Using the latest SSH from Homebrew on OSX
OSX 10.9 Mavericks own stock version of OpenSSH is OpenSSH_6.2p2, while the latest in Homebrew is OpenSSH_6.9p1. Unfortunately it appears the ssh-agent protocol between these OpenSSH versions doesn't play nice together.
Normally OSX has good integration between SSH, password protected private keys and the system keychain, similar to what ssh-agent normally provides. It does this by providing an SSH_AUTH_SOCK on boot via launchd and exporting that variable to all processes. The auth socket is normally at /tmp/launch-xxxxxx/Listeners.
To use the Homebrew OpenSSH version with OSX keychain support and a single ssh-agent instance you'll need to:
-
Start the
ssh-agentwith launchd. Edit/System/Library/LaunchAgents/org.openbsd.ssh-agent.plistto look like the following. Note the important part here is the argument to the ProgramAgurments key, i.e. the-Dinstead of what was previously there.<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>org.openbsd.ssh-agent</string> <key>ProgramArguments</key> <array> <string>/usr/local/bin/ssh-agent</string> <string>-D</string> </array> <key>ServiceIPC</key> <true/> <key>Sockets</key> <dict> <key>Listeners</key> <dict> <key>SecureSocketWithKey</key> <string>SSH_AUTH_SOCK</string> </dict> </dict> <key>EnableTransactions</key> <true/> </dict> </plist> -
Restart the service and confirm it's running:
$ launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist $ launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist $ launchctl start org.openbsd.ssh-agent $ launchctl list | grep org.openbsd.ssh-agent 731 - org.openbsd.ssh-agentIf the process didn't start instead you'll see:
- 0 org.openbsd.ssh-agent -
Now you need to configure your shell environment to make use of this running ssh-agent instance. To do so first we need a password helper script.
$ cat /usr/local/bin/ssh-ask-keychain #!/bin/sh security find-generic-password -l "SSH: ${HOME}/.ssh/id_rsa" -gwRemember to make this script executable.
-
Finally we need the magic in our shell rc file. The following code is inspired by gpg-agent's method of using a single agent process.
# # Use single ssh-agent launched by launchd # export SSH_ASKPASS=/usr/local/bin/ssh-ask-keychain if test -f $HOME/.ssh-agent-pid && kill -0 `cat $HOME/.ssh-agent-pid` 2>/dev/null; then SSH_AUTH_SOCK=`cat $HOME/.ssh-auth-sock` SSH_AGENT_PID=`cat $HOME/.ssh-agent-pid` export SSH_AUTH_SOCK SSH_AGENT_PID else # Discover the running ssh-agent started by launchd export SSH_AGENT_PID=$(pgrep -U $USER ssh-agent) if [ -n "$SSH_AGENT_PID" ]; then export SSH_AUTH_SOCK=$(lsof -U -a -p $SSH_AGENT_PID -F n | grep '^n/' | cut -c2-) echo "$SSH_AUTH_SOCK" >! ${HOME}/.ssh-auth-sock echo "$SSH_AGENT_PID" >! ${HOME}/.ssh-agent-pid else echo "No running ssh-agent found. Check your launchd service." fi # Add all the local keys, getting the passphrase from keychain, helped by the $SSH_ASKPASS script. ssh-add < /dev/null fi
Start a new shell terminal and you should be able to establish new SSH connections without being prompted for a password.
With this setup you could also add any flags you may want to the ssh-agent, for example if you wanted to expire identities added to the agent after one hour you could add -t 3600 to the plist file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>org.openbsd.ssh-agent</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/ssh-agent</string>
<string>-D</string>
<string>-t 3600</string>
</array>
<key>ServiceIPC</key>
<true/>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>SecureSocketWithKey</key>
<string>SSH_AUTH_SOCK</string>
</dict>
</dict>
<key>EnableTransactions</key>
<true/>
</dict>
</plist>Written by Jinn Koriech
Related protips
1 Response
could you please tell me how will i revert back to the stock ssh because i can not get it to work and ssh is not working anymore. i need the old ssh, please help
Have a fresh tip? Share with Coderwall community!
