Force ask for ssh key passphrase

I've been working on this as well. Apple recently dropped most of OpenSSL and has implemented a lot of it themselves. That is likely why you are getting the error when trying to unload the agent. I'm assuming you could force the ssh-agent to unload but it would require hacking your system security settings.

In terms of the SSH passphrase, I believe what is happening is that OS X is saving your passphrase somewhere. I think it might be in the Keychain, but I haven't been able to figure it out. I deleted all of the passwords in my keychain that had "RSA" in the names and somehow they are magically being recreated.

However, I did find a command that will remove the passphrase form the keychain. Run this:

$ ssh-add -Kd ~/.ssh/id_rsa

This removes the key from the ssh-agent and also removes the passphrase from the keychain. You can add the key back to the agent and NOT store the passphrase in the keychain using this command:

$ ssh-add ~/.ssh/id_rsa

You can also run this command to add the key to the agent and store the passphrase in the keychain:

$ ssh-add -K ~/.ssh/id_rsa

Hope that helps.

-- Brian

unixben66 wrote:

Is there any other way to force ssh to ask for a passphrase every time as i think it is very insecure to have a private key on my mac if not.

The file is as secure as your user account…

I believe Brian is correct, the password is in the keychain saved in an encrypted form. Your user account password can decrypt that by default, so it really depends on how secure that password is. If the Mac is found the ssh key can only be used if the user can login, decrypt the keychain or has the ssh passphrase. Use a good password on your account and/ or use FileVault to add even better security.

That error just means your key is in a different file. The commands I gave you are just examples if you are using the standard RSA key location. Just figure out the path to your private key file and replace ~/.ssh/id_rsa with you path.

Read the fine manual…

https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPag es/man1/ssh-add.1.html

or man ssh-add…

-d Instead of adding identities, removes identities from the agent. If ssh-add has been run with-

out arguments, the keys for the default identities and their corresponding certificates will be

removed. Otherwise, the argument list will be interpreted as a list of paths to public key

files to specify keys and certificates to be removed from the agent. If no public key is found

at a given path, ssh-add will append .pub and retry.

Notice how it refers to public keys, aren't you providing a private one? Try again with id_rsa.pub or remove the argument & it will search for the default ones, which yours seems to be.

That's definitely the command telling you that the file doesn't exist. Here's what I typed and it worked fine for me:

bpontarelli@Brians-MacBook-Pro ~/d/i/c/cleanspeak-filter[master:]> ssh-add -Kd ~/.ssh/id_rsa

Identity removed: /Users/bpontarelli/.ssh/id_rsa (bpontarelli@Brians-iMac.local)

Here's how I add it back:

bpontarelli@Brians-MacBook-Pro ~/d/i/c/cleanspeak-filter[master:]> ssh-add -K ~/.ssh/id_rsa

Enter passphrase for /Users/bpontarelli/.ssh/id_rsa:

Identity added: /Users/bpontarelli/.ssh/id_rsa (/Users/bpontarelli/.ssh/id_rsa)

The ssh-add command works on private keys because those are what are stored in the SSH agent. However, it will also use the public keys for some options. The -d option can either take a public key or a private key. If it is a private key, the command assumes that the public key has the same name plus the .pub extension.

You are correct though, if you leave out the argument, it will use the default keys, but those are named ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, which is the same as supplying either of those paths to the -d option. Though, if you are using DSA, ECDSA or ED25519, those will have different file names. RSA is generally what most people use for their default keys though.

unixben66 wrote:

This dosent appear to be anything to do with permissions, but just going to post this here to prove and rule it out.

Um, shouldn't you have a public file next to the private one?

I just moved the public key as a test (when the agent already had it added)…

$ ssh-add -d

Bad key file /Users/user1/.ssh/id_rsa

Move it back & it works.

Post a bug report if you really want but this is exactly the same on 10.9.5. I'm not convinced this is part of Apples 'anti-GPL migration' as it appears OpenSSL may be under the Apache licence. In all honesty licenses bore me & I neither have the time or inclination to read up on them so perhaps you know more than me.

Re-read the manual -d only lists 'public key' I doubt it will work without one.

If you want to get brutal simply use -D, it works with only a private key, it is unclear if that removes the password from the keychain when used with -k (I don't want to lose my keychain based password).

Hello Ben,

Your passphrase is automatically stored in the keychain. You can turn this off by adding the following line to your ~/.ssh/config file:

UseKeychain no

See "man ssh_config" for additional options. Apparently the man page is wrong and this is a bug. See https://openradar.appspot.com/28394826

You should then probably remove any existing passphrase in your keychain.

OpenSSL and OpenSSH are two different technologies. OpenSSL is a lower-level, general-purpose security and encryption library. OpenSSH is strictly about SSH connections. Neither is related to the GPL issues. Although OpenSSL is ubiquitous in the Linux community, it has historically been under-funded and under-developed. After the recent "heartbleed" exploit, OpenSSL gained more funding and was able to triple its count of full-time developers - to a total of 3 people. Apple's decision to implement its own security library was a good one. If everyone uses the same library, then everyone is at risk for the same bugs. Apple still recommends that developers use OpenSSL, in addition to its own security libraries, to further enhance the security of apps. By comparison, Apple stays very close to the mainline OpenSSH libraries and Sierra improves this significantly.

Hello again Ben,

I don't think ssh-agent is the same as the Keychain. Conceptually they serve the same purpose on macOS, but they aren't the same. You could test this by trying to run the real ssh-agent with the Keychain option disabled and see if ssh-agent works as it should without the keychain.

That isn't quite right about the SQLite database. That SQLite database is the keychain. It is just that Apple appears to create some entries for its own use only. So my advice above regarding removing the passphrase from the keychain will not work, because you don't have access to it. I don't recommend using that SQL option because you don't know what other tables may be linked to that row. You could corrupt your keychain doing that. I'm afraid this is pretty much the new normal for Apple.

I guess we should write new bug reports on this specific issue. In El Capitan and before, OS X would add a readable entry to your keychain like "SSH: /Users/jdaniel/.ssh/id_dsa". It was pretty easy to see and delete if necessary. Now it is hidden. I tried to hack it to get it to appear in the user interface but failed.