As a devops/sysadmin (whatever those titles mean to you), I rely on SSH pretty much all the time. I am also very paranoid about security and my various SSH keys; this led me to completely disable the ssh-agent a long time ago, because I didn't want my password stored in the OS X keychain for an indefinite period of time (especially because I almost never reboot my machine) in case something really bad happens, like my machine getting stolen.
However, today I ran into a small issue with this setup when I wanted to deploy an application using capistrano from my machine, something I hadn't done in forever and don't usually do (I have a tool similar to capistrano, but I push archives directly onto a set of servers without relying on an external SCM server). I realised that, since my ssh-agent was disabled, ssh forwarding was a no-go.
The first thing I did was upgrade my ssh-agent using homebrew, following this article: http://www.dctrwatson.com/2013/07/how-to-update-openssh-on-mac-os-x/. Then I used this discussion thread: https://discussions.apple.com/thread/2135145 to find a way to set a timeout on my ssh-agent. At first, I thought it was a good idea to set the timeout to 10 seconds, but somehow that's a bit short when deploying through capistrano, so I finally settled on 120 seconds. My plist now looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.openbsd.ssh-agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/ssh-agent</string>
        <string>-l</string>
        <string>-t</string>
        <string>120</string>
    </array>
    <key>ServiceIPC</key>
    <true/>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SecureSocketWithKey</key>
            <string>SSH_AUTH_SOCK</string>
        </dict>
    </dict>
    <key>EnableTransactions</key>
    <true/>
</dict>
</plist>
For the moment this is satisfying enough, even if I have to manually enter my key(s) in the agent every two minutes if I want to use them on a remote server allowing agent forwarding. Also, setting the right key(s) in the ssh options of capistrano is a big help for selecting which key(s) to use when deploying.
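An added example, not part of the original post: a Python check that reads a launchd plist like the one above and reports the default key lifetime passed to ssh-agent with `-t`, so a missing or overly long timeout is caught before keys sit in the agent indefinitely. The 300-second ceiling and the `_sample` helper are assumptions made for this illustration.

```python
import plistlib
import re

# Units from the sshd_config(5) TIME FORMATS syntax; a bare number is seconds.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_lifetime(value: str) -> int:
    """Convert an ssh-agent -t value such as '120', '2m' or '1h30m' to seconds."""
    text = value.lower()
    parts = re.findall(r"(\d+)([smhdw]?)", text)
    # Reject input with leftover characters the pattern did not consume.
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised lifetime: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def agent_lifetime(plist_bytes: bytes):
    """Return the default key lifetime in seconds, or None if -t is absent."""
    args = plistlib.loads(plist_bytes).get("ProgramArguments", [])
    for i, arg in enumerate(args):
        if arg == "-t" and i + 1 < len(args):
            return parse_lifetime(args[i + 1])
        if arg.startswith("-t") and len(arg) > 2:  # attached form, e.g. "-t120"
            return parse_lifetime(arg[2:])
    return None


def audit(plist_bytes: bytes, max_seconds: int = 300) -> str:
    """max_seconds is an assumed policy ceiling, not a value from the post."""
    lifetime = agent_lifetime(plist_bytes)
    if lifetime is None:
        return "FAIL: no -t, keys stay loaded until removed or the agent exits"
    if lifetime > max_seconds:
        return f"WARN: lifetime {lifetime}s exceeds {max_seconds}s"
    return f"OK: keys expire after {lifetime}s"


def _sample(args):
    """Constructed input: a minimal plist carrying only the fields audited here."""
    return plistlib.dumps({"Label": "org.openbsd.ssh-agent", "ProgramArguments": args})


if __name__ == "__main__":
    print(audit(_sample(["/usr/local/bin/ssh-agent", "-l", "-t", "120"])))
    print(audit(_sample(["/usr/local/bin/ssh-agent", "-l"])))
```

To check a real file, pass its bytes to `audit`, for example `audit(open(path, "rb").read())`.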