Force SSH Passphrase

Texas_Toast

macrumors 6502a
Original poster
Feb 6, 2016
849
69
Texas
I am using my personal MacBook to connect to a server at work using SSH.

I am also using public/private key authentication so no password needs to be entered. However, for extra security, I did add pass-phrase to the private key on my MacBook.

The problem is that the first time I SSH'ed into the server I got a pop-up window asking me for my pass-phrase, but after that I don't get the prompt, and I want to be prompted for it every time!!

Someone told me this is a caching issue on my MacBook.

Any ideas?
 

ocabj

macrumors 6502a
Jul 2, 2009
545
183
I believe ssh-agent is caching your private key passphrase locally. If you quit Terminal, iTerm, or whatever terminal application you use, *after* you ssh to a server using your private key (and entering your password), relaunch and ssh to that same server again and see if it prompts you again for the private key passphrase.

Note: ssh-agent is tied to OS X keychain, so if you save your private key passphrase to the keychain, you'll never get prompted for your private key passphrase as long as the keychain is unlocked.
 

Texas_Toast

macrumors 6502a
Original poster
Feb 6, 2016
849
69
Texas
I believe ssh-agent is caching your private key passphrase locally. If you quit Terminal, iTerm, or whatever terminal application you use, *after* you ssh to a server using your private key (and entering your password), relaunch and ssh to that same server again and see if it prompts you again for the private key passphrase.

Note: ssh-agent is tied to OS X keychain, so if you save your private key passphrase to the keychain, you'll never get prompted for your private key passphrase as long as the keychain is unlocked.
I just SSH'ed into the server and did get a pop-up asking for my private key passphrase - this is good.

However, when I quit out of Terminal, and tried it a second time, it did not ask for my private key passphrase, which to me, is bad. (I like the reassurance that it is asking everytime and that it is working everytime!)

I did not save things to my keychain.

It would seem that Terminal (or OS-X) is caching my passphrase until I reboot my laptop.

Can I change this to get the behavior I want?

I looked through Terminal Preferences but didn't see anything obvious.
 

ocabj

macrumors 6502a
Jul 2, 2009
545
183
Well, I just created a new public+private keypair with a passphrase and added the pub key to the authorized keys on one of my vps'es. It appears to be a Keychain issue.

I ssh'ed in, entered my passphrase and got in. I logged out and ssh'ed in again and no passphrase prompt. I locked the Keychain and ssh'ed back in and it asked for my passphrase.

So it appears Keychain is caching, even if you don't save your private key passphrase to the keychain. You might have to go through some manpages and figure out a mitigation for this.
[doublepost=1460643719][/doublepost]Quick follow up:

ssh-add -D will delete the cached passphrase session.

Code:
$ ssh-add -D
All identities removed.
 

Texas_Toast

macrumors 6502a
Original poster
Feb 6, 2016
849
69
Texas
Well, I just created a new public+private keypair with a passphrase and added the pub key to the authorized keys on one of my vps'es. It appears to be a Keychain issue.

I ssh'ed in, entered my passphrase and got in. I logged out and ssh'ed in again and no passphrase prompt. I locked the Keychain and ssh'ed back in and it asked for my passphrase.

So it appears Keychain is caching, even if you don't save your private key passphrase to the keychain. You might have to go through some manpages and figure out a mitigation for this.
[doublepost=1460643719][/doublepost]Quick follow up:

ssh-add -D will delete the cached passphrase session.

Code:
$ ssh-add -D
All identities removed.
Yep, that command temporarily fixed the problem.

Does anyone know how to fix this issue permanently so I don't have to type in that command every time I SSH in?
 

ocabj

macrumors 6502a
Jul 2, 2009
545
183
Read the manpages ss
Yep, that command temporarily fixed the problem.

Does anyone know how to fix this issue permanently so I don't have to type in that command every time I SSH in?
Did you look at the manpages for ssh-add and ssh-agent. Try the -t parameter and see if that works and add a corresponding line to your shell init script.
 

Texas_Toast

macrumors 6502a
Original poster
Feb 6, 2016
849
69
Texas
Read the manpages ss


Did you look at the manpages for ssh-add and ssh-agent. Try the -t parameter and see if that works and add a corresponding line to your shell init script.
I don't know how to look at the man pages.
 

mfram

macrumors 65816
Jan 23, 2010
1,056
138
San Diego, CA USA
The 'ssh' client uses the environment variable SSH_AUTH_SOCK to learn how to communicate with the SSH agent. If you unset that environment variable, then that shell can no longer use ssh-agent. So assuming you are using the default bash shell you can enter this command to turn off set environment variable.

Code:
unset SSH_AUTH_SOCK
After that, you will get prompted for the passphrase every time. If you wish to make it permanent, you can add it to your .bashrc file or something like that.
 

IHelpId10t5

macrumors 6502
Nov 28, 2014
477
314
Per mfram's suggestion, you can disable SSH's interaction with keychain but you need to consider if this is really desirable. Every time you type in that SSH passphrase on the keyboard is a chance for it to be intercepted by keylogger or other surveillance. Therefore, it may be equally secure to allow Keychain to store it for you yet lock down the security settings for your Mac and/or Keychain settings to increase overall security Mac instead.
 

Texas_Toast

macrumors 6502a
Original poster
Feb 6, 2016
849
69
Texas
Per mfram's suggestion, you can disable SSH's interaction with keychain but you need to consider if this is really desirable. Every time you type in that SSH passphrase on the keyboard is a chance for it to be intercepted by keylogger or other surveillance. Therefore, it may be equally secure to allow Keychain to store it for you yet lock down the security settings for your Mac and/or Keychain settings to increase overall security Mac instead.
From what I read, it sounds like when I SSH in, the passphrase for my private key gets stored by ssh-agent in memory.

Is that secure? Sounds like it would be very easy to hack.

I thought it was safer to memorize all passwords/passphrases versus storing them on your computer?

If I told OS-X to save my passphrase in my keychain, how could I ensure that someone doesn't get it?

My thinking was that, "You can't steal what is not stored"
 

IHelpId10t5

macrumors 6502
Nov 28, 2014
477
314
I'm not sure how ssh-agent handles the exchange of passphrases between keychain and SSH but I have some trust that some smart Apple engineers have taken care of doing it in a reasonably secure manner. I personally would think that a keylogger would be a larger threat and therefore typing your passphrase frequently would create a greater exposure. Realistically though, if someone has enough access to you Mac to steal both your private key and also has access to hack ssh-agent or scrape memory, you would already be toast. Maybe some others will weigh in on what they think the relative risks are.