Based on the source code for the current version of SSH that's shipping with Mavericks (located here), it appears that the functionality of the config option KeychainIntegration has not yet been implemented. I'm making this assumption based on the contents of openssh/readconf.h, which does not reference the KeychainIntegration option. It does, however, reference the askpassgui option. Checking the "keywords" struct in that file does indeed show that the keychainintegration option is not present (which in turn implies that the oBadOption (NULL) op code would be returned).
Another clue implying that the functionality you desire is not implemented in the way the man page specifies is the file: openssh/keychain.c. The source code actually shows that the defaults system (i.e., Property List files) is being used to store settings related to KeychainIntegration. Specifically, lines from the store_in_keychain function reference KeychainIntegration:
    /* Bail out if KeychainIntegration preference is -bool NO */
    if (get_boolean_preference("KeychainIntegration", 1, 1) == 0) {
        fprintf(stderr, "Keychain integration is disabled.\n");
        goto err;
    }
Here is the corresponding get_boolean_preference function. Note that it's using CFPreferencesCopyAppValue to obtain a boolean from the "org.openbsd.openssh" application identifier:
    #if defined(__APPLE_KEYCHAIN__)
    static int get_boolean_preference(const char *key, int default_value,
        int foreground)
    {
        int value = default_value;
        CFStringRef keyRef = NULL;
        CFPropertyListRef valueRef = NULL;

        keyRef = CFStringCreateWithCString(NULL, key, kCFStringEncodingUTF8);
        if (keyRef != NULL)
            valueRef = CFPreferencesCopyAppValue(keyRef,
                CFSTR("org.openbsd.openssh"));
        if (valueRef != NULL)
            if (CFGetTypeID(valueRef) == CFBooleanGetTypeID())
                value = CFBooleanGetValue(valueRef);
            else if (foreground)
                fprintf(stderr, "Ignoring nonboolean %s preference.\n", key);

        if (keyRef)
            CFRelease(keyRef);
        if (valueRef)
            CFRelease(valueRef);

        return value;
    }
    #endif
This might imply that you can disable the KeychainIntegration functionality for yourself by performing this defaults command:

    defaults write org.openbsd.openssh KeychainIntegration -bool NO

or to set it for all users:

    sudo defaults write /Library/Preferences/org.openbsd.openssh KeychainIntegration -bool NO
Turns out that SSH recently switched from using MD5 fingerprints (what I refer to as a "traditional" fingerprint) and now uses SHA256 fingerprints (what I referred to as gobbledygook).
I'm guessing that with El Capitan, OS X is now using a newer version of SSH that is using the new SHA256 default.
For those of you who find this, although SSH will give you an SHA256 fingerprint by default, you can ask SSH to give you an MD5 fingerprint:

    ssh -o FingerprintHash=md5 [server]

It appears that on my Mac, the command

    ssh-keygen -lf /path/to/key

now defaults to an SHA256 fingerprint. However, if you're using Ubuntu, it looks like ssh-keygen is still defaulting to MD5 (maybe I need to update my ssh package on Ubuntu).
Here is the post that I finally found once I started using the right terminology:
https://superuser.com/questions/929566/sha256-ssh-fingerprint-given-by-the-client-but-only-md5-fingerprint-known-for-se
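Both fingerprint styles mentioned above are hashes of the same public key blob, so a fingerprint published in one style can be checked against a key shown in the other. The following Python code is an added example, not part of the original answer: it derives both forms from a public key line and compares a published fingerprint in either style. The function names are this example's own, and `sample_line` builds a constructed key rather than a real host key.

```python
import base64
import hashlib
import hmac
import struct


def key_blob(pubkey_line):
    """Decode the base64 blob from a 'type base64 [comment]' public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; check it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match blob")
    return blob


def fingerprints(pubkey_line):
    """Return both fingerprint styles as OpenSSH prints them."""
    blob = key_blob(pubkey_line)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha,
    }


def matches(pubkey_line, published):
    """True if a published fingerprint (either style) belongs to this key."""
    fps = fingerprints(pubkey_line)
    published = published.strip()
    if published.startswith("SHA256:"):
        expected = fps["sha256"]
    else:
        # Older tools print the MD5 form without the 'MD5:' prefix.
        hexpart = published[4:] if published.upper().startswith("MD5:") else published
        published = "MD5:" + hexpart.lower()
        expected = fps["md5"]
    return hmac.compare_digest(expected.encode(), published.encode())


def sample_line(seed=0):
    """Constructed ed25519-shaped key line (not a real host key)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

To check a real host, pass a line from the server's public host key file and the fingerprint the administrator published to `matches`.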
Best Answer
The manpage describes the ability to generate ECC keys because the version of OpenSSH 5.9p1 (the version that comes with Mountain Lion) can potentially support ECC. However, the actual build of OpenSSH that came bundled with Mountain Lion appears to lack ECC support [1]. The manpages are not modified when ECC support is not included in the compiled binaries.
If you want or need ECC support, you could use MacPorts (or probably Homebrew) to install a build of OpenSSH that does support ECC. You might run into some incompatibilities though:
[1] OpenSSH’s configure script does some checks to make sure that the available OpenSSL library is new enough and includes various bits of ECC functionality; the bundled version of OpenSSL seems to satisfy these requirements. I am not sure why the bundled version of OpenSSH was built without ECC support.