
ssh remembering passphrases

Before upgrading to Sierra, the first time I ran an ssh command each day, it would ask for my passphrase and store the key, making it usable by other ssh processes, anywhere I'm logged in, thanks to "agent forwarding". This is what I'm used to, and is identical to how things work on my other workstation (which runs Linux.)


After upgrading to Sierra, my SSH keys' passphrases are somehow being "remembered", but not by ssh-agent. I am able to ssh from my laptop directly into any of the servers I manage, without being asked for a passphrase, but because the agent does not contain any keys (i.e. "ssh-add -l" returns "The agent has no identities."), I am not able to ssh from that server into another server, which also makes "scp" and "git" commands not work, until I go back to the laptop itself and run "ssh-add".


I've tried using "Keychain Access" to find and delete the item containing the passphrase, but none of the items in any of my keychain files (login, iCloud, System, or System Roots) contain "ssh" anywhere in their titles. I've also tried "ssh-add -K -D" and "ssh-add -K -d /Users/xxx/.ssh/id_rsa". Neither command appears to have any effect, they are not clearing wherever the passphrases are stored.


The output from "ssh -vvv server1" contains the following:


debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/xxx/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp SHA256:m59cRsLlMQHZk1KlO5fJNlaYBhCIyrE3eF4YaX/+q/A
debug3: sign_and_send_pubkey: RSA SHA256:m59cRsLlMQHZk1KlO5fJNlaYBhCIyrE3eF4YaX/+q/A
debug3: Search for item with query: {
    acct = "/Users/xxx/.ssh/id_rsa";
    agrp = "com.apple.ssh.passphrases";
    class = genp;
    labl = "SSH: /Users/xxx/.ssh/id_rsa";
    nleg = 1;
    "r_Data" = 1;
    svce = OpenSSH;
}
debug2: using passphrase from keychain
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to server1 ([192.168.1.209]:22).


How can I make ssh NOT remember the passphrases for my keys?

Posted on Sep 26, 2016 7:29 AM

Question marked as Top-ranking reply

Posted on Oct 3, 2016 6:01 AM

Thanks to http://apple.stackexchange.com/questions/253779/macos-10-12-sierra-will-not-forget-my-ssh-keyfile-passphrase I found that the passphrase is stored in ~/Library/Keychains/{UUID}/keychain-2.db, rather than in the keychain. This is an sqlite3 file, and the item containing the passphrases can be removed with the following query:

$ sqlite3 ~/Library/Keychains/*/keychain-2.db
sqlite> delete from genp where agrp='com.apple.ssh.passphrases' ;
sqlite> .q
$

The problem is, the next ssh command I type asks for the passphrase, and stores it back in the same file again.


How do I prevent ssh from storing my passphrases at all?

4 replies

Oct 13, 2016 4:21 PM in response to John Simpson

I was able to find two options which, when used together in your "~/.ssh/config" file, will restore the previous (and what I consider to be the correct) behaviour:


UseKeychain No - Makes ssh NOT store the passphrases in the keychain (or whatever this sqlite3 file is... I find it rather strange that the items in this file don't show up in "Keychain Access". Maybe that's a bug in Keychain Access?)

Also, note that this option is not documented in "man ssh_config" (where it should be.)

AddKeysToAgent Yes - Makes ssh automatically add the key (not its passphrase, but the key itself) to the ssh-agent process.


To illustrate, I have the following added to the end of my ~/.ssh/config file:


Host *
    UseKeychain no
    AddKeysToAgent yes


And now, the first time I ssh into a server after rebooting the laptop, (1) it adds the key to the agent, and (2) it does NOT store the passphrase in the keychain, or in this other sqlite file.
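A small audit script, added here and not part of the thread, that ties the two findings above together: it reads an ssh_config and reports whether UseKeychain is set to no and AddKeysToAgent to yes (first occurrence wins, as in ssh's own "first obtained value" rule; Host blocks are not evaluated, so it assumes the settings sit under Host *), and it counts, read-only, the genp rows with agrp com.apple.ssh.passphrases in keychain-2.db when sqlite3 and that file are present. The sample config it audits is constructed.

```shell
#!/bin/sh
# Audit the two ~/.ssh/config settings from the thread and, read-only,
# count passphrase items cached in the keychain sqlite file.

# Print the effective value of an ssh_config keyword, lower-cased.
# Mirrors ssh's "first obtained value wins" rule; accepts "Key value"
# and "Key=value" forms and skips comments. Host blocks are ignored.
config_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[ \t]+/, "", line)
          if (line ~ /^#/ || line == "") next
          split(line, f, "[ \t=]+")
          if (tolower(f[1]) == key) { print tolower(f[2]); exit } }' "$1"
}

# Print "ok" and return 0 when both settings match the thread's fix;
# otherwise explain each deviation and return 1.
audit_ssh_config() {
    usekeychain=$(config_value "$1" UseKeychain)
    addkeys=$(config_value "$1" AddKeysToAgent)
    status=0
    if [ "$usekeychain" != "no" ]; then
        echo "UseKeychain=${usekeychain:-unset}: ssh will cache passphrases in the keychain"
        status=1
    fi
    if [ "$addkeys" != "yes" ]; then
        echo "AddKeysToAgent=${addkeys:-unset}: keys will not be loaded into ssh-agent"
        status=1
    fi
    if [ "$status" -eq 0 ]; then echo "ok"; fi
    return "$status"
}

# Count cached passphrase items (select only, nothing is deleted).
# Prints "n/a" when the file or sqlite3 is absent, e.g. off macOS.
count_cached_passphrases() {
    set -- "$HOME"/Library/Keychains/*/keychain-2.db
    if [ ! -f "$1" ] || ! command -v sqlite3 >/dev/null 2>&1; then
        echo "n/a"; return 0
    fi
    sqlite3 "$1" "select count(*) from genp where agrp='com.apple.ssh.passphrases';"
}

# Constructed sample config (not a real user's file) for a stand-alone run.
sample=$(mktemp)
printf 'Host *\n    UseKeychain no\n    AddKeysToAgent yes\n' > "$sample"
audit_ssh_config "$sample"      # prints "ok"
count_cached_passphrases        # item count on macOS, "n/a" elsewhere
rm -f "$sample"
```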

Nov 5, 2016 4:24 PM in response to John Simpson

An additional issue I found that is related to this: when UseKeychain is still yes (the default), ssh will hang in the following scenario:

- While being logged in (GUI) as user 'foo' open a Terminal.app window
- Use the 'login bar' command in that window to login to user 'bar' in a shell
- Try to use ssh as user 'bar'. This hangs on the keychain behaviour


Hanging does not occur in pure tty logins, e.g. ssh into a system and then out of it works. Apparently, when the GUI is not present in the process group or something to that effect, the UseKeychain setting is ignored.
