ssh-add, ssh-agent, OS X keychain



I have been at this long far too long, hopefully someone more familiar with ssh and how it interacts with OS X and the OS X keychain will be able to point me in the right direction.

In short, I am trying to remove my identities from ssh. However, OS X seems to make this a bit mysterious.

From either a cold boot, or the login screen in OS X, open a shell, and initiate an ssh session (ssh user@xxxxxxxxxxx). At this point, my keys kick in, and an OS X secure password dialogue box is presented. I am asked to enter in a password, and have the option to save it in the OS X keychain. I chose to save it.

From that point forward, I can make any ssh login without being pestered for a password. It seems that ssh-agent was started, with the -l argument, which I can find no documentation as to what it does.

ssh-add -l shows that it is had loaded my key just fine.

If I reboot, or logout of my account, since my password has been saved in the OS X keychain, any new ssh attempt will ask me to *unlock my keychain*. ssh-add picks up the remote ssh password from the OS X keychain, and allows me in.

I would like this behavior on wake from sleep. I have managed to get OS X to run a script of my choosing on wake from sleep. However, no command I seem to issue will reset ssh-agent back to the same state it was in pre boot, or just after a user login.

With my ssh data now stored in the OS X keychain, here is a working example:
1) Logout of OS X
2) Login to my account on OS X
3) ssh user@xxxxxxxxxxx
4) Alert: please unlock your keychain

It is near step #1 that I want to mimic in script. I have tried:

launchctl stop org.openbsd.ssh-agent
ssh-add -l still shows me my fingerprint

launchctl unload /path/to/org.openbsd.ssh-agent.plist
launchctl load /path/to/org.openbsd.ssh-agent.plist
Secure password entry form, not the unlock keychain form, asking me if I again want to save a password that already exists in the OS X keychain.

ssh-add -d and ssh-add -D
Secure password entry form, same as above.

I have also sent off kill commands to ssh-agent, which again, gives me a secure password field, but not the unlock keychain request.

So far, the only way I can make this work, is to actually log out or restart. Does anyone know how to restore the state of ssh-agent to how is is just after a logout?
--
Scott * If you contact me off list replace talklists@ with scott@ *



Relevant Pages

  • Keychain works on tty, but not in Gnome
    ... I use Keychain to cache my GPG key in order to ssh to various machines ... and requests the passphrase for the key I want to ...
    (Fedora)
  • Re: [opensuse] rsyn and ssh pass
    ... I don't want to have a permanent open ssh from my computer to the ... Or is it possible to have a script ask for a pass and use it four ... install keychain ... openSUSE - SUSE Linux is my linux ...
    (SuSE)
  • Re: using ssh without a password
    ... >> but if I try connecting via ssh it still asks for a password. ... Then as root cat ... startup a ssh-agent (or look into keychain) as user. ...
    (comp.os.linux.networking)
  • ssh/keychain dilemma
    ... But I'm realizing that the way I've been doing it (i.e., having the cron job ssh in using a key without a passphrase) is rather insecure. ... The documentation generally recommendeds to start keychain when you log in, which then lets all subsequent processes on the box access the ssh keys. ... I imagine that it could be possible to start keychain on system boot, but I'm not thrilled with that idea either, as it would interrupt the boot sequence with a password prompt and thus prevent completely unattended booting of the file server. ...
    (SSH)
  • Re: ssh-agent without graphical display manager? how?
    ... But when I log in this way, it appears that ssh-agent is ... I use the "keychain" package plus these scripts and snippets to start and ... interactivity. ... # regularly times out keys. ...
    (Debian-User)