Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Force SSH Passphrase

Ambrosia7177

Ambrosia7177

macrumors 68020
Original poster
Feb 6, 2016
2,078
396
I am using my personal MacBook to connect to a server at work using SSH.

I am also using public/private key authentication so no password needs to be entered. However, for extra security, I did add pass-phrase to the private key on my MacBook.

The problem is that the first time I SSH'ed into the server I got a pop-up window asking me for my pass-phrase, but after that I don't get the prompt, and I want to be prompted for it every time!!

Someone told me this is a caching issue on my MacBook.

Any ideas?
 
I believe ssh-agent is caching your private key passphrase locally. If you quit Terminal, iTerm, or whatever terminal application you use, *after* you ssh to a server using your private key (and entering your password), relaunch and ssh to that same server again and see if it prompts you again for the private key passphrase.

Note: ssh-agent is tied to OS X keychain, so if you save your private key passphrase to the keychain, you'll never get prompted for your private key passphrase as long as the keychain is unlocked.
 
ocabj said:
I believe ssh-agent is caching your private key passphrase locally. If you quit Terminal, iTerm, or whatever terminal application you use, *after* you ssh to a server using your private key (and entering your password), relaunch and ssh to that same server again and see if it prompts you again for the private key passphrase.

Note: ssh-agent is tied to OS X keychain, so if you save your private key passphrase to the keychain, you'll never get prompted for your private key passphrase as long as the keychain is unlocked.
Click to expand...

I just SSH'ed into the server and did get a pop-up asking for my private key passphrase - this is good.

However, when I quit out of Terminal, and tried it a second time, it did not ask for my private key passphrase, which to me, is bad. (I like the reassurance that it is asking everytime and that it is working everytime!)

I did not save things to my keychain.

It would seem that Terminal (or OS-X) is caching my passphrase until I reboot my laptop.

Can I change this to get the behavior I want?

I looked through Terminal Preferences but didn't see anything obvious.
 
Well, I just created a new public+private keypair with a passphrase and added the pub key to the authorized keys on one of my vps'es. It appears to be a Keychain issue.

I ssh'ed in, entered my passphrase and got in. I logged out and ssh'ed in again and no passphrase prompt. I locked the Keychain and ssh'ed back in and it asked for my passphrase.

So it appears Keychain is caching, even if you don't save your private key passphrase to the keychain. You might have to go through some manpages and figure out a mitigation for this.
[doublepost=1460643719][/doublepost]Quick follow up:

ssh-add -D will delete the cached passphrase session.

Code: 
$ ssh-add -D
All identities removed.
 
ocabj said:
Well, I just created a new public+private keypair with a passphrase and added the pub key to the authorized keys on one of my vps'es. It appears to be a Keychain issue.

I ssh'ed in, entered my passphrase and got in. I logged out and ssh'ed in again and no passphrase prompt. I locked the Keychain and ssh'ed back in and it asked for my passphrase.

So it appears Keychain is caching, even if you don't save your private key passphrase to the keychain. You might have to go through some manpages and figure out a mitigation for this.
[doublepost=1460643719][/doublepost]Quick follow up:

ssh-add -D will delete the cached passphrase session.

Code: 
$ ssh-add -D
All identities removed.
Click to expand...

Yep, that command temporarily fixed the problem.

Does anyone know how to fix this issue permanently so I don't have to type in that command every time I SSH in?
 
Read the manpages ss
Texas_Toast said:
Yep, that command temporarily fixed the problem.

Does anyone know how to fix this issue permanently so I don't have to type in that command every time I SSH in?
Click to expand...

Did you look at the manpages for ssh-add and ssh-agent. Try the -t parameter and see if that works and add a corresponding line to your shell init script.
 
ocabj said:
Read the manpages ss


Did you look at the manpages for ssh-add and ssh-agent. Try the -t parameter and see if that works and add a corresponding line to your shell init script.
Click to expand...

I don't know how to look at the man pages.
 
The 'ssh' client uses the environment variable SSH_AUTH_SOCK to learn how to communicate with the SSH agent. If you unset that environment variable, then that shell can no longer use ssh-agent. So assuming you are using the default bash shell you can enter this command to turn off set environment variable.

Code: 
unset SSH_AUTH_SOCK

After that, you will get prompted for the passphrase every time. If you wish to make it permanent, you can add it to your .bashrc file or something like that.
 
Per mfram's suggestion, you can disable SSH's interaction with keychain but you need to consider if this is really desirable. Every time you type in that SSH passphrase on the keyboard is a chance for it to be intercepted by keylogger or other surveillance. Therefore, it may be equally secure to allow Keychain to store it for you yet lock down the security settings for your Mac and/or Keychain settings to increase overall security Mac instead.
 
IHelpId10t5 said:
Per mfram's suggestion, you can disable SSH's interaction with keychain but you need to consider if this is really desirable. Every time you type in that SSH passphrase on the keyboard is a chance for it to be intercepted by keylogger or other surveillance. Therefore, it may be equally secure to allow Keychain to store it for you yet lock down the security settings for your Mac and/or Keychain settings to increase overall security Mac instead.
Click to expand...

From what I read, it sounds like when I SSH in, the passphrase for my private key gets stored by ssh-agent in memory.

Is that secure? Sounds like it would be very easy to hack.

I thought it was safer to memorize all passwords/passphrases versus storing them on your computer?

If I told OS-X to save my passphrase in my keychain, how could I ensure that someone doesn't get it?

My thinking was that, "You can't steal what is not stored"
 
I'm not sure how ssh-agent handles the exchange of passphrases between keychain and SSH but I have some trust that some smart Apple engineers have taken care of doing it in a reasonably secure manner. I personally would think that a keylogger would be a larger threat and therefore typing your passphrase frequently would create a greater exposure. Realistically though, if someone has enough access to you Mac to steal both your private key and also has access to hack ssh-agent or scrape memory, you would already be toast. Maybe some others will weigh in on what they think the relative risks are.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back