MacOS – SSH, passphrases, keychains, Could not open a connection to your authentication agent

keychainmacossshterminal

I will be very surprised if anyone has the answer to this. I have googled for a long time but no luck.

As an iOS developer who will shortly be welcoming a new team member I want to set up a continuous integration server so that anyone who checks in code will kick off a build, which will in turn set the status of a build light providing a visual indication of code status. If the build breaks it won't stay that way for long because we'll see a big red light.

The ingredients I picked to make this work are Jenkins, Git and a Mac mini. Day to day I won't have physical access to the mini but the build light is controlled by ethernet – no problem.

The first step in getting Jenkins to manage a build is to clone the git repository. For obvious reasons it discards any old code and grabs a copy of the entire repository. I'm using a git "Repository URL" of gitfella@boardroom.local:repo/ProjectName.git. Naturally I did 'su - jenkins' and become user jenkins, then going through the process of scp id_rsa.pub gitfella@boardroom.local. As gitfella I appended that public key to authorized_hosts.

The surprise came when I went back to being user jenkins and tried ssh gitfella@boardroom.local – I was asked for the passphrase for jenkins. At this stage I realised the repository clone was failing because the passphrase could not be entered while Jenkins was running without an interactive shell.

The way to get the passphrase into the keychain is ssh-add -K (and prior to Lion I don't remember having to do this ever) but this does not work in a ssh shell, it fails with the message Could not open a connection to your authentication agent. Executing ssh-agent shows the environment variables that need to be set to allow this to happen, and once that's done ssh-add -K works. Then the git clone is OK. Then I thought the problem was solved but next ssh login I'm asked for the passphrase again.

I now have the git clone phase of the build working but I would rather not have to remove the passphrase for Jenkins entirely…

How can ssh-agent values be set on every invocations of this Jenkins build process? Jenkins is started by executing launchctl load /Library/LaunchDaemons/org.jenkins-ci.plist – would it be possible to set the ssh-agent environment in here somehow? Would these settings persist as long as Jenkins does (per boot)? I'm reluctant to mess with this now I have this little problem mostly sorted, but maybe some expert knows the right fix.

Best Answer

The ssh-add -K command add the key to the Apple's Keychain, but there is a SSH specific keychain, unrelated do the Apple's one.

It runs as a deamon and interacts only with SSH.

I don't know if this will help you, but I have strong feeling that it will.

Keychain is available as a homebrew package so if you get nomebrew available at your system to install it just type brew install keychan. After that a man keychain will help a lot.

Automatically Added Keys

There are three ways SSH keys are added to ssh-agent in Snow Leopard.

manually, with ssh-add,
automatically, by ssh when you supply a key’s passphrase via the GUI prompt, and
automatically, by ssh-agent when it first starts.

The last two methods are Apple extensions: there are no “automatic” additions with stock OpenSSH. All references to ssh, ssh-agent, and ssh-add below are to Apple’s Snow Leopard versions unless I prefix the program name with the adjective “stock”.

You can disable all of Apple’s keychain-oriented SSH modifications with a (undocumented?) preference setting:

defaults write org.openbsd.openssh KeychainIntegration -bool false

Keys Added Automatically By ssh

(This is the part I missed in the previous version of my original answer since I usually use a “stock” ssh.)

Whenever ssh tries to use a passphrase protected SSH key to authenticate itself to a remote host, it will issue a GUI prompt for the SSH key’s password. The key is also loaded into the agent (if the passphrase is correct) whether or not you mark the “Remember password in my keychain” checkbox.

There are two (undocumented?) ways to prevent ssh from issuing this GUI prompt (and thus adding the SSH key to the ssh-agent):

A preference setting:

defaults write org.openbsd.openssh AskPassGUI -bool false

An ssh_config entry (or -o option to ssh) that specifies AskPassGUI no.

(see keychain_read_passphrase in keychain.c; the oAskPassGUI parameter comes from the AskPassGUI configuration setting)

When AskPassGUI is disabled, ssh will prompt you in the normal way for the key’s password (i.e. through the tty).

You could also avoid automatic adds from ssh by using a “stock” ssh (e.g. OpenSSH compiled by MacPorts, Homebrew “duplicates” from homebrew-alt, or Fink).

Keys Added Automatically By ssh-agent

The keys that ssh-agent automatically adds are those that have their passphrases stored in a keychain. These “remembered keys” are automatically added when a new ssh-agent starts. There is no command line or configuration option (other than KeychainIntegration, described above) to prevent ssh-agent from automatically loading the “remembered keys” (see the call to process_add_from_keychain (defined in keychain.c) from main in ssh-agent.c). If, however, you can arrange to lock the keychains that store your SSH key passphrases, you can click Cancel when ssh-agent asks to unlock the keychain(s) and effectively get ssh-agent to skip adding these “remembered keys” when it first starts.

If there is no ssh-agent running, your first use of ssh will likely trigger launchd to start an ssh-agent which will load all the “remembered keys”. This makes it seem like ssh is loading the keys into the agent, but it is really the agent itself that is loading the keys. It only does this automatically when it first starts.

The -k option of ssh-add provides a manual way to add the “remembered keys” (see add_from_keychain in ssh-add.c which ends up as a message to the agent which calls process_add_from_keychain from process_message in ssh-agent.c).

launchd Configuration

You are right that a system update could overwrite your modification to the file in /System/Library/LaunchAgents/. You should always avoid changing things under /System/; most things can be (re)configured without making changes there. In this case, it looks like you should be able to override the system default launchd job specification on a per-user basis with a file in ~/Library/LaunchAgents/.

From what I can tell¹, entries are loaded in this order²:

~/Library/LaunchAgents/
/Library/LaunchAgents/
/Network/Library/LaunchAgents/ (not present on most systems)
/System/Library/LaunchAgents/

It does not seem to be documented, but only the first job configuration for each Label (e.g. org.openbsd.ssh-agent) will be kept. Any configuration from a later directory with the same Label as a configuration from an earlier directory is effectively skipped.

¹ See NSStartSearchPathEnumeration used in launchctl.c and defined in NSSystemDirectories.h/NSSystemDirectories.c.

² launchd also looks in the LaunchDaemons/ directories next to the various LaunchAgents/ directories for other types of jobs.

MacOS – OSX ssh-agent: no password pasting, and problem with PKCS#8

The dialog for ssh-agent can be circumvented by adding the key in the console/terminal: ssh-add ~/.ssh/id_rsa. You can then paste the password into the terminal. Also, adding the -K option to ssh-add will save it to the keychain as per Oliver Lacans comment.
As mattmcmanus said, id_rsa encryption using PKCS seems to be broken on OSX Mavericks ssh-agent. The fast workaround is to decrypt the keyfile, and encrypt it again with the standard ssh procedure (Key-derivation method: MD5...):

mv id_rsa id_rsa.pkcs
openssl rsa -in id_rsa.pkcs -out id_rsa
# enter passphrase to decrypt
chmod 0600 id_rsa
ssh-keygen -f id_rsa -p
# enter passphrase to encrypt again

Best Answer

Related Solutions

How to prevent ssh from adding the key to ssh-agent on Snow Leopard

Automatically Added Keys

Keys Added Automatically By ssh

Keys Added Automatically By ssh-agent

launchd Configuration

MacOS – OSX ssh-agent: no password pasting, and problem with PKCS#8

Related Question