If you’re a systems administrator who has recently upgraded to Apple’s macOS Sierra, you may have noticed that macOS now stores your SSH key passphrase in the login Keychain by default, without even giving you the option not to save it. This is a poor default from a security standpoint: the passphrase exists to protect the private key file, and once both the key and its passphrase sit on the same machine, anyone with access to your unlocked session can use the key to reach every server it is authorised for without ever being asked for the passphrase.
There is no menu setting anywhere to turn off this behavior. Instead, you have to manually edit the ~/.ssh/config file.
To Prevent macOS Sierra From Remembering Your SSH Key Passphrase
In the ssh config (~/.ssh/config), add the following:
To Delete Previously Saved SSH Key Passphrases
The passphrases are stored in the login Keychain, which is a SQLite database; on Sierra the keychain files live under ~/Library/Keychains/ (one directory per keychain, each holding a keychain-2.db). First clear ssh-agent and the Keychain with ssh-add, then remove any leftover entries from the database directly. Back up ~/Library/Keychains/ before running the second command: the database is in use by the system’s security daemon, and a bad write can corrupt the login Keychain.
ssh-add -D -K    # -D empties ssh-agent; -K tells Apple's ssh-add to drop the matching Keychain entries too
for f in ~/Library/Keychains/*/keychain-2.db; do sqlite3 "$f" "delete from genp where agrp = 'com.apple.ssh.passphrases';"; done    # genp holds generic passwords; this access group is the SSH passphrases
When you type in your passphrase, Sierra adds it to your Keychain but does not load the key into ssh-agent. ssh-add can only manage identities that are in the agent, so to remove a passphrase from the Keychain you first have to load the identity with ssh-add. Once the identity is in ssh-agent you can use
ssh-add -K -d
to remove it from both ssh-agent and the Keychain (with no key file given, ssh-add -d acts on the default identities in ~/.ssh; pass the path of a key to act on that one only). If you want your identity to be added to ssh-agent every time you use ssh, add this line to your ~/.ssh/config file:
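The two ~/.ssh/config settings that the "To Prevent" section and the paragraph above refer to, as an added example that is not part of the original post. Apple’s OpenSSH build honours a UseKeychain option (added in macOS 10.12.2; the first Sierra releases had no switch at all), which controls whether ssh saves and looks up passphrases in the login Keychain, and the upstream AddKeysToAgent option, which loads a key into ssh-agent the first time it is used. The script below writes UseKeychain no and AddKeysToAgent yes into a Host * stanza at the top of a config file, so ssh’s first-match rule applies them to every host, and it can be re-run without duplicating the stanza. It works on a scratch file; the marker comments, function names and the sample host entry are this example’s own, and you point it at ~/.ssh/config yourself.

```shell
#!/bin/sh
# Added example (not from the original post): manage the Keychain-related ssh
# settings in an ssh_config file in a way that is safe to re-run.
#
# Settings written (the two option names are real; everything else here is
# the example's own choice):
#   UseKeychain no      Apple-specific (macOS 10.12.2+): do not save or look up
#                       the passphrase in the login Keychain
#   AddKeysToAgent yes  upstream OpenSSH: load the key into ssh-agent on first use

BEGIN_MARK='# BEGIN keychain-settings (managed)'
END_MARK='# END keychain-settings (managed)'

# settings_block: print the managed stanza.  It goes at the top of the file
# because ssh keeps the first value it sees for an option, so a "Host *"
# stanza there applies to every host and cannot be overridden further down.
settings_block() {
    printf '%s\n' "$BEGIN_MARK"
    printf 'Host *\n'
    printf '    UseKeychain no\n'
    printf '    AddKeysToAgent yes\n'
    printf '%s\n' "$END_MARK"
}

# apply_settings FILE: rewrite FILE with the managed stanza first, dropping any
# earlier copy of it and keeping everything else, then lock the mode to 0600.
apply_settings() {
    file=$1
    tmp=$(mktemp) || return 1
    settings_block > "$tmp"
    if [ -f "$file" ]; then
        awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
            $0 == b { skip = 1; next }
            $0 == e { skip = 0; next }
            !skip   { print }
        ' "$file" >> "$tmp"
    fi
    ( umask 077; cat "$tmp" > "$file" ) || return 1
    rm -f "$tmp"
    chmod 600 "$file"
}

# managed_value FILE KEY: the value a "Host *" (or top-level) line gives KEY,
# taking the first match as ssh does.  Host-specific and Match stanzas are
# skipped, so on macOS confirm the live result with: ssh -G somehost
managed_value() {
    awk -v k="$2" '
        BEGIN { global = 1 }
        tolower($1) == "host"               { global = ($2 == "*") }
        tolower($1) == "match"              { global = 0 }
        global && tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# block_count FILE: how many managed stanzas FILE contains (should stay at 1).
block_count() {
    grep -c -x -F "$BEGIN_MARK" "$1"
}

# Demo on a scratch file with a constructed host entry; to change the real
# config run: apply_settings "$HOME/.ssh/config"
demo=$(mktemp)
printf 'Host build\n    HostName build.example.com\n    User deploy\n' > "$demo"
apply_settings "$demo"
apply_settings "$demo"   # second run must not duplicate the stanza
printf 'UseKeychain=%s AddKeysToAgent=%s blocks=%s\n' \
    "$(managed_value "$demo" UseKeychain)" \
    "$(managed_value "$demo" AddKeysToAgent)" \
    "$(block_count "$demo")"
cat "$demo"
rm -f "$demo"
```

After applying it to the real file, check what ssh will actually use with ssh -G somehost | grep -iE 'usekeychain|addkeystoagent'; -G prints the effective configuration for that host without connecting. With UseKeychain no in place, the passphrase is asked for once per login session and held only by ssh-agent in memory, which is the behaviour the Keychain default replaced. On macOS 12 Monterey and later the ssh-add flags used above are spelled --apple-use-keychain (for -K) and --apple-load-keychain (for -A); -K still works there but prints a deprecation warning.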