Slashdot Mirror


Set up SSH Agent on Login

mpf writes "This is a simple procedure to allow you to be prompted at login for your SSH passphrase and have it optionally stored in your Mac OS X Keychain, so you'll never have to enter your passphrase again! It allows you to use ssh from AppleScripts and other non-interactive applications without entering your passphrase." Nice idea. It combines two pieces of software, one that starts ssh-agent on login, and one that gets called to provide your ssh passphrase when needed (which can store/retrieve it in the Keychain). There's a small AppleScript to call ssh-add on login, to tie it all together.

7 of 36 comments

  1. Re:secure shell? by Webmonger · Score: 5, Informative

    SSH can use several forms of authentication, including public key cryptography. You use a password to encrypt your private key, which you supply on login.

    Once your private key is decrypted, SSH can use it to authenticate you on any site that uses your public key for authentication.

    There is security at every step. You typically have to be logged in as yourself (or root) to read your private key, you have to supply a password to decrypt the key, and you can remove the key from memory at any time.

  2. Is doing this like... by yack0 · Score: 3, Informative

    using keygen to generate an identity and identity.pub in your local .ssh directory, then copying that identity.pub to the remote server in a ~/.ssh/authorized_keys (perm 644) file?

    While that method also assumes physical security, I don't really worry about that. My iBook secures the screen if I'm idle for more than 5 minutes and I have a sleep corner. I don't leave my desk without using the sleep corner to lock up.

    I know a lot of people who use this; the trick is to keep the identity file secure. That's your private key and needs to be safe.

    --
    -- There is no sig line, only Zuul.
    1. Re:Is doing this like... by Lazaru5 · Score: 3, Informative

      That's not what this is at all. You of course _do_ generate your keys like normal and distribute your .pub key to your server(s) of choice.

      This is akin to starting X via "ssh-agent startx" (or your ~/.X* scripts if you use [x|g|k|w]dm, etc) so that all applications inherit the SSH_AUTH_SOCK and SSH_AGENT_PID environment variables.

      This also provides an analog to the X based openssh-askpass dialog.

      Finally, and this is the novel part: it adds it to Mac OS X's Keychain system so that all apps - not just Terminal.app and [x|a|e]term - can use it. Their example is Project Builder, which can be set to use SSH to do CVS logins instead of the default (which is presumably pserver).

      --
      My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
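Holding one ssh-agent per login session and letting every later program inherit SSH_AUTH_SOCK and SSH_AGENT_PID, as the summary and the comment above describe, can be done with a small login-time script. This is an added example, not the page's or the project's code: it assumes OpenSSH's ssh-agent and ssh-add are on PATH, uses a file path (AGENT_ENV) chosen here, and leaves the Keychain/askpass half of the setup aside.

```shell
#!/bin/sh
# Added example (not the page's or the project's code): keep a single ssh-agent
# per login session and record its variables in a file, so every program started
# later can pick up SSH_AUTH_SOCK and SSH_AGENT_PID. Assumes OpenSSH's ssh-agent
# and ssh-add; AGENT_ENV is a path chosen for this example.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Pull one value out of text in ssh-agent's own "VAR=value; export VAR;" format
# (stdin). Only a plain path or number is accepted, so a tampered file is
# rejected instead of being eval'd. Exit status 1 if absent or malformed.
agent_var() {
    sed -n "s/^$1=\([A-Za-z0-9_./-]*\); export $1;\$/\1/p" | head -n 1 | grep .
}

# Export the two variables from a saved env file; fail if either is missing.
load_agent_env() {
    [ -r "$1" ] || return 1
    SSH_AUTH_SOCK=$(agent_var SSH_AUTH_SOCK < "$1") || return 1
    SSH_AGENT_PID=$(agent_var SSH_AGENT_PID < "$1") || return 1
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# True when the recorded agent still answers. ssh-add -l exits 2 when it
# cannot reach an agent (0 = identities loaded, 1 = agent up, none loaded).
agent_alive() {
    load_agent_env "$AGENT_ENV" || return 1
    [ -S "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# Start a fresh agent and save its variables with owner-only permissions.
start_agent() {
    out=$(ssh-agent -s) || return 1
    ( umask 077; rm -f "$AGENT_ENV"; printf '%s\n' "$out" > "$AGENT_ENV" ) || return 1
    load_agent_env "$AGENT_ENV"
}

# Call this from ~/.profile (or the login-time script the summary describes);
# any application launched afterwards inherits the agent's environment.
ensure_agent() {
    agent_alive || start_agent
}
```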
  3. Re:secure shell? by Lazaru5 · Score: 3, Informative

    He meant private key of course. The public key is readable by world and installed on the server side. It's the private key that's encrypted with your passphrase.

    In response to BigBir3d:

    He didn't say that at all.

    In response to AC:

    BigBir3d's point was that once someone gets ahold of your private - albeit encrypted - ssh key, they can brute-force your passphrase. PKI is only as secure as your keys (length/phrase/security [i.e., Do You Know Where Your Private Keys Are?]).

    --
    My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
  4. Re:secure shell? by scenic · Score: 3, Informative

    no, not completely covered. But, with proper management you can manage your risk. Just remove the key that got stolen from your remote hosts. The issue then becomes how many keys and where they are, and ancillary issues like did you use the same passphrase on other keys on other computers (bad user, bad, bad).

    At the end of the day, it's all about managing risk. So, you have to take the proper safeguards in order to balance your convenience.

    Sujal

    --

    politics, food, music, life: FatMixx

  5. Re:A worrying idea. by daeley · Score: 3, Informative

    This is useful as long as you remember to lock your screen when you are away from your keyboard.

    In Mac OS X, under the Screen Saver System Preference, you can have it ask for a password before it lets you back in. You can also set a hot corner so that if you *do* remember, you can just shove your cursor into one corner and the screensaver turns on.

    --
    I watched C-beams glitter in the dark near the Tannhauser gate.
  6. Re:A worrying idea. by usr122122121 · Score: 3, Informative

    > If you store your passwords on your machine and permit programs to access your keychain (which stores them encrypted but *outputs* them as plain text), a malicious program could steal all your account passwords without you knowing.

    Your assumption that any program can access any keychain item at any time is false. Each keychain item has specific programs assigned to it with different realms. Take a look at your keychain program, and you'll see a section that restricts program access.

    The real security risk that you should be worried about is the fact that if your keychain is unlocked, anyone can go into your keychain application and view in plaintext any of your passwords.

    > If you make sure the Keychain prompted you before allowing applications to access the Keychain, then that would be all well and good, but then that would eliminate most of the useful functionality of this method.

    There is an option that you're overlooking: in the keychain manager you can set programs to only prompt you once. Anytime the program itself is modified (if you make a new build, or if you install an update), you are presented with a dialog asking you if you want to allow the program to have access to the keychain item. You can say "deny", "allow", and "always allow".

    > I don't wish to detract from someone's work, but this seems like someone's excuse not to have to remember passwords.

    I believe that was the entire point!

    I don't recommend doing this trick if you're going to leave your keychain unlocked all the time, but if you have it set up more securely it could prove to be a very helpful addition to your setup.

    --

    -braxton