MacOS – How to disable SSH KeychainIntegration in OS X Mavericks

keychainmacosssh

I'm having some issues with SSH KeychainIntegration in OS X Mavericks. I've tried poking around Apple's support site, but haven't seen anyone having my issue. I have seen lots of people who seemingly don't know how to use SSH that well, so I decided to try another community.

First, my configuration is working. I am able to use my key pair and ssh to hosts as I need to, with my credentials being cached in the agent. I am able to see my cached credentials via "ssh-add -l", as expected. I am prompted to input my password by an OS X-style dialog, with a checkbox that says "Remember password in my keychain". I usually ignore this checkbox, but when I check it, I do see my key stored in the keychain. This key stored in the keychain is seemingly never used, however, since I have a password on it. At least that's what I've gleaned from various things I've read. When I enter my password into the dialog, and the key is cached in the agent, I successfully connect, but not before being told "Saving password to keychain failed". Seeing this error message is what led me to investigate further; I don't like getting an error every time I connect.

Things get interesting when looking at the manpage SSH_CONFIG(5). Two options for dealing with the keychain exist, specific to Apple: AskPassGUI, and KeychainIntegration. You're able to toggle these in ~/.ssh/config, and doing so yields some interesting results.

Setting AskPassGUI to no, you'll no longer be prompted with an OS X-style dialog, instead an input text line in your terminal. No biggie. But if you do this, then ssh-agent will not cache your credentials. This is plainly broken, and frustrating because I could easily live with the text prompt if the credentials were cached.

Setting KeychainIntegration to no, ssh throws a hard error, as follows:

~/.ssh/config: line 11: Bad configuration option: KeychainIntegration
~/.ssh/config: terminating, 1 bad configuration options

My question, simply, is this: Is there a way to actually disable OS X Keychain Integration for SSH?

Best Answer

Based on the source code for the current version of SSH that's shipping with Mavericks (located here), it appears that the functionality of the config option KeychainIntegration has not yet been implemented. I'm making this assumption based on the contents of openssh/readconf.h, which does not reference the KeychainIntegration option. It does, however, reference the askpassgui option. Checking the "keywords" struct in that file does indeed show that the keychainintegration option is not present (which in turn implies that the oBadOption (NULL) op code would be returned).

Another clue implying that the functionality you desire is not implemented in the way the man page specifies is the file: openssh/keychain.c. The source code actually shows that the defaults system (i.e., Property List files) is being used to store settings related to KeychainIntegration. Specifically, lines from the store_in_keychain function reference KeychainIntegration:

/* Bail out if KeychainIntegration preference is -bool NO */
if (get_boolean_preference("KeychainIntegration", 1, 1) == 0) {
    fprintf(stderr, "Keychain integration is disabled.\n");
    goto err;
}

Here is the corresponding get_boolean_preference function. Note that it's using CFPreferencesCopyAppValue to obtain a boolean from the "org.openbsd.openssh" application identifier:

#if defined(__APPLE_KEYCHAIN__)

static int get_boolean_preference(const char *key, int default_value,
int foreground)
{
int value = default_value;
CFStringRef keyRef = NULL;
CFPropertyListRef valueRef = NULL;

keyRef = CFStringCreateWithCString(NULL, key, kCFStringEncodingUTF8);
if (keyRef != NULL)
    valueRef = CFPreferencesCopyAppValue(keyRef,
        CFSTR("org.openbsd.openssh"));
if (valueRef != NULL)
    if (CFGetTypeID(valueRef) == CFBooleanGetTypeID())
        value = CFBooleanGetValue(valueRef);
    else if (foreground)
        fprintf(stderr, "Ignoring nonboolean %s preference.\n", key);

if (keyRef)
    CFRelease(keyRef);
if (valueRef)
    CFRelease(valueRef);

return value;
}

#endif

This might imply that you can disable the KeychainIntegration functionality for yourself by performing this defaults command:

defaults write org.openbsd.openssh KeychainIntegration -bool NO

or to set it for all users:

sudo defaults write /Library/Preferences/org.openbsd.openssh KeychainIntegration -bool NO

Related Solutions

Password dialog appears when SSH private key permissions are set to 0600

Make sure you have a corresponding id_rsa.pub or id_dsa.pub in your ~/.ssh directory.

When I had an id_rsa but not a corresponding id_rsa.pub, Mac OS X kept popping up the dialog and remember passowrd in my keychain did nothing.

cd ~/.ssh
ssh-keygen -y -f id_rsa > id_rsa.pub

generated the appropriate public key file for me.

If you already had your public file there (rename it to another name) and generate the public key again using the above command, you'll notice that the generated and the old one are not equal. Somehow the older versions of Mac OS X generated a public key that Lion does not like anymore, generating it again fixes that.

For the curious, the key is exactly the same, the part that changes is that there is no "comments" section after the key on the file any longer.

Keychain won’t remember the SSH password when connecting to server

There is a lot of conflicting information I've read whenever I look up information on using ssh-agent (passphrase saving/reusing process) under Mac OS X. Most resources seem to suggest that simply issuing ssh-add -K will let you store your passphrase, and will automatically configure OS X to launch ssh-agent automatically and load your stored passphrase.

Note: Running ssh-add -K will only work if you have your private key file in one of the common locations, those locations being limited to: ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/identity. If the file is located anywhere else you should specify that path after the -K in the command above.

The reason you are getting the key file passphrase dialog when connecting to the second (key-less) server is likely because the default configuration of SSH servers is to use public key authentication first, and 'keyboard interactive' authentication second.

Because you have a public key with a standard name/location (~/.ssh/id_rsa), your OpenSSH client helpfully submits the private key in order to allow the server to match it against an allowed authorized_keys file.

There are a small handful of ways to prevent this, the easiest two being to pass a flag on the command line, or add it as a permanent configuration item in your ~/.ssh/config file.

When connecting to the secondary/key-less server, you can add -o "PubkeyAuthentication=no" when connecting. Something like ssh -o "PubkeyAuthentication=no" me@devserver2.
Open up ~/.ssh/config in your favorite text editor, create it first if you must, and enter the following:
```
Host devserver2  
    User me  
    PubkeyAuthentication no
```

Now, if you simply type ssh devserver2 the username and pubkey configuration will be read in and used, and you should be prompted for your password and nothing else.

(Note: Replace devserver2 with the actual hostname of the server. Alternatively, pick a nice hostname, such as devserver2, and add a property between User and PubkeyAuthentication called 'Hostname' and put the name or IP address of the server there. Afterwards, you actually can simply type 'ssh devserver2' and all the configuration properties will work their respective magic.)

Best Answer

Related Solutions

Password dialog appears when SSH private key permissions are set to 0600

Keychain won’t remember the SSH password when connecting to server

Related Question