Toying with the OS X ssh-agent
As a devops/sysadmin (whatever those titles mean to you), I rely on SSH pretty much all the time. I am also very paranoid about security and my various SSH keys, which led me to completely disable the ssh-agent a long time ago: I didn't want my password stored in the OS X keychain for an indefinite period of time (especially since I almost never reboot my machine) in case something really bad happened, like my machine getting stolen.
However, today I ran into a small issue with this setup: I wanted to deploy an application using capistrano from my machine, something I hadn't done in ages (I usually use a tool similar to capistrano, but it pushes archives directly onto a set of servers without relying on an external SCM server), and realised that with my ssh-agent disabled, SSH agent forwarding was a no-go.
The first thing I did was upgrade my ssh-agent using homebrew, following this article: http://www.dctrwatson.com/2013/07/how-to-update-openssh-on-mac-os-x/. Then I used this discussion thread: https://discussions.apple.com/thread/2135145 to find a way to set a timeout on my ssh-agent. At first I thought 10 seconds was a good timeout, but that turned out to be a bit short when deploying through capistrano, so I finally settled on 120 seconds. My plist now looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.openbsd.ssh-agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/ssh-agent</string>
        <string>-l</string>
        <string>-t</string>
        <string>120</string>
    </array>
    <key>ServiceIPC</key>
    <true/>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SecureSocketWithKey</key>
            <string>SSH_AUTH_SOCK</string>
        </dict>
    </dict>
    <key>EnableTransactions</key>
    <true/>
</dict>
</plist>
For the moment this is satisfying enough, even if I have to manually re-add my key(s) to the agent every two minutes when I want to use them on a remote server that allows agent forwarding. Also, setting the right key(s) in capistrano's ssh options is a big help in selecting which key(s) to use when deploying.
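As an added example (my own, not code from the post), here is a small Python script that generates this plist for a chosen timeout and audits an existing one for a missing or overly long -t value, which is the setting that decides how long a loaded key stays usable by anyone who can reach the agent socket. It assumes the same Label and ProgramArguments layout as the plist above, the homebrew ssh-agent path /usr/local/bin/ssh-agent, and the OpenSSH time format for the -t value (plain seconds, or suffixed values such as 2m or 1h30m).

```python
"""Generate and audit a launchd plist for ssh-agent with a key lifetime.

Added example, not the post's own code. Assumes the plist layout shown in
the post (Label org.openbsd.ssh-agent, ProgramArguments with "-t <time>").
"""
import plistlib
import sys

# Multipliers for the OpenSSH time format used by ssh-agent -t
# (assumption: same qualifiers as sshd_config TIME FORMATS).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_lifetime(text):
    """Parse an OpenSSH time value ("120", "2m", "1h30m") into seconds."""
    total, num = 0, ""
    for ch in text:
        if ch.isdigit():
            num += ch
        elif ch in _UNITS and num:
            total += int(num) * _UNITS[ch]
            num = ""
        else:
            raise ValueError(f"bad time value: {text!r}")
    if num:  # a trailing bare number is plain seconds
        total += int(num)
    return total


def build_agent_plist(agent_path="/usr/local/bin/ssh-agent", timeout_seconds=120):
    """Return the launchd plist (bytes) for ssh-agent.

    timeout_seconds=None omits -t entirely, i.e. keys never expire (the
    setting the post is trying to avoid); used here to show what the audit
    flags.
    """
    args = [agent_path, "-l"]
    if timeout_seconds is not None:
        if timeout_seconds <= 0:
            raise ValueError("timeout must be a positive number of seconds")
        args += ["-t", str(timeout_seconds)]
    return plistlib.dumps({
        "Label": "org.openbsd.ssh-agent",
        "ProgramArguments": args,
        "ServiceIPC": True,
        "Sockets": {"Listeners": {"SecureSocketWithKey": "SSH_AUTH_SOCK"}},
        "EnableTransactions": True,
    })


def agent_key_lifetime(plist_bytes):
    """Return the -t lifetime in seconds, or None if keys are kept forever."""
    args = plistlib.loads(plist_bytes).get("ProgramArguments", [])
    for i, arg in enumerate(args):
        if arg == "-t" and i + 1 < len(args):
            return parse_lifetime(args[i + 1])
        if arg.startswith("-t") and len(arg) > 2:  # "-t120" form
            return parse_lifetime(arg[2:])
    return None


def audit(plist_bytes, max_seconds=300):
    """Classify a plist against a maximum acceptable key lifetime."""
    lifetime = agent_key_lifetime(plist_bytes)
    if lifetime is None:
        return "unlimited: keys stay loaded until the agent exits"
    if lifetime > max_seconds:
        return f"too long: {lifetime}s exceeds policy of {max_seconds}s"
    return f"ok: {lifetime}s"


if __name__ == "__main__":
    # Usage: python agent_plist.py [timeout] > org.openbsd.ssh-agent.plist
    # With a file argument it audits instead: python agent_plist.py --audit file.plist
    if len(sys.argv) == 3 and sys.argv[1] == "--audit":
        with open(sys.argv[2], "rb") as fh:
            print(audit(fh.read()))
    else:
        timeout = int(sys.argv[1]) if len(sys.argv) > 1 else 120
        sys.stdout.buffer.write(build_agent_plist(timeout_seconds=timeout))
```

The audit side is the part worth keeping around: run it over the plist launchd actually loads, and it tells you whether the agent was (re)installed without -t, which silently brings back the indefinite key lifetime the post set out to remove.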
Peace.