Q: ssh remembering passphrases
Before upgrading to Sierra, the first time I ran an ssh command each day, it would ask for my passphrase and store the key, making it usable by other ssh processes, anywhere I'm logged in, thanks to "agent forwarding". This is what I'm used to, and is identical to how things work on my other workstation (which runs Linux.)
After upgrading to Sierra, my SSH keys' passphrases are somehow being "remembered", but not by ssh-agent. I am able to ssh from my laptop directly into any of the servers I manage, without being asked for a passphrase, but because the agent does not contain any keys (i.e. "ssh-add -l" returns "The agent has no identities."), I am not able to ssh from that server into another server, which also makes "scp" and "git" commands not work, until I go back to the laptop itself and run "ssh-add".
I've tried using "Keychain Access" to find and delete the item containing the passphrase, but none of the items in any of my keychain files (login, iCloud, System, or System Roots) contain "ssh" anywhere in their titles. I've also tried "ssh-add -K -D" and "ssh-add -K -d /Users/xxx/.ssh/id_rsa". Neither command appears to have any effect; they are not clearing wherever the passphrases are stored.
The output from "ssh -vvv server1" contains the following:
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/xxx/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp SHA256:m59cRsLlMQHZk1KlO5fJNlaYBhCIyrE3eF4YaX/+q/A
debug3: sign_and_send_pubkey: RSA SHA256:m59cRsLlMQHZk1KlO5fJNlaYBhCIyrE3eF4YaX/+q/A
debug3: Search for item with query: {
acct = "/Users/xxx/.ssh/id_rsa";
agrp = "com.apple.ssh.passphrases";
class = genp;
labl = "SSH: /Users/xxx/.ssh/id_rsa";
nleg = 1;
"r_Data" = 1;
svce = OpenSSH;
}
debug2: using passphrase from keychain
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to server1 ([192.168.1.209]:22).
How can I make ssh NOT remember the passphrases for my keys?
Posted on Sep 26, 2016 7:29 AM
I was able to find two options which, when used together in your "~/.ssh/config" file, will restore the previous (and what I consider to be the correct) behaviour:
- UseKeychain No - Makes ssh NOT store the passphrases in the keychain (or whatever this sqlite3 file is... I find it rather strange that the items in this file don't show up in "Keychain Access". Maybe that's a bug in Keychain Access?)
Also, note that this option is not documented in "man ssh_config" (where it should be.)
- AddKeysToAgent Yes - Makes ssh automatically add the key (not its passphrase, but the key itself) to the ssh-agent process.
To illustrate, I have the following added to the end of my ~/.ssh/config file:
Host *
    UseKeychain no
    AddKeysToAgent yes
And now, the first time I ssh into a server after rebooting the laptop, (1) it adds the key to the agent, and (2) it does NOT store the passphrase in the keychain, or in this other sqlite file.
Posted on Oct 13, 2016 4:21 PM
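As an added example (not code from the thread), the following POSIX shell script checks both halves of the answer above: it reads the "Host *" block of an ssh_config file for the UseKeychain and AddKeysToAgent options, and scans saved "ssh -vvv" output for the "using passphrase from keychain" line from the question. The file paths and sample contents it uses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an ssh_config file for the
# two options discussed above and scan saved "ssh -vvv" output for the
# keychain lookup. File paths and sample contents below are constructed.

# Print the value of <keyword> from the "Host *" block of <file>
# (keywords are case-insensitive; first match wins; "keyword value" form only).
ssh_config_option() {   # usage: ssh_config_option <file> <keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "host" { in_star = ($2 == "*"); next }
        in_star && tolower($1) == key && !found { print tolower($2); found = 1 }
    ' "$1"
}

# Succeed only when the config keeps passphrases out of the keychain AND adds
# keys to ssh-agent, the combination that restores agent-based behaviour.
ssh_config_ok() {   # usage: ssh_config_ok <file>
    [ "$(ssh_config_option "$1" UseKeychain)" = "no" ] &&
    [ "$(ssh_config_option "$1" AddKeysToAgent)" = "yes" ]
}

# Succeed when a saved "ssh -vvv" log shows the passphrase came from the keychain.
used_keychain_passphrase() {   # usage: used_keychain_passphrase <logfile>
    grep -q 'using passphrase from keychain' "$1"
}

# Constructed sample inputs (hypothetical, for the demo only).
tmp="${TMPDIR:-/tmp}/ssh_keychain_demo.$$"
mkdir -p "$tmp"
printf 'Host *\n    ServerAliveInterval 60\n' > "$tmp/config_before"
printf 'Host *\n    UseKeychain no\n    AddKeysToAgent yes\n' > "$tmp/config_after"
printf 'debug2: using passphrase from keychain\ndebug1: Authentication succeeded (publickey).\n' \
    > "$tmp/ssh_vvv.log"

for cfg in config_before config_after; do
    if ssh_config_ok "$tmp/$cfg"; then
        echo "$cfg: passphrase is not stored in the keychain; key is added to ssh-agent"
    else
        echo "$cfg: ssh may store the passphrase in the keychain (behaviour in the question)"
    fi
done
if used_keychain_passphrase "$tmp/ssh_vvv.log"; then
    echo "ssh_vvv.log: passphrase was read from the keychain"
fi
```

Point ssh_config_ok at your real ~/.ssh/config, and used_keychain_passphrase at a saved "ssh -vvv host 2>&1" log, to confirm the change took effect.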