John Simpson

Q: ssh remembering passphrases

Before upgrading to Sierra, the first time I ran an ssh command each day, it would ask for my passphrase and store the key, making it usable by other ssh processes, anywhere I'm logged in, thanks to "agent forwarding". This is what I'm used to, and is identical to how things work on my other workstation (which runs Linux).

After upgrading to Sierra, my SSH keys' passphrases are somehow being "remembered", but not by ssh-agent. I am able to ssh from my laptop directly into any of the servers I manage, without being asked for a passphrase, but because the agent does not contain any keys (i.e. "ssh-add -l" returns "The agent has no identities."), I am not able to ssh from that server into another server, which also makes "scp" and "git" commands not work, until I go back to the laptop itself and run "ssh-add".

I've tried using "Keychain Access" to find and delete the item containing the passphrase, but none of the items in any of my keychain files (login, iCloud, System, or System Roots) contain "ssh" anywhere in their titles. I've also tried "ssh-add -K -D" and "ssh-add -K -d /Users/xxx/.ssh/id_rsa". Neither command appears to have any effect; they are not clearing wherever the passphrases are stored.

The output from "ssh -vvv server1" contains the following:

    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /Users/xxx/.ssh/id_rsa
    debug3: send_pubkey_test
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 60
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug2: input_userauth_pk_ok: fp SHA256:m59cRsLlMQHZk1KlO5fJNlaYBhCIyrE3eF4YaX/+q/A
    debug3: sign_and_send_pubkey: RSA SHA256:m59cRsLlMQHZk1KlO5fJNlaYBhCIyrE3eF4YaX/+q/A
    debug3: Search for item with query: {
        acct = "/Users/xxx/.ssh/id_rsa";
        agrp = "com.apple.ssh.passphrases";
        class = genp;
        labl = "SSH: /Users/xxx/.ssh/id_rsa";
        nleg = 1;
        "r_Data" = 1;
        svce = OpenSSH;
    }
    debug2: using passphrase from keychain
    debug3: send packet: type 50
    debug3: receive packet: type 52
    debug1: Authentication succeeded (publickey).
    Authenticated to server1 ([192.168.1.209]:22).

How can I make ssh NOT remember the passphrases for my keys?

Posted on Sep 26, 2016 7:29 AM

  • John Simpson, Oct 3, 2016 6:01 AM, in response to John Simpson
    Level 1 (41 points), Mac OS X

    Thanks to http://apple.stackexchange.com/questions/253779/macos-10-12-sierra-will-not-forget-my-ssh-keyfile-passphrase I found that the passphrase is stored in ~/Library/Keychains/{UUID}/keychain-2.db, rather than in the keychain. This is an sqlite3 file, and the item containing the passphrases can be removed with the following query:

    $ sqlite3 ~/Library/Keychains/*/keychain-2.db
    sqlite> delete from genp where agrp='com.apple.ssh.passphrases' ;
    sqlite> .q
    $

    The problem is, the next ssh command I type asks for the passphrase, and stores it back in the same file again.

    How do I prevent ssh from storing my passphrases at all?

  • Jeroen Vermeulen, Oct 4, 2016 4:27 AM, in response to John Simpson
    Level 1 (4 points), Mac OS X

    I have the same problem.
    Maybe we can execute this in cron or a logout script as a temporary workaround?:

    /usr/bin/sqlite3 ~/Library/Keychains/*/keychain-2.db "delete from genp where agrp='com.apple.ssh.passphrases'"
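The two replies above delete the stored rows blind, with no way to see beforehand which key files have a passphrase persisted or to confirm afterwards that nothing else was touched. The following script is an added example, not code from this thread or from Apple: it lists the `genp` rows in the `com.apple.ssh.passphrases` access group (the `agrp` value visible in the `ssh -vvv` output), then purges only those rows and reports the count. It assumes `keychain-2.db` is a plain sqlite3 file with a `genp` table whose `acct` and `labl` columns hold the key path and label shown in the debug query; the sample database it builds for the offline run is constructed and models only those columns, not the real schema.

```python
import sqlite3
import sys

# Access group the Sierra ssh uses for stored passphrases (from the ssh -vvv query).
PASSPHRASE_GROUP = "com.apple.ssh.passphrases"


def open_keychain_db(path):
    """Open a keychain-2.db file. Assumption: it is a plain sqlite3 file, as the thread reports."""
    return sqlite3.connect(path)


def list_ssh_passphrase_items(conn):
    """Return the key-file paths (acct column) that currently have a stored passphrase."""
    rows = conn.execute(
        "SELECT acct, labl FROM genp WHERE agrp = ? ORDER BY acct",
        (PASSPHRASE_GROUP,),
    ).fetchall()
    return [acct for acct, _labl in rows]


def purge_ssh_passphrase_items(conn):
    """Delete only the ssh passphrase rows and return how many were removed.
    Other keychain items (different agrp) are left untouched."""
    cur = conn.execute("DELETE FROM genp WHERE agrp = ?", (PASSPHRASE_GROUP,))
    conn.commit()
    return cur.rowcount


def new_sample_db():
    """Constructed stand-in for keychain-2.db (hypothetical rows, simplified schema):
    only the columns named in the debug output are modelled."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE genp (acct TEXT, agrp TEXT, labl TEXT, svce TEXT)")
    conn.executemany(
        "INSERT INTO genp VALUES (?, ?, ?, ?)",
        [
            ("/Users/xxx/.ssh/id_rsa", PASSPHRASE_GROUP, "SSH: /Users/xxx/.ssh/id_rsa", "OpenSSH"),
            ("/Users/xxx/.ssh/id_ed25519", PASSPHRASE_GROUP, "SSH: /Users/xxx/.ssh/id_ed25519", "OpenSSH"),
            # An unrelated item in another access group; the purge must not remove it.
            ("someone@example.com", "com.example.other", "Example Mail", "mail"),
        ],
    )
    conn.commit()
    return conn


def remaining_item_count(conn):
    """Total rows left in genp, used to confirm the purge was selective."""
    return conn.execute("SELECT count(*) FROM genp").fetchone()[0]


if __name__ == "__main__":
    # Pass a path to a real keychain-2.db to audit it; with no argument the constructed sample is used.
    conn = open_keychain_db(sys.argv[1]) if len(sys.argv) > 1 else new_sample_db()
    before = list_ssh_passphrase_items(conn)
    print("keys with a stored passphrase:", before or "none")
    if before and "--purge" in sys.argv:
        print("removed", purge_ssh_passphrase_items(conn), "row(s);",
              remaining_item_count(conn), "other item(s) remain")
```

Run it without `--purge` first to see what is stored; as the thread notes, a purge only helps until the next ssh command re-stores the passphrase, so the `UseKeychain no` setting discussed later in the thread is the durable fix.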
  • John Simpson, Oct 13, 2016 4:21 PM, in response to John Simpson (Solved answer)
    Level 1 (41 points), Mac OS X

    I was able to find two options which, when used together in your "~/.ssh/config" file, will restore the previous (and what I consider to be the correct) behaviour:


    • UseKeychain No - Makes ssh NOT store the passphrases in the keychain (or whatever this sqlite3 file is... I find it rather strange that the items in this file don't show up in "Keychain Access". Maybe that's a bug in Keychain Access?)

    Also, note that this option is not documented in "man ssh_config" (where it should be.)

    • AddKeysToAgent Yes - Makes ssh automatically add the key (not its passphrase, but the key itself) to the ssh-agent process.

    To illustrate, I have the following added to the end of my ~/.ssh/config file:

    Host *
        UseKeychain     no
        AddKeysToAgent  yes

    And now, the first time I ssh into a server after rebooting the laptop, (1) it adds the key to the agent, and (2) it does NOT store the passphrase in the keychain, or in this other sqlite file.
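The answer above appends a `Host *` block to the end of `~/.ssh/config`. One property of ssh_config that matters here: ssh keeps the first value it obtains for each option, so a per-host block that appears earlier in the file and sets `UseKeychain yes` still wins for that host, and the appended block silently does not apply to it. The script below is an added example, not code from this thread or from OpenSSH: it parses a config in that first-match style, resolves `UseKeychain` and `AddKeysToAgent` for a given host, and reports where the passphrase would still be persisted or the key would not reach the agent. It assumes only `Host` blocks (no `Match`), approximates ssh's `*`/`?`/`!` host patterns with `fnmatch`, and, following the thread's report, treats an unset `UseKeychain` as the state in which Sierra stored passphrases. The sample config is constructed.

```python
import fnmatch
import sys


def parse_ssh_config(text):
    """Parse ssh_config text into [(host_patterns, {option: value}), ...].
    Options before any Host line go into a leading block that matches every host.
    Simplification: Match blocks and quoting are not handled."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        head = line.split(None, 1)[0]
        if "=" in head:                            # "Key=Value" form
            key, value = (s.strip() for s in line.split("=", 1))
        else:                                      # "Key Value" form
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        key = key.lower()                          # option names are case-insensitive
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)   # first value within a block wins too
    return blocks


def host_matches(patterns, host):
    """A Host line matches if any pattern matches and no '!'-negated pattern matches."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(blocks, host, option):
    """Effective value of an option for a host: the FIRST matching block that sets it."""
    option = option.lower()
    for patterns, opts in blocks:
        if host_matches(patterns, host) and option in opts:
            return opts[option]
    return None


def audit(text, host):
    """Findings for one host about passphrase persistence and agent loading."""
    blocks = parse_ssh_config(text)
    use_keychain = resolve(blocks, host, "UseKeychain")
    add_keys = resolve(blocks, host, "AddKeysToAgent")
    findings = []
    if use_keychain is None:
        findings.append("UseKeychain unset: this is the state in which the thread saw "
                        "Sierra store the passphrase in keychain-2.db")
    elif use_keychain.lower() != "no":
        findings.append(f"UseKeychain {use_keychain}: passphrase will be written to the keychain store")
    if add_keys is None or add_keys.lower() == "no":
        findings.append("AddKeysToAgent not enabled: key is never loaded into ssh-agent, "
                        "so agent forwarding has nothing to forward")
    return findings


# Constructed sample: a pre-existing per-host block sits above the Host * block
# that the answer appends to the end of the file. 192.0.2.10 is a documentation address.
SAMPLE_CONFIG = """\
Host bastion
    HostName 192.0.2.10
    UseKeychain yes

Host *
    UseKeychain     no
    AddKeysToAgent  yes
"""

if __name__ == "__main__":
    # Usage: script.py [path/to/ssh_config] host...   (sample config and hosts if no args)
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as f:
            config, hosts = f.read(), sys.argv[2:]
    else:
        config, hosts = SAMPLE_CONFIG, ["server1", "bastion"]
    for h in hosts:
        print(h + ":", audit(config, h) or "ok")
```

For `server1` the appended block applies and the audit is clean; for `bastion` the earlier `UseKeychain yes` is the first value obtained, so the passphrase for that host would still be stored. Putting the `Host *` block at the top of the file, or removing the per-host override, closes that gap; on the real system, `ssh -G hostname` prints the options ssh actually resolved for a host.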