How To Stop macOS Sierra From Remembering Your SSH Key Passphrase


If you’re a systems administrator and you’ve recently upgraded to Apple’s macOS Sierra, you may have noticed that macOS now stores your SSH key passphrase in the Keychain by default, without even giving you the option not to save it. For security reasons this is not recommended: if the private key is on your machine and macOS has saved its passphrase, it wouldn’t be difficult for someone with access to that machine to reach a server you manage.

There is no menu setting anywhere to turn off this behavior. Instead, you have to manually edit the ~/.ssh/config file.

To Prevent macOS Sierra From Remembering Your SSH Key Passphrase

Add the following to your ssh config, ~/.ssh/config (the keyword is UseKeychain; ssh_config keywords are case-insensitive, so the capitalisation does not matter):

Host *
    UseKeychain no
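One caveat worth checking before relying on the block above: ssh uses the first value it obtains for each option, so a "Host *" block appended at the end of the file does not override a UseKeychain line in an earlier, more specific Host block. The following audit script, which is an added example and not part of the original post, reads a config the way ssh does and prints the effective UseKeychain value per host; it assumes simple Host patterns (exact names or a bare "*"), "Keyword value" syntax, and no Match blocks, and the sample config it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Reports the UseKeychain value
# ssh would actually use for a host: keywords are case-insensitive and the
# FIRST value obtained wins, so a trailing "Host *" block only applies where
# no earlier Host block already set the option.
# Assumptions: Host patterns are exact names or a bare "*", options use
# "Keyword value" syntax, and there are no Match blocks.

# effective_usekeychain CONFIG_FILE HOSTNAME  -> prints yes, no, or unset
effective_usekeychain() {
    awk -v target="$2" '
        BEGIN { applies = 1 }                 # lines before any Host are global
        { sub(/^[ \t]+/, "") }                # drop indentation, re-split fields
        $0 == "" || /^#/ { next }             # skip blanks and comments
        {
            key = tolower($1)
            if (key == "host") {              # new block: does it match target?
                applies = 0
                for (i = 2; i <= NF; i++)
                    if ($i == "*" || $i == target) applies = 1
                next
            }
            if (applies && key == "usekeychain" && !found) {
                found = 1; value = tolower($2)   # first obtained value wins
            }
        }
        END { print (found ? value : "unset") }
    ' "$1"
}

# Constructed sample config: a per-host block written earlier already enables
# the keychain, and the "Host *" block from the post was appended after it.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
Host prod.example.com
    UseKeychain yes
    IdentityFile ~/.ssh/id_prod

Host *
    UseKeyChain no
EOF

audit() {
    for h in prod.example.com staging.example.com; do
        printf '%s: UseKeychain=%s\n' "$h" "$(effective_usekeychain "$SAMPLE_CONFIG" "$h")"
    done
}
audit
# prints: prod.example.com: UseKeychain=yes   (earlier block wins; passphrase still saved)
#         staging.example.com: UseKeychain=no
```

Run it against your real file with effective_usekeychain ~/.ssh/config <host>; if any host you care about still reports yes, move the "Host *" block above the per-host entries or fix those entries directly.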

To Delete Previously Saved SSH Key Passphrases

The passphrases seem to be stored in a SQLite database. It appears that macOS Sierra keeps the keychain in a per-user directory matched by ~/Library/Keychains/*/keychain-2.db. You have to purge the identities from the ssh-agent, then delete the rows from the database:

# remove all identities from ssh-agent and their passphrases from the Keychain
ssh-add -D -K
# then delete any remaining stored-passphrase rows from each keychain database
for f in ~/Library/Keychains/*/keychain-2.db; do sqlite3 "$f" "delete from genp where agrp = 'com.apple.ssh.passphrases';"; done

Alternate Method

When you type in your passphrase, Sierra adds it to your Keychain but not to the ssh-agent. If your identity isn’t in ssh-agent, there is no way to manage it with ssh-add. To manage (or remove) your identity from the Keychain, you first need to add it to ssh-agent with ssh-add. Once the identity is in ssh-agent, you can use ssh-add -K -d to remove it from both ssh-agent and the Keychain. If you want your identity to be added to ssh-agent every time you use ssh, add this line to your ~/.ssh/config file:

AddKeysToAgent yes
