Your Mac seems to remember your SSH private key pass phrase?

Posted on

I’ve found a very annoying characteristic of OS X; if you use key-based ssh authentication to connect out to other systems, launchd will start ssh-agent and it will store your ssh key in memory until you log off, kill it, or remove it from the agent.  This is insecure; many people use laptops and never shut them down, they just close the lid, recharge, use, recharge, etc. so the key remains in memory protected only by whatever login credentials the laptop has to the screen saver.

So, for example, I start up my preferred terminal emulator iTerm, ssh somewhere, give my pass phrase, now, even if I quit iTerm, or start terminal and ssh somewhere, or start SecureCRT and ssh somewhere, my key is still in memory.  If someone gets my laptop and figures out how to log in, now they can ssh to wherever I can ssh to.  If I get a virus or malware, it can ssh anywhere as me.  You get the picture.

Now, the really odd part is that ssh-agent supports the setting of a timeout value after which the key would be deleted.  They could have easily let this be configurable, or set a reasonable default of who knows, 5, 10, 60 minutes, but no, we’ll just leave it set to indefinite.

There are a few solutions to this:

  • If you’re diligent with following processes, you can remove your key from memory when you’re done with it, and then the next ssh session needing that key will prompt you for a password again to unlock the key.  You can see keys currently stored by running “ssh-add -L”You remove keys in one of two says.  “ssh-add -D” will remove all stored keys.  If you want to only remove a specific one, oddly, you do so by specifying the public key file name, so it would be something like “ssh-add -d ~/.ssh/identity.pub”
  • You can “killall ssh-agent” to just kill the thing; less graceful so may as well just do the previous: ssh-add -D
  • If you’re worried you may forget the above, you can set a cron job to run “ssh-add -D” every period of time that would make sense for you.
  • Log off between sessions.d
  • If you’re on a version of OS X older than 10.11.5, aka El Capitan, you can edit the following file as root; if not, see below:/System/Library/LaunchAgents/org.openbsd.ssh-agent.plistand make this one section of the file: 
     <array>
<string>/usr/bin/ssh-agent</string>
<string>-l</string>
</array>

    look like this:

     <array>
<string>/usr/bin/ssh-agent</string>
<string>-l</string>
<string>-t 300</string>
</array>

    Just change the 300 to the number of seconds you’d like to have elapse before the key is removed, then unload and reload ssh-agent, or restart the computer.

  • If you’re on El Capitan, thanks to the new System Integrity Protection, that file is no longer editable and you also can’t even unload ssh-agent.  There is a drawn our process on how to get edit access to that file, which requires reboots to turn SIP off and back on.  That is documented here:http://stackoverflow.com/questions/30768087/restricted-folder-files-in-os-x-el-capitan
  • Other person having same issue with changing this setting on El Capitan: http://apple.stackexchange.com/questions/213364/customize-system-launchagent-arguments-in-el-capitan
  • So if you’re on El Capitan, use the cron job option to just continuously delete stored keys.

Leave a Reply

Your email address will not be published. Required fields are marked *