ssh-add, ssh-agent, OS X keychain



I have been at this long far too long, hopefully someone more familiar with ssh and how it interacts with OS X and the OS X keychain will be able to point me in the right direction.

In short, I am trying to remove my identities from ssh. However, OS X seems to make this a bit mysterious.

From either a cold boot, or the login screen in OS X, open a shell, and initiate an ssh session (ssh user@xxxxxxxxxxx). At this point, my keys kick in, and an OS X secure password dialogue box is presented. I am asked to enter in a password, and have the option to save it in the OS X keychain. I chose to save it.

From that point forward, I can make any ssh login without being pestered for a password. It seems that ssh-agent was started, with the -l argument, which I can find no documentation as to what it does.

ssh-add -l shows that it is had loaded my key just fine.

If I reboot, or logout of my account, since my password has been saved in the OS X keychain, any new ssh attempt will ask me to *unlock my keychain*. ssh-add picks up the remote ssh password from the OS X keychain, and allows me in.

I would like this behavior on wake from sleep. I have managed to get OS X to run a script of my choosing on wake from sleep. However, no command I seem to issue will reset ssh-agent back to the same state it was in pre boot, or just after a user login.

With my ssh data now stored in the OS X keychain, here is a working example:
1) Logout of OS X
2) Login to my account on OS X
3) ssh user@xxxxxxxxxxx
4) Alert: please unlock your keychain

It is near step #1 that I want to mimic in script. I have tried:

launchctl stop org.openbsd.ssh-agent
ssh-add -l still shows me my fingerprint

launchctl unload /path/to/org.openbsd.ssh-agent.plist
launchctl load /path/to/org.openbsd.ssh-agent.plist
Secure password entry form, not the unlock keychain form, asking me if I again want to save a password that already exists in the OS X keychain.

ssh-add -d and ssh-add -D
Secure password entry form, same as above.

I have also sent off kill commands to ssh-agent, which again, gives me a secure password field, but not the unlock keychain request.

So far, the only way I can make this work, is to actually log out or restart. Does anyone know how to restore the state of ssh-agent to how is is just after a logout?
--
Scott * If you contact me off list replace talklists@ with scott@ *