Technical Note TN2449

OpenSSH updates in macOS 10.12.2

macOS 10.12.2 includes version 7.3p1 of OpenSSH. This technote documents the ssh behavior changes that this update introduces relative to previous macOS versions.


Keychain changes

Prior to macOS Sierra, ssh would present a dialog asking for your passphrase and would offer the option to store it into the keychain. This UI was deprecated some time ago and has been removed.

Instead, a new UseKeychain option was introduced in macOS Sierra that lets users specify whether the passphrase should be stored in the keychain. This option was enabled by default on macOS Sierra, which caused all passphrases to be stored in the keychain.

This was not the intended default behavior, so this has been changed in macOS 10.12.2. To store passphrases in the keychain, set this option in your ssh configuration file:

 UseKeychain yes

This option can be set for all hosts, or for a subset of hosts as desired. For instance, you can configure a development machine like this:

 Host server.example.com
    IdentityFile ~/.ssh/id_rsa
    UseKeychain yes

This will only store the passphrase in the keychain for that specific key.

If you are sharing your ssh configuration with systems running older versions of OpenSSH that don't understand the UseKeychain option, you can specify the IgnoreUnknown option to keep your configuration compatible with both new and old versions, like this:

 IgnoreUnknown UseKeychain
 UseKeychain yes
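The ssh_config manual page notes that IgnoreUnknown is not applied to unknown options that appear before it, so where the line sits matters when a configuration is shared with older systems. The following checker is an added example, not part of the technote or of OpenSSH: it flags UseKeychain lines that are read before an IgnoreUnknown covering them. The function name `audit`, the sample configuration, and the conservative rule that only an IgnoreUnknown at the top of the file, under `Host *`, or under `Match all` counts are assumptions of this example.

```python
import re

# Constructed sample config (not from the technote): the first block uses
# UseKeychain before any IgnoreUnknown line has been read.
SAMPLE = """\
Host server.example.com
    IdentityFile ~/.ssh/id_rsa
    UseKeychain yes

Host *
    IgnoreUnknown UseKeychain
    AddKeysToAgent yes
    UseKeychain yes
"""

OPTION = re.compile(r"([A-Za-z0-9]+)[ \t]*=?[ \t]*(.*)")


def audit(config_text):
    """Return [(line_number, line)] for UseKeychain lines an older ssh may reject."""
    findings = []
    ignore_patterns = None   # first IgnoreUnknown value wins, as for other options
    applies_to_all = True    # True before the first Host/Match and under "Host *"
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION.match(line)
        if not m:
            continue
        key, arg = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            applies_to_all = arg.split() == ["*"]
        elif key == "match":
            applies_to_all = arg.lower() == "all"
        elif key == "ignoreunknown":
            if applies_to_all and ignore_patterns is None:
                # Assumption: literal names only; wildcard patterns are not evaluated.
                ignore_patterns = [p.strip().lower() for p in arg.split(",")]
        elif key == "usekeychain":
            if "usekeychain" not in (ignore_patterns or []):
                findings.append((lineno, line))
    return findings


if __name__ == "__main__":
    for lineno, line in audit(SAMPLE):
        print(f"line {lineno}: '{line}' is read before an IgnoreUnknown that covers it")
```

An empty result means every UseKeychain line is preceded by an applicable IgnoreUnknown; moving the IgnoreUnknown line to the top of the shared file clears the findings.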

Agent changes

OpenSSH will no longer load keys into ssh-agent automatically. This aligns the macOS behavior with that of the upstream OpenSSH project.

It is possible for the user to re-enable loading keys into the agent by setting this option in the ssh configuration file:

 AddKeysToAgent yes

If you have disabled storing the passphrase in your keychain and ssh asks for your passphrase over and over, this is likely the reason: keys are no longer loaded into the agent automatically.

References

ssh manual page

ssh_config manual page

ssh-agent manual page



Document Revision History


Date         Notes
2016-12-20   New document that describes changes to OpenSSH in macOS 10.12.2.