A while ago, I switched to Fish after getting tired of setting up my ZSH after a new system reset (yes, I should backup my config files...). One of the thing I missed however was a proper setup of my ssh agent on session opening. Let's see how to set it up in a few minutes.

What is SSH Agent?

When relying a lot on SSH to log on other machines or to push code using Git (or any other version control system), it starts to be pretty inconvenient to enter your password each time. That's where SSH Agent will help: it is a deamon (process running in the background) that will save your SSH private key and its password in its memory and will enter them for you when opening an SSH session.

While being a very common tool in the Unix world, the version on MacOS has a few additions that allow it to use the system' keychain to store and encrypt your password, increasing the security of your SSH Agent setup.

What is Fish?

Fish is a wonderful Shell with many things ready out-of-the box, making it the most convenient shell I used without having to customise it. If you want to learn more about Fish, there are good articles here on dev.to, and the Fish doc does a good job at presenting it.

Fisher, the plugin manager

Fisher is a simple and convenient plugin manager for Fish. With a single command, you can install new plugins, update them, or remove them, without ever having to change any file. Convenient! Therefore, I recommend to install it to simplify your plugin management.

Like most shells, Fish has quite a few plugin managers. Feel free to pick the one that suits you the best if you already have one. If you use a different plugin manager, you should be able to easily change the command to install the plugin with it.

Enabling SSH Agent at launch

While searching for a way to automatically enable SSH Agent on MacOS, I found that the usual commands you run on most Unix systems are valid but they are not taking advantage of MacOS' keychain. Using the keychain allow decryption of your private' key password when you login while protecting it when you aren't logged thanks to the encryption of the keychain.

The plugin was written and published by nifoc and ensure only a single session of the process is started in your user. I reviewed the code and did not find anything fishy in it, so I decided to use it.

To install it, simply run fisher install nifoc/ssh-agent-macos.fish. This will download the plugin and add its files in the right directories of your fish configuration folder (.config/fish).

To add your SSH key to the agent and save its password in the keychain, run ssh-add --apple-use-keychain. You will be prompted for your password and once entered correctly, it will be saved in your Mac' keychain.

Each time your shell will be opened, the key will be loaded by the agent and made available without having to enter your SSH password every time you use open an SSH session.

Security consideration

As using SSH Agent allows anyone with access to your session to use your SSH key as they want, remember to encrypt the disk of your Mac, add a password to your session (and diable auto-connect), and make sure to lock your session when going away from your computer. We never know what might happen!