OpenSSH – How to Add Keys to Keychain After Installing OpenSSH 8.2 via Brew

homebrewkeychainssh

I installed openssh 8.2 via brew install openssh. I added the following to my .profile:

export SSH_AUTH_SOCK="~/.ssh/agent.$HOST.sock"
ssh-add -l 2>/dev/null >/dev/null
if [ $? -ge 2 ]; then
  ssh-agent -a "$SSH_AUTH_SOCK" >/dev/null
fi

And, then I have to do the following:

ssh-add ~/.ssh/id_ecdsa_sk
Enter passphrase for /Users/myuser/.ssh/id_ecdsa_sk:
Identity added: /Users/myuser/.ssh/id_ecdsa_sk

even though I have the following in my ~/.ssh/config:

Host *
    IgnoreUnknown UseKeychain
    UseKeychain yes
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_ecdsa_sk

(I had to add the IgnoreUnknown bit, because the install from brew installs a version that breaks the UseKeychain bit.) But now: How do I wire it up so it adds the key to my keychain?

Best Answer

Keychain integration is a feature added by Apple that is not in the standard release of OpenSSH. As you have now installed the standard OpenSSH release from HomeBrew, you won't have this functionality anymore. You have discovered this as the UseKeychain option now gives configuration errors - adding the IgnoreUnknown configuration only makes the error message go away, it won't actually bring back any functionality.

In order to get Keychain integration, you will want to uninstall the HomeBrew version of OpenSSH and use the version supplied by Apple.

The version in HomeBrew will not for the foreseeable future have Keychain integration - it's not that they can't make it work at all, but rather that they have found the implementation that was made to be too big a risk for the project, as it's a big change that doesn't come from the OpenSSH project itself. You can read about that discussion here.

If you look at the link, you'll see that you can still download the old patch, and try that out if you like. However, as it is no longer maintained, it is a security risk.

Similarly you can download a third party mod to add Keychain support here. However that hasn't been updated since 2017 it seems, and as such would also be a security risk.

Related Solutions

How to configure and use multiple ssh RSA keys with Keychain help

ssh-agent can do this: use ssh-add -K path/to/key to store the passphrase for the key in your Keychain. Whenever you do something requiring that key you won't be prompted for your password, provided the Keychain is unlocked.

This article gives more information, as does this related ServerFault question.

Mac – Need help understanding script running at startup? “osascript -e ‘tell app \”ARDAgent\“ to do shell script \”say quack\“’”

It seems your Mac has been compromised (at the time of your writing) in order to mine bitcoins (./bitcoin-qt.app) probably by using ARDAgent exploit or similar. The posted commands are quite advanced, however plenty of them are copy&paste commands which indicates some pseudo-hacker (with actually little knowledge) who is trying to install trojan on your system.

Find the explanation for history commands below:

1: It removing files from Trash. Maybe clearing some evidence after downloading something.
2-12: Accessing Downloads folder with a bit of trouble. Half of these commands are mis-typed, so maybe the person was in hurry or stressed out.
13-14: Finding all files which belong to an unknown user (for unknown reason).
15-20: Struggling to access your passwords in KeyChains, but most of the commands are mis-typed. This indicates very little knowledge how to use the basic shell commands. It seems he tries to access folders such as /Library/LaunchAgents, /Library/Automator, /Library/Keychains, but fails.
21: There is no command sha.
22-23: Struggling to see your processes.
24-29: Struggling to check all the system users, however present shell prompt in 25-27 indicates that these commands were copy and pasted from some hack tutorial.
34-39: Checking network configuration.
41: Disabling auto updates for Google apps.
40, 45: Log-in to remote host.
47: Checking your non-Apple kernel extensions.
48-49: Checking your non-Apple loaded jobs. Repeating the same command without sudo could indicate that the user didn't have root access.
51: Checking startup items.
57: Disabling remote desktop agent. Why?
71-72: How he managed to install htop using apt-get on OS X? I don't know.
73-164: Checking processes, what's listening on port 80 and the history of last logins.
165-225: Checking your users and files again.
228: Indicates the person is from Windows background, as the parameter /i is invalid.
226-237: Repeating the same things over and over again.
238-480: Clearing DNS caches.
241-259: Running Bitcoin client.
263-264: Pasting code into wrong window. It should be actually:
```
osascript -e 'tell app "ARDAgent" to do shell script "say quack"'
```
Which basically on successful run of ARDAgent would run command say quack which basically say loudly "quack". This suppose to test if ARDAgent is vulnerable to the attacks, but testing by using Speech Synthesis it's the worse what hacker can do, because the user will hear that and figure it out that something is wrong.
265: Testing if check_afp is vulnerable by having SUID flag.

Your action were correct by disabling SUID for ARDAgent. When you run Disk Utility and Repair Permission, it will automatically restore the right permissions (including ARDAgent), unless it has been modified. The other thing it to keep your system up-to-date and monitor logs and history more frequently.

Best Answer

Related Solutions

How to configure and use multiple ssh RSA keys with Keychain help

Mac – Need help understanding script running at startup? “osascript -e ‘tell app \”ARDAgent\“ to do shell script \”say quack\“’”

Related Question