MacOS – How to remember the SSH key password on a remote system that SSH’s into a second remote system

keychainmacossshterminal

I have three systems:

New MBP (Catalina)
Old MBP (El Capitan)
Raspberry Pi (Raspbian Buster)

I want to SSH from the New MBP to the Old MBP, and then SSH from the Old MBP to the Raspberry Pi.
My final goal is to set-up an rsync backup scheme between the Raspberry Pi and the Old MBP.

✅ I can SSH from the New MBP to the Old MBP without a problem.
✅ When I open screen sharing on the New MBP, connect to Old MBP and SSH from the Old MBP to the Raspberry Pi it works without a problem.
❌ When I SSH from the New MBP to the Old MBP, I can SSH from the Old MBP to the Raspberry Pi, but everytime it asks for a passphrase of the SSH key.

I followed these steps and found I had to set-up some different things as well on the Old MBP before they worked. So the complete things I did are:

SSH from New MBP to Old MBP
Start an SSH agent on the Old MBP: eval "$(ssh-agent -s)"
Add the key: ssh-add -K ~/.ssh/id_rsa and ssh-add -A
Now I can SSH to the Raspberry Pi without a password prompt: ssh user@raspi

As long as I don't logout of the Old MBP session (from step 1) everything is fine.
However, if I:

close the New-Old SSH connection
re-connect from the New MBP to the Old MBP
Try to SSH to the Raspberry Pi

I get prompted for a passphrase again!

How can I get the ssh-agent on the Old MBP remember the passphrase across different SSH sessions?

Best Answer

This answer provided me with a solution.

By using ssh -A user@new-mbp and then ssh user@raspi I re-use the ssh-agent of the New MBP (if I understand it correctly) on the Old MBP and can login on the Raspberry Pi using an SSH key without being prompted for a password.

Automatically Added Keys

There are three ways SSH keys are added to ssh-agent in Snow Leopard.

manually, with ssh-add,
automatically, by ssh when you supply a key’s passphrase via the GUI prompt, and
automatically, by ssh-agent when it first starts.

The last two methods are Apple extensions: there are no “automatic” additions with stock OpenSSH. All references to ssh, ssh-agent, and ssh-add below are to Apple’s Snow Leopard versions unless I prefix the program name with the adjective “stock”.

You can disable all of Apple’s keychain-oriented SSH modifications with a (undocumented?) preference setting:

defaults write org.openbsd.openssh KeychainIntegration -bool false

Keys Added Automatically By ssh

(This is the part I missed in the previous version of my original answer since I usually use a “stock” ssh.)

Whenever ssh tries to use a passphrase protected SSH key to authenticate itself to a remote host, it will issue a GUI prompt for the SSH key’s password. The key is also loaded into the agent (if the passphrase is correct) whether or not you mark the “Remember password in my keychain” checkbox.

There are two (undocumented?) ways to prevent ssh from issuing this GUI prompt (and thus adding the SSH key to the ssh-agent):

A preference setting:

defaults write org.openbsd.openssh AskPassGUI -bool false

An ssh_config entry (or -o option to ssh) that specifies AskPassGUI no.

(see keychain_read_passphrase in keychain.c; the oAskPassGUI parameter comes from the AskPassGUI configuration setting)

When AskPassGUI is disabled, ssh will prompt you in the normal way for the key’s password (i.e. through the tty).

You could also avoid automatic adds from ssh by using a “stock” ssh (e.g. OpenSSH compiled by MacPorts, Homebrew “duplicates” from homebrew-alt, or Fink).

Keys Added Automatically By ssh-agent

The keys that ssh-agent automatically adds are those that have their passphrases stored in a keychain. These “remembered keys” are automatically added when a new ssh-agent starts. There is no command line or configuration option (other than KeychainIntegration, described above) to prevent ssh-agent from automatically loading the “remembered keys” (see the call to process_add_from_keychain (defined in keychain.c) from main in ssh-agent.c). If, however, you can arrange to lock the keychains that store your SSH key passphrases, you can click Cancel when ssh-agent asks to unlock the keychain(s) and effectively get ssh-agent to skip adding these “remembered keys” when it first starts.

If there is no ssh-agent running, your first use of ssh will likely trigger launchd to start an ssh-agent which will load all the “remembered keys”. This makes it seem like ssh is loading the keys into the agent, but it is really the agent itself that is loading the keys. It only does this automatically when it first starts.

The -k option of ssh-add provides a manual way to add the “remembered keys” (see add_from_keychain in ssh-add.c which ends up as a message to the agent which calls process_add_from_keychain from process_message in ssh-agent.c).

launchd Configuration

You are right that a system update could overwrite your modification to the file in /System/Library/LaunchAgents/. You should always avoid changing things under /System/; most things can be (re)configured without making changes there. In this case, it looks like you should be able to override the system default launchd job specification on a per-user basis with a file in ~/Library/LaunchAgents/.

From what I can tell¹, entries are loaded in this order²:

~/Library/LaunchAgents/
/Library/LaunchAgents/
/Network/Library/LaunchAgents/ (not present on most systems)
/System/Library/LaunchAgents/

It does not seem to be documented, but only the first job configuration for each Label (e.g. org.openbsd.ssh-agent) will be kept. Any configuration from a later directory with the same Label as a configuration from an earlier directory is effectively skipped.

¹ See NSStartSearchPathEnumeration used in launchctl.c and defined in NSSystemDirectories.h/NSSystemDirectories.c.

² launchd also looks in the LaunchDaemons/ directories next to the various LaunchAgents/ directories for other types of jobs.

MacOS – How to disable SSH KeychainIntegration in OS X Mavericks

Based on the source code for the current version of SSH that's shipping with Mavericks (located here), it appears that the functionality of the config option KeychainIntegration has not yet been implemented. I'm making this assumption based on the contents of openssh/readconf.h, which does not reference the KeychainIntegration option. It does, however, reference the askpassgui option. Checking the "keywords" struct in that file does indeed show that the keychainintegration option is not present (which in turn implies that the oBadOption (NULL) op code would be returned).

Another clue implying that the functionality you desire is not implemented in the way the man page specifies is the file: openssh/keychain.c. The source code actually shows that the defaults system (i.e., Property List files) is being used to store settings related to KeychainIntegration. Specifically, lines from the store_in_keychain function reference KeychainIntegration:

/* Bail out if KeychainIntegration preference is -bool NO */
if (get_boolean_preference("KeychainIntegration", 1, 1) == 0) {
    fprintf(stderr, "Keychain integration is disabled.\n");
    goto err;
}

Here is the corresponding get_boolean_preference function. Note that it's using CFPreferencesCopyAppValue to obtain a boolean from the "org.openbsd.openssh" application identifier:

#if defined(__APPLE_KEYCHAIN__)

static int get_boolean_preference(const char *key, int default_value,
int foreground)
{
int value = default_value;
CFStringRef keyRef = NULL;
CFPropertyListRef valueRef = NULL;

keyRef = CFStringCreateWithCString(NULL, key, kCFStringEncodingUTF8);
if (keyRef != NULL)
    valueRef = CFPreferencesCopyAppValue(keyRef,
        CFSTR("org.openbsd.openssh"));
if (valueRef != NULL)
    if (CFGetTypeID(valueRef) == CFBooleanGetTypeID())
        value = CFBooleanGetValue(valueRef);
    else if (foreground)
        fprintf(stderr, "Ignoring nonboolean %s preference.\n", key);

if (keyRef)
    CFRelease(keyRef);
if (valueRef)
    CFRelease(valueRef);

return value;
}

#endif

This might imply that you can disable the KeychainIntegration functionality for yourself by performing this defaults command:

defaults write org.openbsd.openssh KeychainIntegration -bool NO

or to set it for all users:

sudo defaults write /Library/Preferences/org.openbsd.openssh KeychainIntegration -bool NO

Best Answer

Related Solutions

How to prevent ssh from adding the key to ssh-agent on Snow Leopard

Automatically Added Keys

Keys Added Automatically By ssh

Keys Added Automatically By ssh-agent

launchd Configuration

MacOS – How to disable SSH KeychainIntegration in OS X Mavericks

Related Question