Last Updated: February 25, 2016
·
773
· Keeguon

Toying with the OS X ssh-agent

#security
#ssh
#os x
#capistrano

As a devops/sysadmin (whatever those titles mean to you), I rely on SSH pretty much all the time. Also I am very paranoiac regarding security and my various SSH keys, this led me to completely disable the ssh-agent a long time ago because I didn't want my password stored in the OS X keychain for an indefinite period of time (especially because I'm almost never rebooting my machine) in case something really bad happens like my machine getting stolen.

However, today I ran into a small issue regarding this setup when I wanted to deploy an application using capistrano (something I hadn't done since forever) from my machine which I don't usually do (I have a tool similar to capistrano but I push archives directly onto a set of servers without relying on an external SCM server) and realised that since my ssh-agent was disabled ssh forwarding was a no go.

First thing I did is upgrade my ssh-agent using homebrew and using the following article: http://www.dctrwatson.com/2013/07/how-to-update-openssh-on-mac-os-x/. Then I used this discussion thread: https://discussions.apple.com/thread/2135145 to find a way to set a timeout to my ssh-agent. At first, I thought it was a good idea to set the timeout to 10 seconds but somehow it's a bit short when deploying through capistrano so I finally settled it to 120 seconds so now my plist looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.openbsd.ssh-agent</string>
    <key>ProgramArguments</key>
    <array>
    <string>/usr/local/bin/ssh-agent</string>
        <string>-l</string>
        <string>-t</string>
        <string>120</string>
    </array>
    <key>ServiceIPC</key>
    <true/>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SecureSocketWithKey</key>
            <string>SSH_AUTH_SOCK</string>
        </dict>
    </dict>
        <key>EnableTransactions</key>
        <true/>
</dict>
</plist>

For the moment it's satisfying enough even if I have to manually enter my key(s) in the agent every two minutes if I want to use them on a remote server allowing agent forwarding. Also, setting the right key(s) in the ssh options of capistrano is a big help for selecting which key(s) to use when deploying.

Peace.

#security
#ssh
#os x
#capistrano

Written by Félix Bellanger

Say Thanks
Respond

Related protips

Goodbye PHP Sessions, Hello JSON Web Tokens

231K
21

GPG: Change email for key in PGP key servers

40.56K
0

Redirect authenticated user on anonymous pages in Symfony

32.24K
1

Have a fresh tip? Share with Coderwall community!

Post
Post a tip
Best #Security Authors
rmcdaniel
231K
#security
#JavaScript
#Open Source
w0ng
40.55K
#security
#VimL
#JavaScript
zdenekdrahos
32.24K
#security
#php
#Html::Css
jasny
27.55K
#security
#JavaScript
#C
nmalcolm
26.9K
#security
#PHP
#python
Related Tags
#security
#ssh
#os x
#capistrano
Sponsored by
#native_company#
#native_desc#
#native_cta#
Filed Under
Tools
Awesome Job
See All Jobs
Post a job for only $299
Thanks to our sponsor
Sponsored by #native_company# — Learn More
#native_title# #native_desc#
#native_cta#