Q: How to force OSX to ask for ssh key passphrase each time?

Asked by cmscss

Hi There,

Title says it all really - is there a way to force OSX to ask for an ssh passphrase each time it's accessed?

We haven't ticked the option to save passphrases into the keychain and require an extra level of security - is this possible?

Cheers

Ben

Posted on Oct 5, 2014 2:52 PM

  • cmscss, Oct 5, 2014 3:00 PM, in response to cmscss

    Or does it ask for the passphrase after each Mac restart or logout/login?

  • etresoft, Oct 5, 2014 4:19 PM, in response to cmscss

    I suppose you could manually disable ssh-agent in launchd. Why would you want to do this?

  • cmscss, Oct 5, 2014 5:12 PM, in response to etresoft

    etresoft wrote:

    ...Why would you want to do this?

    Just didn't like the idea of open access to the root of our server without any kind of password. But I see now that it asks for the ssh key passphrase after logout or restart.

    Cheers

  • Drew Reece (Helpful), Oct 6, 2014 5:07 PM, in response to cmscss

    Disable root login over ssh on the server

    man sshd_config

         PermitRootLogin
                 Specifies whether root can log in using ssh(1).  The argument must be ``yes'',
                 ``without-password'', ``forced-commands-only'', or ``no''.  The default is ``yes''.

    Local users on the server can still su or sudo if they have credentials for that.

    'man ssh-agent' also has this nugget

         -t life
                 Set a default value for the maximum lifetime of identities added to the agent.  The lifetime
                 may be specified in seconds or in a time format specified in sshd_config(5).  A lifetime specified
                 for an identity with ssh-add(1) overrides this value.  Without this option the default
                 maximum lifetime is forever.

    I wonder if adding -t 0 to the args in the launchd job will set the timeout to nothing? Or maybe '-t 60' is enough to allow a slow connection to complete?

    It is located in /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist; you will want to unload the plist before you edit it.

    sudo launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

    edit the file, insert …

      <string>-t</string>
      <string>60</string>

    …into the program arguments.

    sudo launchctl load /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

    Software updates may undo this, but I think it is how you achieve what you desire.

    @Etresoft, does this seem reasonable to you?

    Let us know if it makes any difference!
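As an added example, not code posted in the thread: a small Python checker for the server-side fix Drew describes above. It reads an sshd_config, applies the rule sshd itself uses (the first occurrence of a keyword wins, keywords are case-insensitive, the global section ends at the first Match line) and reports what the effective PermitRootLogin value allows. The two sample configs are constructed for illustration, the weak one the thread warns about beside the hardened one. The "yes" default comes from the man page text quoted above; OpenSSH 7.0 and later default to prohibit-password instead, so pass that as the default when auditing a newer server.

```python
import re

# Constructed sample configs (not taken from the thread): the weak setting the
# thread warns about beside the hardened one Drew Reece and etresoft recommend.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
# Conditional overrides live in Match blocks; everything after the first
# Match line applies only to connections that satisfy its criteria.
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""


def global_option(config_text, keyword, default):
    """Return the value sshd would use for ``keyword`` in the global section.

    sshd_config(5) rules implemented here: keywords are case-insensitive,
    '#' starts a comment, a keyword and its value are separated by whitespace
    or by optional whitespace around a single '=', and the FIRST occurrence of
    a keyword wins (later duplicates are ignored).  The global section ends at
    the first Match line; values inside Match blocks are conditional and are
    deliberately not considered by this checker.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return default


# What each PermitRootLogin value allows, per the sshd_config(5) text quoted
# in the thread.  Newer OpenSSH spells "without-password" as "prohibit-password".
ROOT_LOGIN_MEANING = {
    "yes": "root may log in with a password or a key",
    "without-password": "root may log in with a key only",
    "prohibit-password": "root may log in with a key only",
    "forced-commands-only": "root may use a key only if it carries a command= option",
    "no": "root cannot log in over ssh",
}


def audit_root_login(config_text, default="yes"):
    """Return (value, ok, explanation) for PermitRootLogin.

    ``default`` is what sshd assumes when the option is absent: "yes" for the
    2014-era OpenSSH the thread discusses, "prohibit-password" from OpenSSH 7.0.
    ``ok`` is True only when root login over ssh is disabled outright, which is
    what the thread recommends.
    """
    value = global_option(config_text, "PermitRootLogin", default)
    meaning = ROOT_LOGIN_MEANING.get(
        value, "unrecognised value; sshd would refuse to start with this config")
    return value, value == "no", meaning


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_SSHD_CONFIG
    value, ok, meaning = audit_root_login(text)
    print(f"PermitRootLogin {value}: {meaning} -> {'OK' if ok else 'FIX'}")
```

Run it as `python3 check_root_login.py /etc/ssh/sshd_config` on the server; with no argument it audits the constructed weak sample. Because it stops at the first Match line, a Match block that re-enables root login for some address range will not be reported; read those blocks by hand.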

  • etresoft, Oct 6, 2014 5:59 PM, in response to Drew Reece

    I suppose so. But it would be better to deny any login as root except from the physical console. Require authorized users to sudo for root access like on OS X. Then you can go back to using ssh-agent as a convenience.

  • cmscss, Oct 6, 2014 6:11 PM, in response to etresoft

    Original poster here - sorry guys, I wasn't clear in my third post.

    I initially misunderstood the process and thought that after entering the passphrase once, OSX would never ask for it again.

    Now that I understand OSX will ask for the passphrase after sleep, user logout or reboot, I'm happy.

    Cheers

    Ben

  • cmscss, Oct 8, 2014 12:51 PM, in response to cmscss

    Hmm, it seems I was totally wrong - I was initially asked for my passphrase (I logged out/in) but now I'm never asked for it.

    I tried your suggestion as well as stuff from here: http://tim.vanwerkhoven.org/post/2011/11/17/OSX-launchd-and-launchctl-issues

    But whenever I try to unload the plist (as root or as a user) I see: "launchctl: Error unloading: org.openbsd.ssh-agent"

    Will keep investigating, but I'm pretty inexperienced with SSH so am not sure how it's all supposed to work - setting a timeout seems like a basic idea to me but there's very little info on it (unless I'm using the wrong search terms).

  • Drew Reece (Helpful), Oct 8, 2014 2:59 PM, in response to cmscss

    Apologies, the ssh-agent is run under the current user, so sudo is not required. I mistook the fact that it is stored in the system folder.

    launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

    That caused my ssh-agent to request the passphrase for a password-protected ssh key that was previously authorised.

    Note: you can list loaded jobs to see the state within launchctl;

    launchctl list

    shows the current user's jobs.

  • cmscss (Solved answer), Oct 8, 2014 3:43 PM, in response to Drew Reece

    Awesome Drew - that totally got it sorted!

    OSX doesn't ask for the passphrase via the GUI (as previously), which is not an issue, but otherwise it's exactly what I'm after.

    For anyone wondering, these are the steps that worked for me:

    • Open Terminal
    • Unload the ssh-agent.plist file (don't copy the $):
      $ launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
    • Edit the .plist file (must be done using sudo; you will be asked for your admin password):
      $ sudo nano /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
    • Add the time strings to the programme arguments so it looks like:

      <key>ProgramArguments</key>
        <array>
          <string>/usr/bin/ssh-agent</string>
          <string>-l</string>
          <string>-t</string>
          <string>10</string>
        </array>
    • Ctrl + X, then y, Enter to save the file
    • Load the ssh-agent.plist file:
      $ launchctl load /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

    I used a value of 10, which basically means it will always ask for the passphrase each time I connect to the server.

    Thanks heaps Drew, I've made my post the answer so it's super clear what to do in case anyone searches for this - hope you don't mind.

    Cheers

    Ben
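The plist edit from the solved answer above, as an added Python example rather than anything posted in the thread. It makes the same change with the standard-library plistlib instead of nano, replaces an existing -t pair rather than appending a second one (so running it twice is harmless), refuses to touch a plist whose ProgramArguments do not launch ssh-agent, and checks that the lifetime is in the format ssh-agent -t accepts (seconds, or the sshd_config(5) time format such as 10m or 1h30m). The embedded plist is a constructed stand-in that reproduces only the ProgramArguments shown in the answer; the real file has more keys, which pass through unchanged. The launchctl unload and load steps still have to be run around the edit exactly as in the answer. Note that from OS X 10.11 onward /System is protected by System Integrity Protection, so the in-place edit applies to the OS X releases the thread is about.

```python
import plistlib
import re

# Constructed stand-in for /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist.
# Only the ProgramArguments shown in the thread are reproduced; the real file
# carries further keys, which the helpers below pass through untouched.
SAMPLE_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.openbsd.ssh-agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/ssh-agent</string>
        <string>-l</string>
    </array>
</dict>
</plist>
"""

# ssh-agent -t accepts seconds or the sshd_config(5) time format: an integer
# with an optional s/m/h/d/w suffix, several of which may be concatenated (1h30m).
_LIFETIME_RE = re.compile(r"^(\d+[smhdwSMHDW]?)+$")


def valid_lifetime(lifetime):
    """True if ``lifetime`` is something ssh-agent -t will accept."""
    return bool(_LIFETIME_RE.match(str(lifetime)))


def program_arguments(plist_bytes):
    """Return the ProgramArguments list of a launchd plist."""
    return list(plistlib.loads(plist_bytes)["ProgramArguments"])


def agent_lifetime(plist_bytes):
    """Return the value following -t, or None when no lifetime is set.

    With no -t, ssh-agent keeps identities forever, which is the behaviour the
    thread observed after the first passphrase prompt.
    """
    args = program_arguments(plist_bytes)
    for i, arg in enumerate(args):
        if arg == "-t" and i + 1 < len(args):
            return args[i + 1]
    return None


def set_agent_lifetime(plist_bytes, lifetime):
    """Return the plist with ProgramArguments rewritten to run
    ``ssh-agent ... -t <lifetime>``.

    An existing -t pair is dropped before the new one is appended, so the edit
    is idempotent; every other argument (the -l in the thread) is kept.
    """
    lifetime = str(lifetime)
    if not valid_lifetime(lifetime):
        raise ValueError(f"bad lifetime {lifetime!r}; use seconds or e.g. 10m, 1h30m")
    plist = plistlib.loads(plist_bytes)
    args = plist["ProgramArguments"]
    if not args or not args[0].endswith("ssh-agent"):
        raise ValueError("ProgramArguments does not launch ssh-agent; refusing to edit")
    kept, skip_next = [], False
    for arg in args:
        if skip_next:          # this is the value that belonged to a previous -t
            skip_next = False
            continue
        if arg == "-t":
            skip_next = True
            continue
        kept.append(arg)
    plist["ProgramArguments"] = kept + ["-t", lifetime]
    return plistlib.dumps(plist)


def apply_to_file(path, lifetime):
    """Rewrite the plist at ``path`` in place.

    As the thread worked out: run 'launchctl unload <path>' as the login user
    first (the agent is a per-user job), do the edit with sudo because the file
    is root-owned, then 'launchctl load <path>'.
    """
    with open(path, "rb") as fh:
        updated = set_agent_lifetime(fh.read(), lifetime)
    with open(path, "wb") as fh:
        fh.write(updated)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        apply_to_file(sys.argv[1], sys.argv[2])
    else:
        # Dry run against the constructed sample: shows the resulting arguments.
        print(program_arguments(set_agent_lifetime(SAMPLE_AGENT_PLIST, 60)))
```

Usage on the machine in question would be `launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist`, then `sudo python3 agent_lifetime.py /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist 10`, then `launchctl load` of the same path. The lifetime only governs keys added to this agent; as etresoft notes later in the thread, applications that do not go through the launchd agent are unaffected.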

  • Drew Reece, Oct 8, 2014 4:01 PM, in response to cmscss

    No problem, I'm glad it's sorted

  • cmscss, Oct 13, 2014 12:27 PM, in response to Drew Reece

    Have had to turn this off because it seems to break something with the keychain which stops third-party apps (like the Querious MySQL app) from authenticating via the key.

    It just seems weird that if you don't tick to save the passphrase into your keychain, OSX saves and enters the passphrase automatically anyway?

  • etresoft, Oct 13, 2014 4:06 PM, in response to cmscss

    cmscss wrote:

    It just seems weird that if you don't tick to save the passphrase into your keychain, OSX saves and enters the passphrase automatically anyway?

    No. That's just the way ssh-agent works. Perhaps if you could elaborate more on what you are trying to accomplish at a high level, we could provide better assistance.

  • cmscss, Oct 13, 2014 4:14 PM, in response to etresoft

    etresoft wrote:

    No. That's just the way ssh-agent works. Perhaps if you could elaborate more on what you are trying to accomplish at a high level, we could provide better assistance.

    OK, I didn't realise this - everything we'd read (even on Linux) indicated that if you didn't want to be asked for a passphrase each time, don't enter a passphrase. So I guess we assumed that if we entered a passphrase, we'd be asked for it?

    From a high level, we'd just like OSX to ask for the passphrase each time it connects using the key.

    We were able to achieve this for Terminal (with the time-out strings) but it doesn't seem like other apps use (or understand) the plist, because it only works in Terminal.

    Does that make sense?

  • etresoft, Oct 13, 2014 7:27 PM, in response to cmscss

    That advice from the Linux world concerns adding a passphrase to your private ssh key. That isn't normally done on Linux and the standard advice is to not include a passphrase because it is such a hassle to use ssh-agent. The OS X keychain is essentially an easy-to-use ssh agent. You can do the same thing on Linux, but you would have to enter your passphrase each time you started ssh-agent. The OS X keychain stores your passphrase so you only have to enter it once.

    The only way to have what you describe would be to disable ssh-agent. You can do that, but that gets us right back to where we started with your concern about "open access to the root of our server without any kind of password". That is a server problem, not an OS X problem. How does one get to the root of your server? If it involves anything less complicated than ssh > su admin > sudo /path/to/root/script then you are doing the server wrong. Only standard users should have access to your server. Those standard users may be able to su into a sudoer, if they know the password for said sudoer user. Only then can they act as root with the root password or an appropriately configured sudo.
