Set up SSH Agent on Login

mpf writes "This is a simple procedure to allow you to be prompted at login for your SSH passphrase and have it optionally stored in your Mac OS X Keychain, so you'll never have to enter your passphrase again! It allows you to use ssh from AppleScripts and other non-interactive applications without entering your passphase." Nice idea. It combines two pieces of software, one that starts ssh-agent on login, and one that gets called to provide your ssh passphrase when needed (which can store/retrieve it in the Keychain). There's a small AppleScript to call ssh-add on login, to tie it all together.

A worring idea.

[@madeus]

Hmm mostly *but not entirely* , a bad idea, IMO.

This is useful as long as you remeber to lock your screen when you are away from your keyboard.

But to be honest, I wouldn't count on that. (as even doing that is not sufficent)

If you store your passwords on your machine and permit programs to access your keychain (which stores them encrypted but *outputs* them as plain text), a malacious program could steal all your account passwords without you knowing (which is of course much worse than just stealing the password to your desktop).

If you make sure the Keychain prompted you before allowing applications to access the Keychain, then that would be all well and good, but then that would elimiate most of the useful functionality of this method (as it would be more annoying than simply having to type in a password in the first place, as it would involve a hand leaving the keyboard and going for the mouse/trackball to point and click).

Even making Terminal.app the only application which can access passwords on the Keychain without prompting does not work around this problem as it's trivial to call the Terminal and get it to do stuff (and, infact some installers do).

In my experience, I have enough problems convincing lusers not to save their passwords in clear text in CRT/SecureCRT login scripts.

I don't wish to detract from someone's work, but this seems like someone's excuse not to have to remeber passwords.

(If there are a lot of systems to look after and you can't possibly remeber the passwords for all of them (and your not able to use something like NIS/LDAP), a plain text/CSV and something like Cypher is probably a better bet.)

Keychain

[auferstehung]

The original sh compatible keychain tool for Linux (and Unix in general) mentioned in the referenced link can be found on the Gentoo Linux website here. There are links to IBM developerWorks articles describing the concepts behind the keychain scripts as well as how to set it up and use it.

My solution..

[lcracker]

I wrote a perl script that manages ssh-agent processes that gets executed in the .login. Basically the way it works is that whenever I start a terminal session it sets the proper environment variables if ssh-agent is running, otherwise, it starts ssh-agent (therefore asking for password). I also wrote some scripts to add my public key to remote hosts. I use SSHPassKey for ProjectBuilder, which seems to integrate with my system pretty well.

---

#!/usr/bin/perl
sub findpid {
$addkeys = shift;
open FILE,"$ENV{HOME}/.ssh/.ssh-agent.csh";
$sock = ;
$pid = ;
close FILE;
$sock =~ s/^.*?\ .*?\ (.*?);\n$/$1/;
$pid =~ s/^.*?\ .*?\ (.*?);\n$/$1/;
$lines = 0;
if ($pid) {
open PS,"/bin/ps -p $pid|";
;
while () { ++$lines; }
close PS;
}
if ($lines) {
$ENV{'SSH_AUTH_SOCK'} = $sock;
$ENV{'SSH_AGENT_PID'} = $pid;
if ($addkeys) {`ssh-add $ENV{HOME}/.ssh/identity $ENV{HOME}/.ssh/id_dsa`;}
} else {
print "Starting ssh-agent...\n";
`ssh-agent > $ENV{HOME}/.ssh/.ssh-agent.csh`;
findpid(1);
}
}
findpid();

Re:secure shell?

[Webmonger]

Yes, you very well covered if your laptop gets stolen, as long as the power's off. The only copy of your private key is on the hard disk, and your passphrase is required to use it, because it's encrypted.

If your laptop is stolen while powered on with an active login session, you may be screwed.

Essentially it goes:

Remote machine: At the request of user bar, I will permit any machine that can prove it has private key foo to log in as user bar.

Local machine: If user bar (or baz) supplies the password for key foo, I can decrypt it. If I can decrypt key foo, I will use it to log into the remote machine.

So in fact, the remote machine doesn't trust your local machine, it trusts the key.

The only decrypted copy of the key is in memory. If you're really unlucky, it got swapped to disk, and was recovered by the person who stole your laptop. Recovering a key like this is nontrivial to do, but not impossible.