cmscss
Level 1 (20 points)
iBooks

Q: How to force OSX to ask for ssh key passphrase each time?

Hi There,

 

Title says it all really - is there a way to force OSX to ask for a ssh passphrase each time it's accessed?

 

We haven't ticked the option to save passphrases into the keychain and require an extra level of security - is this possible?

 

Cheers

 

Ben

Posted on Oct 5, 2014 2:52 PM

by cmscss,Solvedanswer
cmscss cmscss
Level 1 (20 points)
iBooks
A:

Awesome Drew - that totally got it sorted!

 

OSX doesn't ask for the passphrase via the GUI (as per previously) which is not an issue but otherwise it's exactly what I'm after.

 

 

For anyone wondering, these are the steps that worked for me:

  • Open Terminal
  • Unload the ssh-agent.plist file (don't copy $):
$ launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
  • Edit the .plist file (must be done using sudo, upi will be asked for your admin password):
$ sudo nano /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
  • Add the time strings to the programme arguments so it looks like:

<key>ProgramArguments</key>
  <array>
    <string>/usr/bin/ssh-agent</string>
    <string>-l</string>
    <string>-t</string>
    <string>10</string>
  </array>
  • CTR + X then y enter to save the file
  • Load the the ssh-agent.plist file:
$ launchctl load /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

 

 

I used a value of 10 which basically means it will always ask for the passphrase each time I connect to the server

 

Thanks heaps Drew, I've made my post the answer so it's super clear what to do incase anyone searches for this - hope you don't mind.

 

Cheers

 

Ben

Posted on Oct 8, 2014 3:43 PM

Close
cmscss

Q: How to force OSX to ask for ssh key passphrase each time?

  • All replies
  • Helpful answers

Previous Page 2

  • by Drew Reece,

    Drew Reece Drew Reece Oct 13, 2014 10:04 PM in response to cmscss
    Level 5 (7,490 points)
    Notebooks
    Oct 13, 2014 10:04 PM in response to cmscss

    I do wonder if you should disable ssh-agent and try creating another key for Querious usage.

     

    You can restrict what specific keys can do on servers by entering options in the authorised_keys file.

    http://www.wallix.org/2011/10/18/restricting-remote-commands-over-ssh/ & RTM

    Would you be OK with a passwordless key for Querious that was limited to running sql only?

     

    I do have to agree with etresoft, it does feel like you are chasing solutions to a problem created by the issue of having root access open to ssh.

  • by ispcolohost,

    ispcolohost ispcolohost Sep 7, 2016 4:23 PM in response to cmscss
    Level 1 (9 points)
    Mac OS X
    Sep 7, 2016 4:23 PM in response to cmscss

    Unfortunately, El Capitan has come along and broken this solution:

     

    1) You can no longer unload ssh-agent: 

    # launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

    /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist: Operation not permitted while System Integrity Protection is engaged
    2) You can't edit the org.openbsd.ssh-agent.plist even as root, also because of SIP, so no way to add a timeout value to the storing of the key.

    3) You can't disable it from starting due to the above.

     

    Only thing I've been able to do is set a cron job to run 'ssh-add -D' every few minutes so any key that gets added to ssh-agent gets removed a few minutes later so I'll have to password decrypt it again on next use.

  • by Drew Reece,

    Drew Reece Drew Reece Sep 7, 2016 4:29 PM in response to ispcolohost
    Level 5 (7,490 points)
    Notebooks
    Sep 7, 2016 4:29 PM in response to ispcolohost

    If you want to edit SIP protected files don't you just boot into recovery mode, disable SIP, tweak the files and then re-enable SIP?

     

    I don't have 10.11 running so I may be wrong, but it strikes me as a potential solution?

     

    Look at the posts discussing crsutil for more info.

  • by ispcolohost,

    ispcolohost ispcolohost Sep 7, 2016 4:30 PM in response to Drew Reece
    Level 1 (9 points)
    Mac OS X
    Sep 7, 2016 4:30 PM in response to Drew Reece

    Ah; will research.  Will that survive updates, etc.?

  • by Drew Reece,

    Drew Reece Drew Reece Sep 7, 2016 5:05 PM in response to ispcolohost
    Level 5 (7,490 points)
    Notebooks
    Sep 7, 2016 5:05 PM in response to ispcolohost

    Changes to the *nix tools can survive some updates however I tend to read the release notes to see if they mention tools I may have tweaked.

    Normally it is apparent after the update & things misbehave again

Previous Page 2