocking of SSH keys upon user login. Starting from GNOME 3.28, ed25519 keys are supported as well as RSA keys (I do not use any other type of SSH key). To add a key, just invoke ssh-add with the key path:
ssh-add ~/.ssh/[your-private-key]

You will be prompted for the key passphrase once. It is stored in the GNOME Keyring (the login keyring, unlocked with your login password). If you later change the key passphrase, the stored copy no longer matches and you will be prompted again: re-run ssh-add to store the new one.

  • macOS can store your SSH key passphrase in the Keychain. You can add your key(s) with:
ssh-add -K ~/.ssh/[your-private-key]
(On macOS Monterey and later the Apple-specific -K flag is deprecated in favour of the equivalent --apple-use-keychain.)

Starting from macOS Sierra (10.12.2), though, ssh no longer loads Keychain-stored keys into the agent on its own, so to have the key picked up again after a reboot you also need to add the following to your ~/.ssh/config:

Host *
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/[your-private-key-rsa]
  IdentityFile ~/.ssh/[your-private-key-ed25519]

Now, if you share the same ~/.ssh/config file between GNU/Linux and macOS you run into an error: ssh on Linux has no way of knowing about the UseKeychain option (it is compiled only into Apple's ssh) and refuses to parse the file.
A special directive, IgnoreUnknown, comes to the rescue. It must be listed before the option it is meant to ignore, since it is not applied to unknown options that appear earlier in the file:

IgnoreUnknown UseKeychain
UseKeychain yes

My ~/.ssh/config ends up looking like this:

Host *
  IgnoreUnknown UseKeychain
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_rsa
  IdentityFile ~/.ssh/id_ed25519
  Compression yes
  ControlMaster auto
[...]
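As an added example (not the author's own script), the whole procedure can be wrapped in a small shell helper: it picks the right ssh-add flags for the running OS, skips keys whose fingerprint is already in the agent, and checks that a shared ~/.ssh/config declares IgnoreUnknown before UseKeychain. The config check is a simplification: it only recognises the literal keyword UseKeychain in the IgnoreUnknown pattern list and ignores Host blocks and the keyword=value syntax. The sample configs it runs against are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example for this page, not the author's code: load SSH keys into the
# agent with OS-appropriate ssh-add flags and sanity-check the shared config.
set -u

# Print the ssh-add options for a given kernel name (output of uname -s).
# Assumption: the macOS ssh-add in use is Monterey or later and understands
# --apple-use-keychain (older releases only know the now-deprecated -K).
# On Linux, gnome-keyring stores the passphrase when it prompts, so no flag.
ssh_add_flags() {
    case "$1" in
        Darwin) printf '%s' '--apple-use-keychain' ;;
        *)      printf '' ;;
    esac
}

# Succeed (exit 0) only if every UseKeychain line in the given ssh_config file
# is preceded by an IgnoreUnknown line that names UseKeychain. Simplification:
# literal keyword match only, no glob patterns, no Host-block awareness.
config_ignores_usekeychain() {
    awk '
        tolower($1) == "ignoreunknown" {
            for (i = 2; i <= NF; i++) if (tolower($i) ~ /usekeychain/) seen = 1
        }
        tolower($1) == "usekeychain" && !seen { bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Add each key to the running agent unless ssh-add -l already lists its
# fingerprint. Fingerprints come from ssh-keygen -lf on the .pub file when
# present (works for legacy PEM keys too), else on the private key itself.
ssh_load_keys() {
    local flags key pubfile fp loaded
    flags=$(ssh_add_flags "$(uname -s)")
    loaded=$(ssh-add -l 2>/dev/null || true)
    for key in "$@"; do
        [ -r "$key" ] || { echo "skip: $key not readable" >&2; continue; }
        pubfile="$key.pub"
        [ -r "$pubfile" ] || pubfile="$key"
        fp=$(ssh-keygen -lf "$pubfile" | awk '{ print $2 }')
        if printf '%s\n' "$loaded" | grep -qF -- "$fp"; then
            echo "already loaded: $key"
        else
            # shellcheck disable=SC2086  # flags is intentionally word-split
            ssh-add $flags "$key"
        fi
    done
}

# Demo on two constructed configs (not from any real machine): one with the
# directives in the right order, one with UseKeychain before IgnoreUnknown.
demo_config_check() {
    local good bad
    good=$(mktemp) && bad=$(mktemp) || return 1
    printf 'Host *\n  IgnoreUnknown UseKeychain\n  UseKeychain yes\n  AddKeysToAgent yes\n' > "$good"
    printf 'Host *\n  UseKeychain yes\n  IgnoreUnknown UseKeychain\n' > "$bad"
    for f in "$good" "$bad"; do
        if config_ignores_usekeychain "$f"; then
            echo "$f: OK, IgnoreUnknown precedes UseKeychain"
        else
            echo "$f: BAD, Linux ssh would reject this config"
        fi
    done
    rm -f "$good" "$bad"
}

demo_config_check
echo "ssh-add flags for this host: '$(ssh_add_flags "$(uname -s)")'"
# To actually load keys (needs a running agent, prompts for passphrases):
# ssh_load_keys ~/.ssh/id_ed25519 ~/.ssh/id_rsa
```

Run it once to see the config check against the two samples; to use it for real, source the file from your shell profile and call ssh_load_keys with your key paths, which is safe to repeat because already-loaded keys are skipped.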
