63

Brief

I attempted to generate an SSH key for my GitHub on a MacBook Pro. Yet I encountered the 'Enter PIN for authenticator' issue when I progressed to the step of adding it to the ssh-agent. The bizarre prompt comes from the following command:

$ ssh-add -K ~/.ssh/id_rsa
Enter PIN for authenticator:

I have no idea what I should type at this prompt. Yet when I typed the following command, everything just worked, as this page revealed.

$ /usr/bin/ssh-add -K ~/.ssh/id_rsa
Identity added: /Users/${user_name}/.ssh/id_rsa (your_email@example.com)

Why does this kind of difference exist? What exactly do you need to type at the 'Enter PIN for authenticator:' prompt?

Some Info

  1. Version information
$ ssh -V
OpenSSH_8.3p1, OpenSSL 1.1.1g  21 Apr 2020

$ sw_vers -productVersion
10.15.6
  2. I generated the key with the ed25519 algorithm.
Scott Hsieh

4 Answers

100

If you use this command

$ ssh-add -K ~/.ssh/id_rsa 

you will be asked to enter the PIN for authentication, so instead of that use

$ ssh-add ~/.ssh/id_rsa
Mohnish
Rohan Patil
  • Using +K worked on my macOS install but this solution worked on my Ubuntu install. Is the variance simply because of the different installs or is there a more in-depth reason? In either case, thank you! – Nick Snyder Jun 19 '22 at 21:38
  • On Raspberry Pi OS (32) removing the -K resulted in a request for the passphrase, which is what I was expecting. I was not expecting to be asked for a PIN! – eklektek Mar 01 '23 at 16:07
32

You have a second (Brew-installed?) ssh-add in your shell's $PATH which is not the same as the Apple version. In the Apple version -K stores the password in your keychain, so you don't have to type it every time. In the non-Apple version -K "Loads resident keys from a FIDO authenticator."

The ssh-add at:

/usr/bin/ssh-add

is the Apple provided one, and will work with -K.

Update for macOS Monterey (v12)

The -K and -A flags are deprecated and have been replaced by the --apple-use-keychain and --apple-load-keychain flags, respectively.

Paul Razvan Berg
Eli
  • Yes! I can confirm. The ssh-add on my PATH is `/usr/local/bin/ssh-add -> ../Cellar/openssh/9.0p1_1/bin/ssh-add` (see `ls -l $(which ssh-add)`). Github has docs that show using `/usr/bin/ssh-add` is possible to fix the problem even if you have both installed: https://docs.github.com/en/authentication/troubleshooting-ssh/error-ssh-add-illegal-option----k – George Pantazes Aug 29 '22 at 15:19
  • The really important thing is to know if your installed version is brew openssh package or the Apple one. `ssh -V` should give you the answer as well. – thoroc Aug 22 '23 at 07:07
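
An added example, not taken from any answer above or from OpenSSH or Apple: it lists every ssh-add on PATH in lookup order and states which meaning of -K applies to the one the shell will actually run. The function names are hypothetical, and treating only /usr/bin/ssh-add on macOS as Apple's build is an assumption based on the answer above.

```shell
#!/bin/sh
# Added example: which ssh-add does the shell run, and what does -K mean for it?

# Print every executable ssh-add in the PATH string $1, in lookup order.
find_ssh_add() {
    old_ifs=$IFS; IFS=:; set -f            # split on ':' without globbing
    for dir in $1; do
        [ -n "$dir" ] || dir=.             # empty PATH entry = current directory
        if [ -f "$dir/ssh-add" ] && [ -x "$dir/ssh-add" ]; then
            printf '%s\n' "$dir/ssh-add"
        fi
    done
    set +f; IFS=$old_ifs
}

# What -K does for the binary at $1 on OS $2 (default: uname -s).
# Assumption: only /usr/bin/ssh-add on macOS is treated as Apple's build.
meaning_of_K() {
    os=${2:-$(uname -s)}
    if [ "$os" = Darwin ] && [ "$1" = /usr/bin/ssh-add ]; then
        printf '%s\n' keychain             # stores the passphrase in the keychain
    else
        printf '%s\n' fido                 # loads resident keys, asks for a PIN
    fi
}

# Keychain flag for Apple's ssh-add given `sw_vers -productVersion` output.
apple_keychain_flag() {
    major=${1%%.*}
    if [ "$major" -ge 12 ]; then
        printf '%s\n' --apple-use-keychain
    else
        printf '%s\n' -K
    fi
}

# Report the binary that wins the lookup and any copies it shadows.
report() {
    found=$(find_ssh_add "${1:-$PATH}")
    [ -n "$found" ] || { echo "no ssh-add on PATH"; return 1; }
    first=$(printf '%s\n' "$found" | head -n 1)
    echo "runs: $first (-K means: $(meaning_of_K "$first" "$2"))"
    printf '%s\n' "$found" | tail -n +2 | sed 's/^/shadowed: /'
}

report "$PATH" || true
```

A "shadowed:" line for /usr/bin/ssh-add on a Mac means a different build is answering the bare `ssh-add` command, which is the situation in the question.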
27

I looked at https://www.ssh.com/academy/ssh/add and found that if we use -k (small k), then it asks for the passphrase that I added during SSH key generation.

For instance, my passphrase while creating the SSH key was Pass@123#. After that, when I execute the command:

$ ssh-add -k ~/.ssh/id_rsa
Enter passphrase for ~/.ssh/id_rsa: (typed here - Pass@123# and press enter)
Identity added: ~/.ssh/id_rsa (xxxxxxx@xxxx.com)
Pravind Kumar
11

As specified by the ssh-add man page, the -K option is:

-K Load resident keys from a FIDO authenticator.

So you basically tell it to use an authenticator.

prosoitos
JPronk
  • So if you have 2FA enabled on your GitHub account, that would refer to the code in the Authenticator (app) that you have set up 2FA with? – thoroc Jun 04 '21 at 10:32