Set up SSH Agent on Login

mpf writes "This is a simple procedure to allow you to be prompted at login for your SSH passphrase and have it optionally stored in your Mac OS X Keychain, so you'll never have to enter your passphrase again! It allows you to use ssh from AppleScripts and other non-interactive applications without entering your passphase." Nice idea. It combines two pieces of software, one that starts ssh-agent on login, and one that gets called to provide your ssh passphrase when needed (which can store/retrieve it in the Keychain). There's a small AppleScript to call ssh-add on login, to tie it all together.

Re:secure shell?

[Webmonger]

SSH can use several forms of authentication, including public key cryptography. You use a password to encrypt your private key, which you supply on login.

Once your private key is decrypted, SSH can use it to authenticate you on any site that uses your public key for authentication.

There is security at every step. You typically have to be logged in as yourself (or root) to read your private key, you have to supply a password to decrypt the key, and you can remove they key from memory at any time.

A worring idea.

[@madeus]

Hmm mostly *but not entirely* , a bad idea, IMO.

This is useful as long as you remeber to lock your screen when you are away from your keyboard.

But to be honest, I wouldn't count on that. (as even doing that is not sufficent)

If you store your passwords on your machine and permit programs to access your keychain (which stores them encrypted but *outputs* them as plain text), a malacious program could steal all your account passwords without you knowing (which is of course much worse than just stealing the password to your desktop).

If you make sure the Keychain prompted you before allowing applications to access the Keychain, then that would be all well and good, but then that would elimiate most of the useful functionality of this method (as it would be more annoying than simply having to type in a password in the first place, as it would involve a hand leaving the keyboard and going for the mouse/trackball to point and click).

Even making Terminal.app the only application which can access passwords on the Keychain without prompting does not work around this problem as it's trivial to call the Terminal and get it to do stuff (and, infact some installers do).

In my experience, I have enough problems convincing lusers not to save their passwords in clear text in CRT/SecureCRT login scripts.

I don't wish to detract from someone's work, but this seems like someone's excuse not to have to remeber passwords.

(If there are a lot of systems to look after and you can't possibly remeber the passwords for all of them (and your not able to use something like NIS/LDAP), a plain text/CSV and something like Cypher is probably a better bet.)

Re:A worring idea.

[Lazaru5]

All your points are mostly valid except for saying it's an excuse not to have to remember passwords. Why then do ssh-agent/ssh-add exist at all? Having all apps be able to access SSH_AUTH_SOCK and SSH_AGENT_PID is a good thing. It's ok to question this implementation, but the goal is a good one.

Re:A worring idea.

[daeley]

This is useful as long as you remeber to lock your screen when you are away from your keyboard.

In Mac OS X, under the Screen Saver System Preference, you can have it ask for a password before it lets you back in. You can also set a hot corner so that if you *do* remember, you can just shove your cursor into one corner and the screensaver turns on.

Re:A worring idea.

[usr122122121]

If you store your passwords on your machine and permit programs to access your keychain (which stores them encrypted but *outputs* them as plain text), a malacious program could steal all your account passwords without you knowing.

Your assumption that any program can access any keychain item at any time is false. Each keychain item has specific programs assigned to it with different realms. Take a look at your keychain program, and you'll see a section that restricts program access.
The real security risk that you should be worried about is the fact that if your keychain is unlocked, anyone can go into your keychain application and view in plaintext any of your passwords.

If you make sure the Keychain prompted you before allowing applications to access the Keychain, then that would be all well and good, but then that would elimiate most of the useful functionality of this method

There is an option that you're overlooking: in the keychain manager you can set programs to only prompt you once. Anytime the program itself is modified (if you make a new build, or if you install an update), you are presented with a dialog asking you if you want to allow the program to have access to the keychain item. you can say "deny", "allow", and "always allow"

I don't wish to detract from someone's work, but this seems like someone's excuse not to have to remeber passwords.

I believe that was the entire point!

I don't recommend doing this trick if you're going to leave your keychain unlocked all the time, but if you have it set up more securely it could prove to be a very helpful addition to your setup.

Re:A worring idea.

[@madeus]

No my assumptions are NOT false.

I know exactly how the Keychain works, but as I went to great pains to point out, this program fails to save time effectively if you are still prompted for authorization each time and if you are not, then it is insecure, and that's why IMO it's a bad idea.

For some reason (because it didn't fit your argument) you selectively ommited that part of my post from your reply and chose instead to ignore it.

And yes, I also know how to lock the screen in Mac OS X (WOW you can lock the screen? Who would have thought! You must be a rocket scientist!)

As for your reply of "I believe that was the entire point!" when I stated "this seems like someone's excuse not to have to remeber passwords." you would seem to have little experience managing systems responsibly.

Quite frankly, if you can't even remeber your password for a host, you shouldn't not be messing around at the command line at all and are likely to break something quite badly.

Re:secure shell?

[BigBir3d]

so what you are saying is when your laptop is stolen, you are completely covered? i think not.

Keychain

[auferstehung]

The original sh compatible keychain tool for Linux (and Unix in general) mentioned in the referenced link can be found on the Gentoo Linux website here. There are links to IBM developerWorks articles describing the concepts behind the keychain scripts as well as how to set it up and use it.

Re:Pattern of making OSX like OS 9

[jkujawa]

I don't think this is so much a password-free login as single sign-on. The keychain database is unlocked when the user logs in, and from then on, any applications which have been allowed to use it can get their registered passwords from the database, without having to ask the user.

Some people like single sign-on, others don't. Personally, I like its convenience. I think it should be done correctly, the database should, for instance, be relocked when the screen is locked, but it's a good solution for users, if used carefully.

Re:Pattern of making OSX like OS 9

[pudge]

Um ... actually, this is making it more Unix-like (as if Unix can be made more Unix-like) ... on Mac OS 9 I have no way to set up an ssh-agent (although NiftyTelnet does cache your ssh passphrase in memory, and MacSSH can cache it in the Keychain). On Linux, when I log in to my graphical UI, I set up one ssh-agent for all my terminals etc. to use. It's the same thing. ssh is made for this. All this does is make it so the ssh-agent is started automatically and your key is added to it automatically, by using the Keychain. Sure, the Keychain or SSH could have security flaws in them, but is that's the case, there are far bigger problems than merely this.

Is doing this like...

[yack0]

using keygen to generate a identity and identity.pub in your local .ssh directory, then copying that identity.pub to the remote server in a ~/.ssh/authorized_keys (perm 644) file?

While that method also assumes physical security, I don't really worry about that. My iBook secures the screen if I'm idle for more than 5 minutes and I have a sleep corner. I don't leave my desk without using the sleep corner to lock up.

I know a lot of people that use this, the trick is to keep the identity file secure. That's your private key and needs to be safe.

Re:Is doing this like...

[Lazaru5]

That's not what this is at all. You of course _do_ generate your keys like normal and distribute your .pub key to your server(s) of choice.

This is akin to starting X via "ssh-agent startx" (or your ~/.X* scripts if you use [x|g|k|w]dm, etc) so that all applications inherit the SSH_AUTH_SOCK and SSH_AGENT_PID environment variables.

This also provides an analog to the X based openssh-askpass dialog.

Finally, and this is the novel part...it adds it to MacOSX's KeyChain system so that all apps - not just Terminal.app and [x|a|e]term - can use it. Their example is Project Builder which can be set to use SSH to do CVS logins instead of the default (which is presumably pserver).

Re:secure shell?

[Lazaru5]

He meant private key of course. The public key is readable by world and installed on the server side. It's the private key that's encrypted with your passphrase.

In response to BigBir3d:

He didn't say that at all.

In response to AC:

BigBir3d's point was that once someone gets ahold of your private - albeit encrypted - ssh key, they can bruteforce your passphrase. PKI is only as secure as your keys (length/phrase/security[ie, Do You Know Where Your Private Keys Are?])

Re:secure shell?

[scenic]

no, not completely covered. But, with proper management you can manage your risk. Just remove the key that got stolen from your remote hosts. The issue then becomes home many keys and where they are, and ancilliary issues like did you use the same passphrase on other keys on other computers (bad user, bad, bad).

At the end of the day, it's all about managing risk. So, you have to take the proper safeguards in order to balance your convenience.

Sujal

My solution..

[lcracker]

I wrote a perl script that manages ssh-agent processes that gets executed in the .login. Basically the way it works is that whenever I start a terminal session it sets the proper environment variables if ssh-agent is running, otherwise, it starts ssh-agent (therefore asking for password). I also wrote some scripts to add my public key to remote hosts. I use SSHPassKey for ProjectBuilder, which seems to integrate with my system pretty well.

---

#!/usr/bin/perl
sub findpid {
$addkeys = shift;
open FILE,"$ENV{HOME}/.ssh/.ssh-agent.csh";
$sock = ;
$pid = ;
close FILE;
$sock =~ s/^.*?\ .*?\ (.*?);\n$/$1/;
$pid =~ s/^.*?\ .*?\ (.*?);\n$/$1/;
$lines = 0;
if ($pid) {
open PS,"/bin/ps -p $pid|";
;
while () { ++$lines; }
close PS;
}
if ($lines) {
$ENV{'SSH_AUTH_SOCK'} = $sock;
$ENV{'SSH_AGENT_PID'} = $pid;
if ($addkeys) {`ssh-add $ENV{HOME}/.ssh/identity $ENV{HOME}/.ssh/id_dsa`;}
} else {
print "Starting ssh-agent...\n";
`ssh-agent > $ENV{HOME}/.ssh/.ssh-agent.csh`;
findpid(1);
}
}
findpid();

Re:secure shell?

[Webmonger]

Yes, you very well covered if your laptop gets stolen, as long as the power's off. The only copy of your private key is on the hard disk, and your passphrase is required to use it, because it's encrypted.

If your laptop is stolen while powered on with an active login session, you may be screwed.

Essentially it goes:

Remote machine: At the request of user bar, I will permit any machine that can prove it has private key foo to log in as user bar.

Local machine: If user bar (or baz) supplies the password for key foo, I can decrypt it. If I can decrypt key foo, I will use it to log into the remote machine.

So in fact, the remote machine doesn't trust your local machine, it trusts the key.

The only decrypted copy of the key is in memory. If you're really unlucky, it got swapped to disk, and was recovered by the person who stole your laptop. Recovering a key like this is nontrivial to do, but not impossible.

Re:secure shell?

[Webmonger]

Of course, some OSes support encrypted swap. . .

Re:Pattern of making OSX like OS 9

[phyxeld]

I think you are confused. The article wasn't about bypassing login to the mac itself (that can easily be done in the Login system pref panel, on any osx mac), but rather bypassing passwords for remote systems. There is no way (that I know of at least) to get ssh keys working this elgantly in OS9.

I'm in and out of a couple different shell servers all day, so this is a huge timesaver for me. And it is pretty secure, because every time I close the lid of my ibook the system sleeps, and everytime the system sleeps, my keychain is locked. And I've got a password on my screensaver too. And I don't have my actual remote passwords stored. It's beautiful.