qdwcpg
Last Updated: December 07, 2016
·
10.71K
· jinnko
Jinn

Using the latest SSH from Homebrew on OSX

OSX 10.9 Mavericks own stock version of OpenSSH is OpenSSH_6.2p2, while the latest in Homebrew is OpenSSH_6.9p1. Unfortunately it appears the ssh-agent protocol between these OpenSSH versions doesn't play nice together.

Normally OSX has good integration between SSH, password protected private keys and the system keychain, similar to what ssh-agent normally provides. It does this by providing an SSH_AUTH_SOCK on boot via launchd and exporting that variable to all processes. The auth socket is normally at /tmp/launch-xxxxxx/Listeners.

To use the Homebrew OpenSSH version with OSX keychain support and a single ssh-agent instance you'll need to:

  1. Start the ssh-agent with launchd. Edit /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist to look like the following. Note the important part here is the argument to the ProgramAgurments key, i.e. the -D instead of what was previously there.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
        <dict>
            <key>Label</key>
            <string>org.openbsd.ssh-agent</string>
            <key>ProgramArguments</key>
            <array>
                <string>/usr/local/bin/ssh-agent</string>
                <string>-D</string>
            </array>
            <key>ServiceIPC</key>
            <true/>
            <key>Sockets</key>
            <dict>
                <key>Listeners</key>
                <dict>
                    <key>SecureSocketWithKey</key>
                    <string>SSH_AUTH_SOCK</string>
                </dict>
            </dict>
            <key>EnableTransactions</key>
            <true/>
        </dict>
    </plist>
  2. Restart the service and confirm it's running:

    $ launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
    $ launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
    $ launchctl start org.openbsd.ssh-agent
    $ launchctl list | grep org.openbsd.ssh-agent
    731 -   org.openbsd.ssh-agent

    If the process didn't start instead you'll see:

    -   0   org.openbsd.ssh-agent
  3. Now you need to configure your shell environment to make use of this running ssh-agent instance. To do so first we need a password helper script.

    $ cat /usr/local/bin/ssh-ask-keychain
    #!/bin/sh
    
    security find-generic-password -l "SSH: ${HOME}/.ssh/id_rsa" -gw

    Remember to make this script executable.

  4. Finally we need the magic in our shell rc file. The following code is inspired by gpg-agent's method of using a single agent process.

    #
    # Use single ssh-agent launched by launchd
    #
    export SSH_ASKPASS=/usr/local/bin/ssh-ask-keychain
    if test -f $HOME/.ssh-agent-pid && kill -0 `cat $HOME/.ssh-agent-pid` 2>/dev/null; then
      SSH_AUTH_SOCK=`cat $HOME/.ssh-auth-sock`
      SSH_AGENT_PID=`cat $HOME/.ssh-agent-pid`
      export SSH_AUTH_SOCK SSH_AGENT_PID
    else
    
      # Discover the running ssh-agent started by launchd
      export SSH_AGENT_PID=$(pgrep -U $USER ssh-agent)
      if [ -n "$SSH_AGENT_PID" ]; then
        export SSH_AUTH_SOCK=$(lsof -U -a -p $SSH_AGENT_PID -F n | grep '^n/' | cut -c2-)
        echo "$SSH_AUTH_SOCK" >! ${HOME}/.ssh-auth-sock
        echo "$SSH_AGENT_PID" >! ${HOME}/.ssh-agent-pid
      else
        echo "No running ssh-agent found.  Check your launchd service."
      fi
    
      # Add all the local keys, getting the passphrase from keychain, helped by the $SSH_ASKPASS script.
      ssh-add < /dev/null
    fi

Start a new shell terminal and you should be able to establish new SSH connections without being prompted for a password.

With this setup you could also add any flags you may want to the ssh-agent, for example if you wanted to expire identities added to the agent after one hour you could add -t 3600 to the plist file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>org.openbsd.ssh-agent</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/bin/ssh-agent</string>
            <string>-D</string>
            <string>-t 3600</string>
        </array>
        <key>ServiceIPC</key>
        <true/>
        <key>Sockets</key>
        <dict>
            <key>Listeners</key>
            <dict>
                <key>SecureSocketWithKey</key>
                <string>SSH_AUTH_SOCK</string>
            </dict>
        </dict>
        <key>EnableTransactions</key>
        <true/>
    </dict>
</plist>
Say Thanks
Respond

1 Response
Add your response

28364

could you please tell me how will i revert back to the stock ssh because i can not get it to work and ssh is not working anymore. i need the old ssh, please help

12 months ago ·
Filed Under