Mac OS X 10.12: ssh-agent does not automatically load passphrases on the keychain during startup

Originator: Karoly.Lorentey
Number: rdar://27348363
Date Originated: 14-Jul-2016 04:01 PM
Status: Closed
Resolved: Behaves correctly
Product: OS X
Product Version: Mac OS X 10.12 (16A239j)
Classification: Other Bug
Reproducible: Always

Summary:
In previous versions of macOS, ssh-agent used to remember the passphrases for the keys I added to the keychain with “ssh-add -K <key>”. After a reboot (or logout/login), it automatically picked up the passphrases from the keychain with no extra step.

In Sierra, I have to manually poke the agent to recognize there are passphrases on the keychain.

Steps to Reproduce:
1. Create an ssh key with a passphrase
2. Add its passphrase to the keychain using “ssh-add -K <keyfile>”. It prompts for the passphrase and adds it to the keychain.
3. Enjoy passwordless authentication to GitHub, your servers, etc. (“ssh-add -l” confirms ssh-agent knows about the keys.)
4. Reboot your Mac
5. “ssh-add -l” shows the agent is empty. Applications using SSH authentication do not work or constantly prompt for a passphrase.
6. Run “ssh-add -K <keyfile>” again. It returns immediately without a passphrase prompt, as it finds the correct passphrase already on the keychain.
7. SSH authentication now works fine.

Expected Results:
The agent should automatically load keys whose passphrases it can access on the keychain.

Actual Results:
I need to manually poke the agent after each logout/login.

Regression:
This used to be automatic before the Sierra betas. On one of my secondary Macs running El Capitan, ssh-agent still remembers SSH keys across reboots, with no special configuration (as far as I can tell).

Notes:

Here is a metadata dump of the two passphrase entries on my keychain. Keychain Access shows that their ACLs always allow access to “ssh-agent”, “ssh-add” and “ssh”.

$  security find-generic-password -s "SSH" -a "/Users/lorentey/.ssh/id_rsa" 
keychain: "/Users/lorentey/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="SSH: /Users/lorentey/.ssh/id_rsa"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="/Users/lorentey/.ssh/id_rsa"
    "cdat"<timedate>=0x32303130303932343138333830345A00  "20100924183804Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>=<NULL>
    "gena"<blob>=<NULL>
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303130303932343138333830345A00  "20100924183804Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="SSH"
    "type"<uint32>=<NULL>

$  security find-generic-password -s "SSH" -a "/Users/lorentey/.ssh/git-fusion"
keychain: "/Users/lorentey/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="SSH: /Users/lorentey/.ssh/git-fusion"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="/Users/lorentey/.ssh/git-fusion"
    "cdat"<timedate>=0x32303133313131353130353430335A00  "20131115105403Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>=<NULL>
    "gena"<blob>=<NULL>
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303133313131353130353430335A00  "20131115105403Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="SSH"
    "type"<uint32>=<NULL>

Comments

Not sure if this is related to FileVault being enabled, but I don't have anything after reboot:

$ /usr/bin/ssh-add -K id_rsa

$ reboot

$ /usr/bin/ssh-add -A

$ /usr/bin/ssh-add -l

The agent has no identities.

Apple Developer Relations, 12-Aug-2016 10:13 PM

Engineering has determined that this issue behaves as intended based on the following information:

That’s expected. We re-aligned our behavior with the mainstream OpenSSH in this area.

You can fix this pretty easily by running ssh-add -A in your rc script if you want your keys to always be loaded.

By Karoly.Lorentey at Sept. 14, 2016, 2:22 p.m.
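As an added example (not from the report or from Apple's reply): a guarded version of the "ssh-add -A in your rc script" workaround suggested above, which checks the agent's state first so that a new login shell loads keychain-backed keys only when the agent is reachable and empty. The SSH_ADD variable and the function names are this example's own convention, not ssh-add features.

```shell
# Guarded keychain load for a login rc file (~/.bash_profile, ~/.zprofile).
# Hypothetical helper, not part of macOS: it runs "ssh-add -A" only when the
# agent is reachable and currently empty, so repeated shells never re-add keys
# that are already loaded or hammer the keychain when no agent is running.

# Path to ssh-add; overridable so the logic can be exercised against a stub
# (this variable is the script's own convention, not an ssh-add option).
SSH_ADD="${SSH_ADD:-/usr/bin/ssh-add}"

# Classify the agent from the exit status of "ssh-add -l". Per the ssh-add man
# page: 0 = identities listed, 1 = the command failed (here: no identities),
# 2 = cannot contact the agent. Prints one of: loaded, empty, unreachable.
agent_state() {
    if "$SSH_ADD" -l >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Load the identities whose passphrases are stored in the keychain, but only
# when the agent is empty. Returns 0 when keys are present afterwards and
# 1 when the agent is unreachable or the load failed.
load_keychain_keys() {
    case "$(agent_state)" in
        loaded) return 0 ;;
        empty)
            # -A: add every identity whose passphrase is on the keychain
            # (the flag Apple's reply recommends).
            "$SSH_ADD" -A >/dev/null 2>&1 || return 1
            return 0 ;;
        *) return 1 ;;
    esac
}
```

Later macOS releases spell the same operation `ssh-add --apple-load-keychain` (and `--apple-use-keychain` for -K); on those systems substitute that flag in the `empty` branch.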
