Can't login ssh without password even after ssh-copy-id

For the past months, I’ve been scratching my head as to why ssh without password is no longer working. It worked flawlessly before and it works on the root account now, but does not on the admin account or my own account with admin privileges. I’ve tried resetting the keys and recopying the keys, but they still don’t work. I thought it might be a permission thing I messed up somewhere, but even after changing permissions on the authorization keys, it still asks for password, which is very annoying, especially when it used to log straight in. This stopped working after some update, but I’m not sure if it’s related to the update or not. Also, the reason I use ssh Synology is that I have an ssh config set up, but the normal ssh login method also asks for password, so this is not the issue. Any help is appreciated!

Host Synology
    Hostname 192.168.1.10
    User Tama 

I had the same problem: it’s due to Apple Security Porn. The keys need to be in your keychain for passwordless SSH to work. Problem is: you can’t just add them and forget about it. They need to be added after every login (or reboot?). Apple Extended Security Porn. So you need a login shell script which you can auto-run with a LaunchAgent. (Everyone with a NAS/server should have a login shell script imho, if only to auto-mount the remote volumes.) In that agent script, you add everything you want to execute after login, plus this one line:

timeout 5 ssh-add --apple-use-keychain "$HOME"/.ssh/foo 2>/dev/null &

foo is a placeholder for the filename of your SSH private key; if the filename contains whitespace characters, put the filename in double quotes as well.

timeout isn’t part of POSIX macOS, but you can install it e.g. with Homebrew as part of the GNU Core Utilities: brew install coreutils

PS (edit): if the above will be your only command in the shell script, add a sleep 10 to the start of the script, and remove the & at the end of the main command’s line. (This is to ensure that [a] the keychain is unlocked in time before your command executes, and [b] the ssh-add command isn’t terminated if the script exits prematurely.)

2 Likes

Good to know, I have not seen this before!

Thanks for the reply! I wasn’t aware that the keys need to be in keychain. However, even after removing and recreating all the .ssh files on both my NAS and my MacBook, and running the commands you gave to add the keys to keychain, it still asks me for passwords. Am I running the commands wrong? I know it’s supposed to be a script, but running it directly should work as well? I tried both commands you gave, as well as replacing “foo” with my private key “id_rsa” (I think?). Should I add other keys as well?

I’m very interested in this option but not sure how to set up a LaunchAgent. Can you provide me with example file and how to set it up for auto launch? Auto-mounting the remote volumes would be great too, as it has been annoying to reconnect every time. I did create a small script and tried both commands, and as expected, they do not work either. I might be creating the script or running it wrong – can you please elaborate? I don’t know too much about creating a shell script.

Manually in Terminal it should just be

ssh-add --apple-use-keychain "$HOME"/.ssh/id_rsa

In a login shell script it would be a bit more complex, e.g.

#!/bin/zsh

export LANG=en_US.UTF-8
export PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/opt/homebrew/bin:/opt/homebrew/sbin:/opt/local/bin:/opt/local/sbin:"$HOME"/.local/bin:"$HOME"/.local/sbin

coreutilsinstalled=false
command -v timeout &>/dev/null && coreutilsinstalled=true

sleep 10 # sleep not necessary if several other commands are executed before this line

if $coreutilsinstalled ; then
	timeout 5 ssh-add --apple-use-keychain "$HOME"/.ssh/id_rsa
else
	ssh-add --apple-use-keychain "$HOME"/.ssh/id_rsa
fi

exit

Thanks for the help so far, I’ve tried everything and it still keeps asking me for password, both typing into the terminal manually and using the script. I’ve even added IdentityFile to my config and still same result.

Host Synology
    Hostname 192.168.1.10
    User Tama
    IdentityFile ~/.ssh/id_rsa

I was able to generate log with ssh -v Synology however. I hope this could help to identify what the problem is, as I’m not sure myself.

OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/tama/.ssh/config
debug1: /Users/tama/.ssh/config line 1: Applying options for Synology
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 192.168.1.10 [192.168.1.10] port 22.
debug1: Connection established.
debug1: identity file /Users/tama/.ssh/id_rsa type 0
debug1: identity file /Users/tama/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2
debug1: compat_banner: match: OpenSSH_8.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.1.10:22 as 'Tama'
debug1: load_hostkeys: fopen /Users/tama/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:Igp5U38srFQnYMCKG0aFmhO4rsAwTeLKHauHxmBLiMA
debug1: load_hostkeys: fopen /Users/tama/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.1.10' is known and matches the ED25519 host key.
debug1: Found key in /Users/tama/.ssh/known_hosts:3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: /Users/tama/.ssh/id_rsa RSA SHA256:e3V9lFNSp4VE9mkEwIA4dLtX1wmm+rVzvi8YbJhJj+c explicit agent
debug1: Will attempt key: [email protected] RSA SHA256:xWbY3koRZmx1bbQP/iC/3eAs+Bkr0VevJNI3W6DbG9Q agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/tama/.ssh/id_rsa RSA SHA256:e3V9lFNSp4VE9mkEwIA4dLtX1wmm+rVzvi8YbJhJj+c explicit agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: [email protected] RSA SHA256:xWbY3koRZmx1bbQP/iC/3eAs+Bkr0VevJNI3W6DbG9Q agent
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
[email protected]'s password: 
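The log above shows the client offering both agent keys and the server answering each with "Authentications that can continue" before falling back to password, so the rejection is on the server side. The following script is an added example, not from this thread: it classifies such a transcript and checks the three paths sshd inspects under its default StrictModes yes (home directory, ~/.ssh, authorized_keys), which sshd silently ignores when any of them is group- or world-writable (the server's auth log then reads "Authentication refused: bad ownership or modes"). The fixture log excerpt and the fake home directory are constructed; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: server-side triage for the failure shown in the
# ssh -v log above (keys offered, none accepted, fallback to password). With the sshd
# default StrictModes yes, authorized_keys is ignored if $HOME, ~/.ssh or the file
# itself is writable by group or others.

# Octal permission bits of a path; GNU stat first, BSD/macOS stat as fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# Report paths under home dir $1 that StrictModes would reject; prints "ok" when all pass.
check_authorized_keys_perms() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; bad=1; continue; }
        m=$(mode_of "$p")
        o=${m#"${m%?}"}; g=${m%?}; g=${g#"${g%?}"}   # other and group permission digits
        case "$g$o" in *[2367]*) echo "group/other-writable: $p ($m)"; bad=1 ;; esac
    done
    [ "$bad" -eq 0 ] && echo ok
    return "$bad"
}

# Classify an ssh -v transcript: "accepted", "rejected:<keys offered>" or "unknown".
classify_ssh_log() {
    if grep -q 'Server accepts key:' "$1"; then echo accepted; return 0; fi
    if grep -q 'Next authentication method: password' "$1"; then
        echo "rejected:$(grep -c 'Offering public key:' "$1" || true)"; return 1
    fi
    echo unknown; return 2
}

# Constructed fixtures: an excerpt of the log above and a fake home with a 775 directory.
work=$(mktemp -d); demo_log=$work/ssh.log; demo_home=$work/home
cat >"$demo_log" <<'EOF'
debug1: Offering public key: /Users/tama/.ssh/id_rsa RSA SHA256:... explicit agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: second-key RSA SHA256:... agent
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF
mkdir -p "$demo_home/.ssh"; touch "$demo_home/.ssh/authorized_keys"
chmod 775 "$demo_home"; chmod 700 "$demo_home/.ssh"; chmod 600 "$demo_home/.ssh/authorized_keys"

classify_ssh_log "$demo_log" || :              # rejected:2 -> look at the server side
check_authorized_keys_perms "$demo_home" || :  # group/other-writable: .../home (775)
chmod 755 "$demo_home"                          # remove the group write bit
check_authorized_keys_perms "$demo_home"        # ok
```

Run it on the NAS as the affected user with `check_authorized_keys_perms "$HOME"` to see which path sshd is rejecting; root is unaffected because its home directory is normally not group-writable.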

That’s strange. Maybe there’s another problem on the Synology side. Have you enabled Home Services in DSM? See here:

Hey, turned out, it was a permission issue on my home directory. This simple fix worked. Thanks for all the help though!

2 Likes

Glad it worked out! 👍

1 Like