Force SSH Passphrase

Discussion in 'Mac Basics and Help' started by Texas_Toast, Apr 13, 2016.

  1. Texas_Toast macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #1
    I am using my personal MacBook to connect to a server at work using SSH.

    I am also using public/private key authentication so no password needs to be entered. However, for extra security, I did add pass-phrase to the private key on my MacBook.

    The problem is that the first time I SSH'ed into the server I got a pop-up window asking me for my pass-phrase, but after that I don't get the prompt, and I want to be prompted for it every time!!

    Someone told me this is a caching issue on my MacBook.

    Any ideas?
     
  2. ocabj macrumors 6502a

    ocabj

    Joined:
    Jul 2, 2009
    #2
    I believe ssh-agent is caching your private key passphrase locally. If you quit Terminal, iTerm, or whatever terminal application you use, *after* you ssh to a server using your private key (and entering your password), relaunch and ssh to that same server again and see if it prompts you again for the private key passphrase.

    Note: ssh-agent is tied to OS X keychain, so if you save your private key passphrase to the keychain, you'll never get prompted for your private key passphrase as long as the keychain is unlocked.
     
  3. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #3
    I just SSH'ed into the server and did get a pop-up asking for my private key passphrase - this is good.

    However, when I quit out of Terminal, and tried it a second time, it did not ask for my private key passphrase, which to me, is bad. (I like the reassurance that it is asking every time and that it is working every time!)

    I did not save things to my keychain.

    It would seem that Terminal (or OS-X) is caching my passphrase until I reboot my laptop.

    Can I change this to get the behavior I want?

    I looked through Terminal Preferences but didn't see anything obvious.
     
  4. ocabj macrumors 6502a

    ocabj

    Joined:
    Jul 2, 2009
    #4
    Well, I just created a new public+private keypair with a passphrase and added the pub key to the authorized keys on one of my VPSes. It appears to be a Keychain issue.

    I ssh'ed in, entered my passphrase and got in. I logged out and ssh'ed in again and no passphrase prompt. I locked the Keychain and ssh'ed back in and it asked for my passphrase.

    So it appears Keychain is caching, even if you don't save your private key passphrase to the keychain. You might have to go through some manpages and figure out a mitigation for this.
    --- Post Merged, Apr 14, 2016 ---
    Quick follow up:

    ssh-add -D will delete the cached passphrase session.

    Code:
    $ ssh-add -D
    All identities removed.
     
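A way to check what the agent is holding and to confirm that a flush actually worked, as an added example (mine, not ocabj's or the thread's). It relies on the exit status of `ssh-add -l` as documented in ssh-add(1): 0 when identities are loaded, 1 when the agent is reachable but empty, 2 when no agent can be contacted. The function names are this example's own.

```shell
#!/bin/sh
# Added example: inspect and flush the identities ssh-agent caches.
# Function names (agent_state, agent_count, flush_agent) are this example's own.

# Classify the agent using the exit status of `ssh-add -l`
# (documented in ssh-add(1)): 0 = identities loaded, 1 = agent reachable but
# empty, 2 = no agent reachable (SSH_AUTH_SOCK unset or pointing nowhere).
agent_state() {
    command -v ssh-add >/dev/null 2>&1 || { echo "no-ssh-add"; return 0; }
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "loaded" ;;
        1) echo "empty" ;;
        2) echo "no-agent" ;;
        *) echo "unknown" ;;
    esac
}

# Number of identities the agent currently holds (0 when none or no agent).
agent_count() {
    if [ "$(agent_state)" = "loaded" ]; then
        ssh-add -l 2>/dev/null | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Remove every cached identity, which is what `ssh-add -D` does, then report
# the resulting state so the caller can confirm the flush really happened.
flush_agent() {
    case $(agent_state) in
        loaded|empty) ssh-add -D >/dev/null 2>&1 || true ;;
    esac
    agent_state
}

# Typical use at the end of a session:  flush_agent   (prints "empty" on success)
```

Running `agent_state` before and after an ssh session is the quickest way to see the caching described in this thread: the state goes from "empty" to "loaded" after the first passphrase prompt and stays there until the agent is flushed, locked or restarted.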
  5. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #5
    Yep, that command temporarily fixed the problem.

    Does anyone know how to fix this issue permanently so I don't have to type in that command every time I SSH in?
     
  6. ocabj macrumors 6502a

    ocabj

    Joined:
    Jul 2, 2009
    #6
    Read the manpages.
    Did you look at the manpages for ssh-add and ssh-agent? Try the -t parameter and see if that works, and add a corresponding line to your shell init script.
     
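Following the pointer to the -t option, here is an added example (mine, not from the thread) of loading a key with a bounded lifetime from a shell init file. ssh-add(1) accepts the lifetime either as plain seconds or in the time format of sshd_config(5) (600, 10m, 1h30m); the `lifetime_seconds` and `load_key_with_lifetime` functions and the ~/.ssh/id_ed25519 path are this example's own.

```shell
#!/bin/sh
# Added example: load a key into ssh-agent with a bounded lifetime so the
# cached passphrase expires instead of living until reboot or `ssh-add -D`.
# Function names and the key path are this example's own choices.

# Convert an ssh-add(1) lifetime into seconds. Accepts plain seconds or the
# sshd_config(5) time format: digits followed by an optional s/m/h/d/w unit,
# repeated ("1h30m"). Prints the total; returns 1 for anything malformed.
lifetime_seconds() {
    rest=$1
    total=0
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        case $rest in [0-9]*) ;; *) return 1 ;; esac   # each token starts with a digit
        num=0
        while :; do
            case $rest in
                [0-9]*) num=$((num * 10 + ${rest%"${rest#?}"})); rest=${rest#?} ;;
                *) break ;;
            esac
        done
        case $rest in
            [sS]*) mult=1;      rest=${rest#?} ;;
            [mM]*) mult=60;     rest=${rest#?} ;;
            [hH]*) mult=3600;   rest=${rest#?} ;;
            [dD]*) mult=86400;  rest=${rest#?} ;;
            [wW]*) mult=604800; rest=${rest#?} ;;
            *)     mult=1 ;;                         # no unit: plain seconds
        esac
        total=$((total + num * mult))
    done
    echo "$total"
}

# Add KEY to the running agent; the agent forgets it after LIFETIME.
load_key_with_lifetime() {
    key=$1
    life=$2
    secs=$(lifetime_seconds "$life") || { echo "bad lifetime: $life" >&2; return 2; }
    [ -r "$key" ] || { echo "cannot read key: $key" >&2; return 2; }
    # ssh-agent drops the identity once the timer runs out, so a later ssh
    # prompts for the passphrase again (the behaviour asked for in the thread)
    ssh-add -t "$secs" "$key"
}

# Line for a shell init file (e.g. ~/.bash_profile, which macOS Terminal's
# login shells read), prompting once per session and expiring after 10 min:
#   load_key_with_lifetime "$HOME/.ssh/id_ed25519" 10m
```

The lifetime is a middle ground between the two positions argued later in this thread: the passphrase is typed once per window of use rather than on every connection, but a forgotten laptop or a long-lived agent no longer holds an unlocked key indefinitely.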
  7. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #7
    I don't know how to look at the man pages.
     
  8. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #8
    In terminal:
    Code:
    man ssh-add
    or
    Code:
    man ssh-agent
     
  9. mfram macrumors 65816

    Joined:
    Jan 23, 2010
    Location:
    San Diego, CA USA
    #9
    The 'ssh' client uses the environment variable SSH_AUTH_SOCK to learn how to communicate with the SSH agent. If you unset that environment variable, then that shell can no longer use ssh-agent. So assuming you are using the default bash shell, you can enter this command to unset the environment variable.

    Code:
    unset SSH_AUTH_SOCK
    
    After that, you will get prompted for the passphrase every time. If you wish to make it permanent, you can add it to your .bashrc file or something like that.
     
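To apply the unset approach to a single connection or a single host instead of the whole shell, here is an added example (mine, not from the thread). It assumes OpenSSH 7.3 or newer for the `IdentityAgent` and `AddKeysToAgent` client options; `UseKeychain` is Apple's macOS-only option, which is why the stanza guards it with `IgnoreUnknown`. The function names and the host name `work.example` are this example's own.

```shell
#!/bin/sh
# Added example: keep ssh-agent out of the loop for one connection or one host
# while leaving SSH_AUTH_SOCK intact for the rest of the shell session.
# Function names and the sample host name are this example's own.

# "yes" if this shell would hand ssh an agent socket, "no" otherwise.
agent_visible() {
    if [ -n "${SSH_AUTH_SOCK:-}" ]; then echo yes; else echo no; fi
}

# Run any command with the agent hidden. The unset happens in a subshell, so
# the caller's environment (and every later ssh) is unaffected.
without_agent() {
    ( unset SSH_AUTH_SOCK; "$@" )
}

# ssh with the key file used directly; the passphrase prompt appears every time.
# (`-o IdentityAgent=none` achieves the same with OpenSSH 7.3+.)
ssh_noagent() {
    without_agent ssh "$@"
}

# Emit a ~/.ssh/config stanza that disables agent and Keychain use for HOST,
# which is the permanent form of the same idea. IgnoreUnknown must precede
# the macOS-only UseKeychain so Linux/BSD ssh does not reject the file.
noagent_config() {
    host=$1
    cat <<EOF
Host $host
    IdentityAgent none
    AddKeysToAgent no
    IgnoreUnknown UseKeychain
    UseKeychain no
EOF
}

# Usage (assumed host name):
#   ssh_noagent user@work.example
#   noagent_config work.example >> ~/.ssh/config
```

The per-host stanza is the safer permanent fix than unsetting SSH_AUTH_SOCK in .bashrc: it changes behaviour only for the work server, and other tools that depend on the agent socket (git over ssh, scp to other hosts) keep working.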
  10. IHelpId10t5 macrumors 6502

    Joined:
    Nov 28, 2014
    #10
    Per mfram's suggestion, you can disable SSH's interaction with Keychain, but you need to consider if this is really desirable. Every time you type in that SSH passphrase on the keyboard is a chance for it to be intercepted by a keylogger or other surveillance. Therefore, it may be equally secure to allow Keychain to store it for you yet lock down the security settings for your Mac and/or Keychain settings to increase the overall security of your Mac instead.
     
  11. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #11
    From what I read, it sounds like when I SSH in, the passphrase for my private key gets stored by ssh-agent in memory.

    Is that secure? Sounds like it would be very easy to hack.

    I thought it was safer to memorize all passwords/passphrases versus storing them on your computer?

    If I told OS-X to save my passphrase in my keychain, how could I ensure that someone doesn't get it?

    My thinking was that "You can't steal what is not stored."
     
  12. IHelpId10t5 macrumors 6502

    Joined:
    Nov 28, 2014
    #12
    I'm not sure how ssh-agent handles the exchange of passphrases between keychain and SSH but I have some trust that some smart Apple engineers have taken care of doing it in a reasonably secure manner. I personally would think that a keylogger would be a larger threat and therefore typing your passphrase frequently would create a greater exposure. Realistically though, if someone has enough access to your Mac to steal both your private key and also has access to hack ssh-agent or scrape memory, you would already be toast. Maybe some others will weigh in on what they think the relative risks are.
     