remote login and keychain

I'm ssh'ing from my home machine into my OSX box at work.
On that machine, I have a bunch of passwords for ssh keys
stored in my login keychain that I use for accessing other machines.
If I'm sat in front of the machine, then,
provided that my login keychain is unlocked, I can access all
of the keys without having to type the individual passwords.
However, the same behavior doesn't happen when I ssh into the
machine from home - I'm asked for the password for each individual
ssh key when I try to use it, even if I've first run

security unlock-keychain <login.keychain>

How do I get ssh to read the appropriate ssh key password directly
from the keychain on the remote machine?

MacBook Pro 15", Mac Pro, Mac OS X (10.6.1)

Posted on Nov 6, 2009 12:34 PM

Posted on Nov 8, 2009 5:57 AM in response to Kris Beckwith

When you are sitting in front of the OSX box at work and log into it, then ssh-agent is automatically started for you (to be more precise, it is started by launchd on demand). If you open a Terminal on the OSX box, then the environment variable SSH_AUTH_SOCK is already set (you can see this by typing "echo $SSH_AUTH_SOCK" or "env" in the terminal). When you ssh from the OSX box to a remote host, then the ssh client communicates with the ssh-agent through the socket, and the ssh-agent gets the pass phrase from the keychain; so you need not type the pass phrase (assuming the keychain is already unlocked).

When you are at home and ssh to the OSX box, then no ssh-agent is started on the OSX box automatically; if you type "echo $SSH_AUTH_SOCK" then you will get a null response. So you must start an ssh-agent and set SSH_AUTH_SOCK by yourself. This can be done by running

eval $(ssh-agent)

after logging into the OSX box. Then by unlocking the keychain, you can ssh to the remote hosts without typing the pass phrase.
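The agent start-up the reply describes, worked into a small login script, as an added example that is not part of the thread: instead of a bare eval $(ssh-agent) on every remote login (which leaves a fresh agent behind each time), it first checks whether SSH_AUTH_SOCK already points at a live agent, then tries an agent cached from an earlier remote login, and only then starts a new one. It assumes POSIX sh, OpenSSH's ssh-agent/ssh-add on PATH, and a cache file ~/.ssh/agent.env, a path chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: make a remote (ssh) login on the
# work Mac reuse one ssh-agent instead of starting a fresh one per session.
# Assumptions: POSIX sh, OpenSSH ssh-agent/ssh-add on PATH, and a cache file
# ~/.ssh/agent.env (a path chosen for this example) holding the agent's env.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Succeed only if SSH_AUTH_SOCK names a socket that an agent actually answers.
# ssh-add -l exits 0 (keys loaded) or 1 (agent but no keys); 2 means no agent.
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# Import a cached agent environment written by an earlier login, if any.
load_agent_env() {
    [ -f "$AGENT_ENV" ] || return 1
    . "$AGENT_ENV" >/dev/null
}

# Start a new agent and cache its environment owner-readable only (umask 077
# in a subshell), since the file reveals the socket of an agent holding
# unlocked keys. -t bounds how long an added key stays usable, limiting the
# exposure if someone else later reaches the work box with your account.
start_agent() {
    mkdir -p "$(dirname "$AGENT_ENV")"
    (umask 077; ssh-agent -s -t 8h > "$AGENT_ENV") || return 1
    . "$AGENT_ENV" >/dev/null
}

# Prefer an agent already in the environment (the launchd one when sitting at
# the Mac), then a cached one from a previous remote login, else start fresh.
ensure_agent() {
    agent_alive && return 0
    load_agent_env && agent_alive && return 0
    start_agent
}

# Typical use right after "ssh work-mac", in place of eval $(ssh-agent):
#   . ./agent-reuse.sh && ensure_agent && security unlock-keychain <login.keychain>
```

Because agent_alive refuses a stale socket, a cached entry left by an agent that has since exited is simply replaced rather than trusted.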