Hi There,
Title says it all really - is there a way to force OSX to ask for a ssh passphrase each time it's accessed?
We haven't ticked the option to save passphrases into the keychain and require an extra level of security - is this possible?
Cheers
Ben
Or does it ask for the passphrase after each Mac restart or logout/login?
I suppose you could manually disable ssh-agent in launchd. Why would you want to do this?
etresoft wrote:
...Why would you want to do this?
Just didn't like the idea of open access to the root of our server without any kind of password. But I see now that it asks for the ssh key pasphrase after logout or restart.
Cheers
Disable root login over ssh on the server 🙂
man sshd_config
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be ``yes'',
``without-password'', ``forced-commands-only'', or ``no''. The default is ``yes''.
Local users on the server can still su or sudo if they have credentials for that.
'man ssh-agent' also has this nugget
-t life
Set a default value for the maximum lifetime of identities added to the agent. The lifetime
may be specified in seconds or in a time format specified in sshd_config(5). A lifetime speci-
fied for an identity with ssh-add(1) overrides this value. Without this option the default
maximum lifetime is forever.
I wonder if adding -t 0 to the args in the launchd job will set the timeout to nothing? Or maybe '-t 60' is enough to allow a slow connection to complete?
It is located in /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist you will want to unload the plist before you edit it.
sudo launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
edit the file, insert …
<string>-t</string>
<string>60</string>
…into the program arguments.
sudo launchctl load /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
Software updates may undo this, but I think it is how you achieve what you desire
@Etresoft, does his seem reasonable to you?
Let us know if it makes any difference!
I suppose so. But it would be better to deny any login as root except from the physical console. Require authorized users to sudo for root access like on OS X. Then you can go back to using ssh-agent as a convenience.
Original poster here - sorry guys, I wasn't clear in my third post.
I initially misunderstood the process and thought that after entering the passphrase once, OSX would never ask for it again.
Now that I understand OSX will ask for the passphrase after sleep, user logout or reboot, I'm happy.
Cheers
Ben
Hmm, it seems I was totally wrong - I was initially asked for my passphrase (I logged out/in) but now I'm never asked for it.
I tried your suggestion as well as stuff from here:http://tim.vanwerkhoven.org/post/2011/11/17/OSX-launchd-and-launchctl-issues
But whenever I try to unload the plist (as root or as a user) I see: "launchctl: Error unloading: org.openbsd.ssh-agent"
Will keep investigating but I'm pretty inexperienced with SSH so am not sure how it's all supposed to work - setting a timeout seems like a basic idea to me but there's very little info on it (unless I'm using the wrong search terms).
Apologies, the ssh-agent is run under the current user, so sudo is not required. I mistook the fact that it is stored in the system folder.
launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
That caused my ssh-agent to request the passphrase for a password protected ssh-key that was previously authorised.
Note: you can list loaded jobs to see the state within launchctl
launchctl list
shows the current user's jobs
Awesome Drew - that totally got it sorted!
OSX doesn't ask for the passphrase via the GUI (as per previously) which is not an issue but otherwise it's exactly what I'm after.
For anyone wondering, these are the steps that worked for me:
$ launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
Edit the .plist file (must be done using sudo, upi will be asked for your admin password):
$ sudo nano /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
Add the time strings to the programme arguments so it looks like:
…
<key>ProgramArguments</key>
<array>
<string>/usr/bin/ssh-agent</string>
<string>-l</string>
<string>-t</string>
<string>10</string>
</array>
…
$ launchctl load /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
I used a value of 10 which basically means it will always ask for the passphrase each time I connect to the server
Thanks heaps Drew, I've made my post the answer so it's super clear what to do incase anyone searches for this - hope you don't mind.
Cheers
Ben
No problem, I'm glad it's sorted 🙂
Have had to turn this off because it seems to break something with the keychain which stops third-party apps (like the Querious MySQL app) from authenticating via the key.
It just seems weird that if you don't tick to save the passphrase into your keychain, OSX saves and enters the passphrase automatically anyway?
cmscss wrote:
It just seems weird that if you don't tick to save the passphrase into your keychain, OSX saves and enters the passphrase automatically anyway?
No. That's just the way ssh-agent works. Perhaps if you could elaborate more on what you are trying to accomplish at a high level, we could provide better assistance.
etresoft wrote:
No. That's just the way ssh-agent works. Perhaps if you could elaborate more on what you are trying to accomplish at a high level, we could provide better assistance.
OK, I didn't realise this - everything we'd read (even on linux) indicated that if you didn't want to be asked for a passphrase each time, don't enter a passphrase. So I guess we assumed that if we entered a passphrase, we'd be asked for it?
From a high level, we'd just like OSX to ask for the passphrase each time it connects using the key.
We were able to achieve this for Terminal (with the time out strings) but it doesn't seem like other apps use (or understand) the plist because it only works in Terminal.
Does that make sense?
That advice from the Linux world concerns adding a passphrase to your private ssh key. That isn't normally done on Linux and the standard advice is to not include a passphrase because it is such a hassle to use ssh-agent. The OS X keychain is essentially an easy-to-use ssh agent. You can do the same thing on Linux, but you would have to enter your passphrase each time you started ssh-agent. The OS X keychain stores your passphrase so you only have to enter it once.
The only way to have what you describe would be to disable ssh-agent. You can do that but that gets us right back to where we started with your concern about "open access to the root of our server without any kind of password". That is a server problem, not an OS X problem. How does one get to the root of your server? If it involves anything less complicated than ssh > su admin > sudo /path/to/root/script then you are doing the server wrong. Only standard users should have access to your server. Those standard users may be able to su into a sudoer, if they know the password for said sudoer user. Only then can they act as root with the root password or an appropriately configured sudo.
I do wonder if you should disable ssh-agent and try creating another key for Querious usage.
You can restrict what specific keys can do on servers by entering options in the authorised_keys file.
http://www.wallix.org/2011/10/18/restricting-remote-commands-over-ssh/ & RTM 🙂
Would you be OK with a passwordless key for Querious that was limited to running sql only?
I do have to agree with etresoft, it does feel like you are chasing solutions to a problem created by the issue of having root access open to ssh.
How to force OSX to ask for ssh key passphrase each time?
