Slashdot Mirror


Set up SSH Agent on Login

mpf writes "This is a simple procedure to allow you to be prompted at login for your SSH passphrase and have it optionally stored in your Mac OS X Keychain, so you'll never have to enter your passphrase again! It allows you to use ssh from AppleScripts and other non-interactive applications without entering your passphrase." Nice idea. It combines two pieces of software, one that starts ssh-agent on login, and one that gets called to provide your ssh passphrase when needed (which can store/retrieve it in the Keychain). There's a small AppleScript to call ssh-add on login, to tie it all together.

3 of 36 comments

  1. Re:secure shell? by Webmonger · Score: 5, Informative

    SSH can use several forms of authentication, including public key cryptography. You use a password to encrypt your private key, which you supply on login.

    Once your private key is decrypted, SSH can use it to authenticate you on any site that uses your public key for authentication.

    There is security at every step. You typically have to be logged in as yourself (or root) to read your private key, you have to supply a password to decrypt the key, and you can remove the key from memory at any time.

  2. A worrying idea. by @madeus · Score: 4, Interesting

    Hmm, mostly *but not entirely* a bad idea, IMO.

    This is useful as long as you remember to lock your screen when you are away from your keyboard.

    But to be honest, I wouldn't count on that. (as even doing that is not sufficient)

    If you store your passwords on your machine and permit programs to access your keychain (which stores them encrypted but *outputs* them as plain text), a malicious program could steal all your account passwords without you knowing (which is of course much worse than just stealing the password to your desktop).

    If you make sure the Keychain prompted you before allowing applications to access the Keychain, then that would be all well and good, but then that would eliminate most of the useful functionality of this method (as it would be more annoying than simply having to type in a password in the first place, as it would involve a hand leaving the keyboard and going for the mouse/trackball to point and click).

    Even making Terminal.app the only application which can access passwords on the Keychain without prompting does not work around this problem as it's trivial to call the Terminal and get it to do stuff (and, in fact, some installers do).

    In my experience, I have enough problems convincing lusers not to save their passwords in clear text in CRT/SecureCRT login scripts.

    I don't wish to detract from someone's work, but this seems like someone's excuse not to have to remember passwords.

    (If there are a lot of systems to look after and you can't possibly remember the passwords for all of them (and you're not able to use something like NIS/LDAP), a plain text/CSV and something like Cypher is probably a better bet.)

  3. Re:Pattern of making OSX like OS 9 by jkujawa · Score: 4, Insightful

    I don't think this is so much a password-free login as single sign-on. The keychain database is unlocked when the user logs in, and from then on, any applications which have been allowed to use it can get their registered passwords from the database, without having to ask the user.

    Some people like single sign-on, others don't. Personally, I like its convenience. I think it should be done correctly, the database should, for instance, be relocked when the screen is locked, but it's a good solution for users, if used carefully.
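Added example, not mpf's scripts and not the Keychain helper the summary describes: a POSIX login script that starts ssh-agent once per session, hands passphrase lookup to an SSH_ASKPASS helper, and loads the key with a lifetime and per-use confirmation, which answers the objections raised by @madeus (no prompt before use) and jkujawa (nothing relocks the key). The paths ~/bin/ssh-askpass-keychain, ~/.ssh/id_ed25519 and ~/.ssh/agent.env are assumptions.

```shell
#!/bin/sh
# Login-time ssh-agent setup (added example). Assumed, hypothetical paths:
#   ~/bin/ssh-askpass-keychain  - the passphrase helper the summary describes
#   ~/.ssh/id_ed25519           - the passphrase-protected private key to load
#   ~/.ssh/agent.env            - where this script caches the agent's environment

# True if the agent recorded in SSH_AUTH_SOCK still answers.
agent_alive() {
  [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
  # ssh-add -l exits 2 only when it cannot reach the agent (0: keys loaded, 1: none)
  ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

# Start ssh-agent once per login session; later shells source agent.env to reuse it.
ensure_agent() {
  agent_env="${HOME}/.ssh/agent.env"
  [ -r "$agent_env" ] && . "$agent_env" >/dev/null
  agent_alive && return 0
  mkdir -p "${HOME}/.ssh" && chmod 700 "${HOME}/.ssh"
  (umask 077 && ssh-agent -s > "$agent_env") || return 1
  . "$agent_env" >/dev/null
}

# ssh-add flags that address the two objections in the thread:
#   -t SECS  the decrypted key is dropped from the agent after SECS seconds
#   -c       every signing request first asks the askpass program for confirmation
ssh_add_args() {
  printf -- '-t %s -c' "${1:-3600}"
}

# Load the key. ssh-add calls SSH_ASKPASS only when DISPLAY is set and stdin is not a tty,
# so the passphrase comes from the helper rather than from the terminal.
add_key() {
  SSH_ASKPASS="${HOME}/bin/ssh-askpass-keychain"; export SSH_ASKPASS
  DISPLAY="${DISPLAY:-:0}"; export DISPLAY
  # word-splitting of the flag string is intended
  ssh-add $(ssh_add_args 3600) "${HOME}/.ssh/id_ed25519" < /dev/null
}
```

Call `ensure_agent && add_key` from the login item; with `-c` the askpass helper must show a confirmation dialog, not just return the stored passphrase, or the confirmation step is meaningless.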