Hi There,
Title says it all really - is there a way to force OSX to ask for a ssh passphrase each time it's accessed?
We haven't ticked the option to save passphrases into the keychain and require an extra level of security - is this possible?
Cheers
Ben
Unfortunately, El Capitan has come along and broken this solution:
1) You can no longer unload ssh-agent:
# launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
/System/Library/LaunchAgents/org.openbsd.ssh-agent.plist: Operation not permitted while System Integrity Protection is engaged
2) You can't edit the org.openbsd.ssh-agent.plist even as root, also because of SIP, so no way to add a timeout value to the storing of the key.
3) You can't disable it from starting due to the above.
Only thing I've been able to do is set a cron job to run 'ssh-add -D' every few minutes so any key that gets added to ssh-agent gets removed a few minutes later so I'll have to password decrypt it again on next use.
If you want to edit SIP protected files don't you just boot into recovery mode, disable SIP, tweak the files and then re-enable SIP?
I don't have 10.11 running so I may be wrong, but it strikes me as a potential solution?
Look at the posts discussing crsutil for more info.
Ah; will research. Will that survive updates, etc.?
Changes to the *nix tools can survive some updates however I tend to read the release notes to see if they mention tools I may have tweaked.
Normally it is apparent after the update & things misbehave again🙂
How to force OSX to ask for ssh key passphrase each time?
