Mac OS X makes handling SSH keys easier


I discovered something this Sunday morning that will make my day, week and month 🙂

If you don’t know much about ssh-agent or if you’re looking for a tutorial about using ssh public key authentication or ssh-agent, read one of the excellent articles linked from here before to continue here.

On OSX, Apple made it much easier to manage your SSH keys and to work with SSH, by adding two welcome improvements

The first improvement alleviate user’s need to manually start ssh-agent for every session.  launchd(8) will also makes sure ssh-agent is automatically restarted in case of crash.

Launchd configuration file is here:

hostname:~ user$ cat /System//Library/LaunchAgents/org.openbsd.ssh-agent.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>org.openbsd.ssh-agent</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/bin/ssh-agent</string>
		<string>-l</string>
	</array>
	<key>ServiceIPC</key>
	<true/>
	<key>Sockets</key>
	<dict>
		<key>Listeners</key>
		<dict>
			<key>SecureSocketWithKey</key>
			<string>SSH_AUTH_SOCK</string>
		</dict>
	</dict>
        <key>EnableTransactions</key>
        <true/>
</dict>
</plist>

But the best part is the second improvement : instead of storing your keys in .pem files in your  ~/.ssh directory, you can tell ssh-agent to store your keys in the more secured KeyChain trusted store, as show on the picture below.

keychain

Apple silently added a -K option to ssh-add command to instruct ssh-add to store your SSH key in KeyChain in addition to loading the key in memory.  ssh-agent will search for keys in their usual location on disk but also in Keychain.

What are the benefits of this?

There is no more need to explicitly call ssh-add when your session start, like you used to do in your .profile or .bashrc file. LaunchD will load ssh-agent and will instruct it to load keys referenced in your KeyChain. Note that the .pem file is not stored into KeyChain, you can not delete these from your file system.

Finally, because Keychain might synchronise across your machines through iCloud, your keys’ password are now available automatically on all your machines (provided you’re willing to keep a copy of your keys in iCloud – but that’s a different story)

Enjoy!

, , , , ,

  1. No comments yet.
(will not be published)