MacOS – ssh-under-cron stops working in OS X 10.7 Lion

cronlaunchdmacosssh

Just upgraded from Snow Leopard to Lion, and my cron jobs that use ssh have stopped working. It appears that ssh-agent is no longer functioning as expected.

Here's a bowdlerized version of my called-from-cron script that worked great under Snow Leopard:

#!/bin/bash
whoami # just to verify I'm running as myself, not root
ssh-agent # just to see what it outputs    
eval `ssh-agent`
ssh -vvv REMOTESERVER ls

When run from the command prompt, this script works as expected.

When run from cron, it doesn't work. The ssh-agent output looks normal:

SSH_AUTH_SOCK=/tmp/ssh-QRxPUMRxbu/agent.17147; export SSH_AUTH_SOCK;
SSH_AGENT_PID=17148; export SSH_AGENT_PID;
echo Agent pid 17148;
Agent pid 17150

But the ssh -vvv output shows that it fails right when the private key should be read:

debug1: Server accepts key: pkalg ssh-dss blen 818
debug2: input_userauth_pk_ok: fp ...
debug3: sign_and_send_pubkey: DSA ...
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug2: no passphrase given, try next key

In other words, it's expecting me to type in the passphrase for ~/.ssh/id_dsa, which of course doesn't work in cron jobs.

This all worked in Snow Leopard.

Note that I've got Keychain Access setup so that ssh, ssh-agent, and ssh-add are allowed to read my passphrase for my .ssh/id_dsa file – as a result I can SSH from a terminal prompt without ever having to enter my passphrase.

Is this issue that I need to run ssh-add at some point in my login process? Running it from a standard bash prompt doesn't help the cron job out (although, oddly, it does prompt me for my passphrase … which I would think isn't necessary b/c of the Keychain Access configuration).

NOTE 1 – before redirecting me – I'm aware there's a similar question here (
Mac OS X Lion and sshpass) but it's specifically about a program sshpass that I don't use (although I believe that question would be answered by this one as well).

NOTE 2 – I realize that passphrase-less SSH keys would solve my problem; however I'd prefer not to go this route.

Best Answer

For anyone who ends up on this page, I realized I should post the answer:

Using launchd instead of cron does indeed fix the authorization problem. Your user launchd jobs (which run only when you are logged in) correctly use the SSH agent information that was unlocked via your keychain as part of login (as part of standard OS X key management, no other software required).

To minimize my interactions with launchd, I created a single launchd job that calls a bash script. In this way I can simply edit the script without dealing with launchd.

Here's the launchd file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.mycron.hourly</string>

  <key>ProgramArguments</key>
  <array>
    <string>/Users/john/bin/cron.hourly</string>
  </array>

  <key>Nice</key>
  <integer>1</integer>

  <key>StartInterval</key>
  <integer>3600</integer> <!-- start every X seconds -->

  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>

I saved the file to ~/Library/LaunchAgents/com.mycron.hourly.plist, and then loaded it with:

launchctl load ~/Library/LaunchAgents/com.mycron.hourly.plist

Once loaded, it will run right away and then again every 60 minutes.

If you follow the same procedure, you'll want to change the `ProgramArguments' string with the right path to your script.

Automatically Added Keys

There are three ways SSH keys are added to ssh-agent in Snow Leopard.

manually, with ssh-add,
automatically, by ssh when you supply a key’s passphrase via the GUI prompt, and
automatically, by ssh-agent when it first starts.

The last two methods are Apple extensions: there are no “automatic” additions with stock OpenSSH. All references to ssh, ssh-agent, and ssh-add below are to Apple’s Snow Leopard versions unless I prefix the program name with the adjective “stock”.

You can disable all of Apple’s keychain-oriented SSH modifications with a (undocumented?) preference setting:

defaults write org.openbsd.openssh KeychainIntegration -bool false

Keys Added Automatically By ssh

(This is the part I missed in the previous version of my original answer since I usually use a “stock” ssh.)

Whenever ssh tries to use a passphrase protected SSH key to authenticate itself to a remote host, it will issue a GUI prompt for the SSH key’s password. The key is also loaded into the agent (if the passphrase is correct) whether or not you mark the “Remember password in my keychain” checkbox.

There are two (undocumented?) ways to prevent ssh from issuing this GUI prompt (and thus adding the SSH key to the ssh-agent):

A preference setting:

defaults write org.openbsd.openssh AskPassGUI -bool false

An ssh_config entry (or -o option to ssh) that specifies AskPassGUI no.

(see keychain_read_passphrase in keychain.c; the oAskPassGUI parameter comes from the AskPassGUI configuration setting)

When AskPassGUI is disabled, ssh will prompt you in the normal way for the key’s password (i.e. through the tty).

You could also avoid automatic adds from ssh by using a “stock” ssh (e.g. OpenSSH compiled by MacPorts, Homebrew “duplicates” from homebrew-alt, or Fink).

Keys Added Automatically By ssh-agent

The keys that ssh-agent automatically adds are those that have their passphrases stored in a keychain. These “remembered keys” are automatically added when a new ssh-agent starts. There is no command line or configuration option (other than KeychainIntegration, described above) to prevent ssh-agent from automatically loading the “remembered keys” (see the call to process_add_from_keychain (defined in keychain.c) from main in ssh-agent.c). If, however, you can arrange to lock the keychains that store your SSH key passphrases, you can click Cancel when ssh-agent asks to unlock the keychain(s) and effectively get ssh-agent to skip adding these “remembered keys” when it first starts.

If there is no ssh-agent running, your first use of ssh will likely trigger launchd to start an ssh-agent which will load all the “remembered keys”. This makes it seem like ssh is loading the keys into the agent, but it is really the agent itself that is loading the keys. It only does this automatically when it first starts.

The -k option of ssh-add provides a manual way to add the “remembered keys” (see add_from_keychain in ssh-add.c which ends up as a message to the agent which calls process_add_from_keychain from process_message in ssh-agent.c).

launchd Configuration

You are right that a system update could overwrite your modification to the file in /System/Library/LaunchAgents/. You should always avoid changing things under /System/; most things can be (re)configured without making changes there. In this case, it looks like you should be able to override the system default launchd job specification on a per-user basis with a file in ~/Library/LaunchAgents/.

From what I can tell¹, entries are loaded in this order²:

~/Library/LaunchAgents/
/Library/LaunchAgents/
/Network/Library/LaunchAgents/ (not present on most systems)
/System/Library/LaunchAgents/

It does not seem to be documented, but only the first job configuration for each Label (e.g. org.openbsd.ssh-agent) will be kept. Any configuration from a later directory with the same Label as a configuration from an earlier directory is effectively skipped.

¹ See NSStartSearchPathEnumeration used in launchctl.c and defined in NSSystemDirectories.h/NSSystemDirectories.c.

² launchd also looks in the LaunchDaemons/ directories next to the various LaunchAgents/ directories for other types of jobs.

MacOS – Mac OS X Lion and sshpass

You should first file a complaint with the server's administration, observing that public key authentication is vastly more secure than simply a password, but I'll assume you've already done so, and your admins are simply idiots.

Apple sadly removed ssh-askpass when they integrated its functionality into ssh, scp, and ssh-add. There is however an SSHKeychain package that provides an ssh-askpass with an Apple-like Cocoa password prompt for macports' openssh package. It should fix your problems the way you want, perhaps even setting the SSH_ASKPASS variable for you.

Just fyi, I'd usually recommend against installing the openssh macports package itself because it break your Apple password prompt, but once you've installed SSHKeychain macports usually offers a more recent openssh than Apple.

There is nothing wrong imho with embedding passwords in scripts when the server disables public key authentication, i.e. if they cared about security, they should reenable public keys. There are even servers that intentionally break sshpass. You could access such machines using the following expect script :

#!/usr/bin/expect -f
set timeout -1
set send_human {.05 0.1 1 .07 1.5}
eval spawn $argv
match_max 100000
expect {
   -re "USERNAME@(\[0-9A-Za-z_\\-\\.\]+)'s password: "
     { sleep 0.1 ; send -- "PASSWORD\r" ; sleep 0.3 }
}
interact

You may speed up this script by reducing the sleeps and send_human delays.

Best Answer

Related Solutions

How to prevent ssh from adding the key to ssh-agent on Snow Leopard

Automatically Added Keys

Keys Added Automatically By ssh

Keys Added Automatically By ssh-agent

launchd Configuration

MacOS – Mac OS X Lion and sshpass

Related Question