How to keep the SSH private key passphrase away from OSX

Tags: keychain, Security, ssh, terminal

I recently created an SSH public/private keypair on my Mac OSX Yosemite system and for this use-case, I wanted to encrypt the private key with a passphrase.

However, the first time I attempted to use this key, I was surprised to see a GUI component overlay itself over my terminal … that is the first time I had ever seen (or heard of) keychain.

I want nothing to do with this. I want the passphrase to exist nowhere but my own head – not even in an encrypted or keychain-vaulted safe space.

So I learned about the ssh config option 'AskPassGUI no' and that seems to have solved my problem. I use that ssh key and keychain seems to not be invoked and there are no GUI pop-ups, etc.

But I'm suspicious … I never liked that little Unicode key character that the Mac terminal inserts into the passphrase dialog in the terminal – it makes me think there are processes or services overlaying the terminal.

My question:

With AskPassGUI set to no, and no sign of keychain popping up, am I saving/caching/storing either my key, or my passphrase … or anything … inside OSX?

Or am I having the simple, basic, text-only relationship with my terminal that I hope to be having?

Thanks.

Best Answer

I have no inside information about the MacOS internals, but from my experience using this feature, the passphrase is accepted by the GUI only to add the corresponding key to an ssh-agent. On my system it did not store the passphrase in the keychain (which I also do not want), but I'm not sure that's default behavior. My terminal would report "saving to keychain failed", but I could then ssh using that key until I logged out / restarted. See the "AskPassGUI" and "KeychainIntegration" options in ssh_config (superseded in more recent MacOS versions, though). Because it did not save the passphrase in the keychain, I happily entered my passphrase only once a week (shutting down on the weekend and never logging out).
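The following is an added example, not part of the question or the answer above, showing how to check an ssh_config file for the options the answer mentions before trusting it. It reads the two Apple-specific options named in the thread (AskPassGUI and KeychainIntegration) plus UseKeychain, the option Apple's later OpenSSH builds use for the same keychain decision, and reports for a given host whether the passphrase stays on the terminal, can be taken by a GUI helper for ssh-agent, or can be written to the keychain. The config it parses is constructed inline; the parser assumes ssh's first-match-wins rule and only understands exact Host names and `*` (no glob patterns or Match blocks).

```shell
#!/bin/sh
# Added example: inspect an ssh_config for the Apple-specific options that decide
# whether a key passphrase is prompted for in the terminal, handed to a GUI
# askpass helper, or written to the login keychain.
# Assumptions: ssh_config "first match wins" semantics; only exact Host names
# and "*" are matched (no glob or Match-block evaluation).

# Constructed sample config (not a real user's file). The per-host block comes
# first because ssh uses the first value it finds for each option.
SAMPLE_CONFIG="$(mktemp)"
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
Host build-server
    HostName build.example.internal
    IdentityFile ~/.ssh/id_build
    # Newer Apple option: the passphrase is stored in the login keychain.
    UseKeychain yes

Host *
    # No GUI overlay; ssh prompts on the terminal.
    AskPassGUI no
    # Older Apple option with the same purpose as UseKeychain.
    KeychainIntegration no
EOF

# effective_value FILE HOST OPTION
# Prints the lowercase value ssh would use for OPTION when connecting to HOST,
# or "unset" if the file never sets it for that host.
effective_value() {
    opt="$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')"
    awk -v host="$2" -v opt="$opt" '
        BEGIN { applies = 1 }                  # options before any Host line are global
        { sub(/#.*/, ""); gsub(/=/, " ") }     # drop comments, accept key=value form
        NF == 0 { next }
        tolower($1) == "host" {
            applies = 0
            for (i = 2; i <= NF; i++) if ($i == "*" || $i == host) applies = 1
            next
        }
        tolower($1) == "match" { applies = 0; next }   # Match blocks are not evaluated
        applies && NF >= 2 && tolower($1) == opt { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# keychain_risk FILE HOST
# Classifies where the passphrase can end up for HOST:
#   keychain      - UseKeychain or KeychainIntegration is yes: may be stored in the keychain
#   gui-agent     - AskPassGUI is not "no": a GUI helper may take the passphrase
#                   and load the key into ssh-agent
#   terminal-only - the prompt stays in the terminal; no GUI helper or keychain involved
keychain_risk() {
    if [ "$(effective_value "$1" "$2" UseKeychain)" = "yes" ] ||
       [ "$(effective_value "$1" "$2" KeychainIntegration)" = "yes" ]; then
        echo keychain
    elif [ "$(effective_value "$1" "$2" AskPassGUI)" != "no" ]; then
        echo gui-agent
    else
        echo terminal-only
    fi
}

# Report for the sample hosts; point SAMPLE_CONFIG at ~/.ssh/config to audit a real file.
for h in build-server other-host; do
    printf '%-14s AskPassGUI=%s UseKeychain=%s -> %s\n' "$h" \
        "$(effective_value "$SAMPLE_CONFIG" "$h" AskPassGUI)" \
        "$(effective_value "$SAMPLE_CONFIG" "$h" UseKeychain)" \
        "$(keychain_risk "$SAMPLE_CONFIG" "$h")"
done
```

Note that a per-host `UseKeychain yes` overrides a global `KeychainIntegration no` for that host, which is why the check is done per host rather than by grepping the file once: the setting that matters is the first one ssh finds for the host you are actually connecting to.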