Last Updated: February 25, 2016
· Keeguon

Toying with the OS X ssh-agent

As a devops/sysadmin (whatever those titles mean to you), I rely on SSH pretty much all the time. I am also very paranoid about security and my various SSH keys. This led me to completely disable the ssh-agent a long time ago, because I didn't want my password stored in the OS X keychain for an indefinite period of time (especially because I almost never reboot my machine) in case something really bad happens, like my machine getting stolen.

However, today I ran into a small issue with this setup when I wanted to deploy an application using Capistrano (something I hadn't done in forever) from my machine, which I don't usually do (I have a tool similar to Capistrano, but I push archives directly onto a set of servers without relying on an external SCM server). I realised that since my ssh-agent was disabled, SSH forwarding was a no go.

The first thing I did was upgrade my ssh-agent using Homebrew and the following article: Then I used this discussion thread: to find a way to set a timeout on my ssh-agent. At first, I thought it was a good idea to set the timeout to 10 seconds, but somehow that's a bit short when deploying through Capistrano, so I finally settled on 120 seconds. Now my plist looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "">
<plist version="1.0">

For the moment it's satisfying enough, even if I have to manually enter my key(s) in the agent every two minutes if I want to use them on a remote server allowing agent forwarding. Also, setting the right key(s) in the SSH options of Capistrano is a big help for selecting which key(s) to use when deploying.
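
To show where the timeout sits in a launchd plist, here is an added example (not code from the original post, and not the author's plist, which is cut off above) that reads an ssh-agent LaunchAgent plist, reports its `-t` lifetime, and sets it to 120 seconds. The sample plist is constructed on the model of the stock OS X `org.openbsd.ssh-agent` agent; its binary path and `-l` argument, and the function names, are assumptions.

```python
import plistlib

# Constructed sample modelled on the stock OS X ssh-agent LaunchAgent.
# The path and the "-l" argument are assumptions, not the author's plist.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "org.openbsd.ssh-agent",
    "ProgramArguments": ["/usr/bin/ssh-agent", "-l"],
    "Sockets": {"Listeners": {"SecureSocketWithKey": "SSH_AUTH_SOCK"}},
    "EnableTransactions": True,
})


def agent_lifetime(plist_bytes):
    """Return the value passed to ssh-agent's -t option, or None if unset."""
    args = plistlib.loads(plist_bytes).get("ProgramArguments", [])
    for i, arg in enumerate(args[1:], start=1):
        if arg == "-t" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("-t") and len(arg) > 2:  # attached form, e.g. "-t120"
            return arg[2:]
    return None  # no -t: keys stay loaded until removed or the agent exits


def set_agent_lifetime(plist_bytes, seconds):
    """Return a new plist whose ssh-agent is started with -t <seconds>."""
    if seconds <= 0:
        raise ValueError("lifetime must be a positive number of seconds")
    doc = plistlib.loads(plist_bytes)
    args = doc["ProgramArguments"]
    cleaned, skip_value = [], False
    for arg in args[1:]:
        if skip_value:              # value belonging to an earlier "-t"
            skip_value = False
        elif arg == "-t":
            skip_value = True
        elif not arg.startswith("-t"):
            cleaned.append(arg)
    # Put the lifetime first, keep every other argument in its original order.
    doc["ProgramArguments"] = [args[0], "-t", str(seconds)] + cleaned
    return plistlib.dumps(doc)


if __name__ == "__main__":
    print("lifetime before:", agent_lifetime(SAMPLE_PLIST))
    patched = set_agent_lifetime(SAMPLE_PLIST, 120)
    print("lifetime after: ", agent_lifetime(patched))
    print(patched.decode())
```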