SSH dialog: Cannot connect when default key (~/.ssh/id_ed25519) is encrypted
Open 💬 31 comments Opened Feb 19, 2026 by dnguy078
Description
The Claude Desktop SSH connection dialog fails when ~/.ssh/id_ed25519 exists and is passphrase-protected. The dialog's built-in SSH library always tries to parse default key files in ~/.ssh/ and cannot handle encrypted keys, with no way to prompt for a passphrase.
Steps to reproduce
- Have a passphrase-encrypted
~/.ssh/id_ed25519key - Open Claude Desktop → environment dropdown → + Add SSH connection
- Fill in SSH Host (e.g.
user@hostname) and leave Identity File empty - Click Add SSH connection
Expected behavior
The dialog should either:
- Prompt for a passphrase
- Use the SSH agent (which has the unlocked key)
- Respect
~/.ssh/configsettings (IdentityFile,IdentitiesOnly)
Actual behavior
Error: Cannot parse privateKey: Encrypted private OpenSSH key detected, but no passphrase given
Additional observations
- Setting Identity File to an unencrypted ed25519 or PEM RSA key also fails with
Cannot parse privateKey: Unsupported key format - SSH config (
~/.ssh/config/~/.ssh/config.d/) is completely ignored —IdentityFile,IdentitiesOnly, andProxyCommandhave no effect - The only workaround is to temporarily rename
~/.ssh/id_ed25519out of the way so the dialog finds no default key and falls back to the SSH agent
Environment
- macOS (Apple Silicon)
- Claude Desktop (latest)
- Key type: ed25519, OpenSSH format, passphrase-encrypted
31 Comments
Found 2 possible duplicate issues:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
Yeah, this is a frustrating one.
Additional Context: SSH Agent Integration Not Working
Setup
UseKeychain yes,AddKeysToAgent yes, and multiple IdentityFile entriesIssue Reproduction
~/.ssh/1password.bdmorin.id_ed25519.keyCannot parse privateKey: Encrypted private OpenSSH key detected, but no passphrase givenRoot Cause Analysis
Claude Desktop is reading key files directly instead of using the running ssh-agent that already has decrypted keys available. This completely bypasses the infrastructure that's already in place (Keychain, agent, SSH config).
Impact
Expected Fix Priority
This should be high priority because:
Confirmed regression — worked in build 1.1.3189, broken in current builds
I can confirm this bug and have identified it as a regression. It worked the first time I tried it when the feature was introduced and it subsequently stopped working. I downloaded build 1.1.3189 (Feb 17) via Uptodown, launched it offline to prevent auto-update, and was able to connect to an SSH server with no issues. Current builds fail with the same error described in this issue.
Environment
id_ed25519andid_rsa, both loaded and unlocked in macOS ssh-agentssh-add -lconfirms both keys are available$SSH_AUTH_SOCKis identical across all terminals and inside Claude DesktopReal-world consequence: server lockout
This bug caused me to get locked out of a remote server. Because the app repeatedly attempts to authenticate with multiple keys and fails on each one, clicking "Try again" in the error message rapidly burns through the server's
MaxAuthTrieslimit (default 6).Anyone connecting to a server with rate limiting or intrusion detection should be aware that this bug can lock you out.
Summary
| Build | SSH Status |
|-------|-----------|
| 1.1.3189 (Feb 17) | ✅ Works — connects successfully |
| Current builds (1.1.3830+) | ❌ Fails — encrypted key parse error |
The regression was likely introduced somewhere between builds 1.1.3189 and 1.1.3830 (roughly Feb 17–21).
Got the same issue, tried using ssh agent in Powershell, but does not work, but strangely enough, even if I create a new key without password protection, then create a new SSH remote connection with that key, i get the same error message.
The only way to get the new non-password-protected key to work is by uninstalling and reinstalling the windows app.
Got the similar problem as "Cannot parse privateKey: Encrypted private OpenSSH key detected, but no passphrase given Try again" in windows 11, Claude 1.1.4328 (d8e391).
Same issue for Claude 1.1.4498 (24f768) 2026-02-26T19:47:09.000Z on MacOSX
When I connected to mac it said Darwin was not supported.
When I try WSL2 I get
Still a problem. Running Claude 1.1.5368 (d12d02) 2026-03-05T17:29:33.000Z
Error:
Anyone found a workaround yet?
Im planning on installing keys on my hosts that dont have passphrases until its fixed.
Already tried, didn't work for me
Got the same issue on macOS 26.3.1 (25D2128) with Claude 1.1.7203 (034f07) 2026-03-17T17:48:28.000Z.
The only workaround that worked for me was temporarily renaming my default ~/.ssh/id_ed25519, then adding the specific key I actually wanted to use to the SSH agent:
After that, in Claude’s SSH setup I used:
That finally worked for me.
bumping this
it should just work the passphrase protected ssh key that you have added to your keychain agent
On both W11 and Tahoe latest, using 1password and ssh-agent
Claude 1.1.9493 (b58a0b) 2026-03-29T03:33:07.000Z
I am only able to connect with dedicated non password protected keys. I am unable to connect using encrypted keys. Nor will it unlock using decrypted keys loaded in ssh-agent.
It still seems to be broken on Mac OS, can anyone advise me on this?
The workarounds aren't working, the key is already part of the
ssh-addagents+1, waiting for resolution for Intel Macs as well
+1, I cannot use Claude Code (Mac OS) because ssh access with key with passphrase is needed. Is this going to be prioritized?
The workaround from @YanPina was the only way I could get this to work. It doesn't seem to matter at all what you put into the "Identity File" field -- even creating a unencrypted key and explicitly putting the path to that key as the identity file doesn't fix the problem.
If your _default_ key is encrypted, you cannot connect.
Still an issue on macOS
Claude 1.569.0 (49894a)
2026-04-02T20:01:42.000Z
This works great, but this bug should still be fixed as it means we wan't use our default key to connect to anything anymore without going and renaming the file again. Huge pain!
Hey @anthropics, this bug has been active for nearly a month without a response or a fix.
Please prioritize fixing your software, especially since you’ve blocked other agent harnesses for subscribers.
This is very poor customer service.
The issue is a bit more general - Claude Code is trying to read all keys in
~/.sshand fails if any key in the directory is encrypted.Instead of doing...whatever you're currently doing, please use a standard ssh library. OpenSSH is 25 years old, you'll never be able to support all possible workflows (cert authorities, Yubikeys, etc) with an in-house solution.
Confirmed fix for macOS + Tailscale setup (Apr 2026)
Adding a working solution for those still stuck. The core issue for me: the key generated by
ssh-keygenwithout explicit-N ""can be misread by ssh2 as encrypted even when it isn't. Additionally,ssh-copy-idsilently skips installing the new key if your ssh-agent has an old key cached that's already in the remote'sauthorized_keys.Environment: MacBook Air (client) → Mac mini over Tailscale, Claude Desktop 1.1.8629, Claude Code CLI 2.1.109
Prerequisites first
claudeis in PATH for non-interactive SSH on the remote (the app spawns a non-login shell). If it's in~/.local/bin, terminal SSH works but the Desktop app can't find it. Fix on the remote machine:``
bash
`echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshenv
ssh user@remote 'claude --version'` — must work before touching the Desktop app.Verify:
claude /loginon the remote.The fix (run on client/laptop)
The
-f -iflags onssh-copy-idare critical — without them, if your ssh-agent has the old key cached and it's already inauthorized_keys, the command silently skips the new key and says "all keys already installed."Desktop app dialog settings
user@100.x.x.x(Tailscale IP — MagicDNS may not resolve correctly in the app's SSH context)~/.ssh/id_ed25519Red herrings that wasted hours
[sessions-bridge] Poll error, backing offinmain.log— unrelated, that's the Remote Control feature polling Anthropic's cloud, not SSHssh user@host 'claude --version'works in terminal, Tailscale isn't the issueHope this saves someone a few hours.
It works for me since this version. No extra configuration for SSH needed.
<img width="432" height="472" alt="Image" src="https://github.com/user-attachments/assets/c177776a-412a-426a-8ddd-df03140953a6" />
I can confirm that it works now using the 1password SSH agent.
Claude for Mac
Version 1.3109.0 (35cbf6)
Same issue on windows 11.
2026-04-17 17:38:03 [info] [SSH2Connection] Skipping identity file ~/.ssh/id_ed25519: Encrypted private OpenSSH key detected, but no passphrase givenClassic, they shout about a new feature everyone wants to use, and then fail to fix the months-long bugs preventing the average developer from using said feature...
Running this powershell export to force node ssh2 to use openssh keys properly:
I can confirm that it works now using standard Mac SSH key agent
Claude for Mac
Claude 1.3109.0 (35cbf6) 2026-04-16T20:32:01.000Z
Confirmed working for encrypted keys in directory.
Still not working for certificate authorities. Specifically, if I have
~/.ssh/key,~/.ssh/key.pub, and~/.ssh/key-cert.pub, Claude doesn't send the cert file to the server.This is an issue because it requires special-casing agent sandboxes to use
authorized_keysinstead ofAuthorizedPrincipalsFile.Additionally, please present the client side error to the user. Currently, Claude only shows "Connection failed. Try again?", which is opaque and requires debugging connection errors on the server side.
2026-04-23 10:01:31 [info] [SSH2Connection] Skipping identity file ~/.ssh/second_id_ed25519: Encrypted private OpenSSH key detected, but no passphrase given
I have already added
second_id_ed25519to ssh-agent and macOS keychain, but It doesn't work : (Works for me too for some time.
I have all the ssh configs related to jump proxy, custom port and so on done in
~/.ssh/configThe ssh keys are encrypted in my 1password vault which is accessible only with the TouchID.