
I have an SSH RSA key on a client running OSX 10.9.4. The SSH server is Ubuntu. Everything works OK, but the problem is that my OSX ssh-agent seems to be caching the passphrases. The first time I ssh, it is asked. Next time, it is not, and I directly log in to the server.

I am worried about security here. If someone steals my machine, they would have access to the server without entering any password... yeah, I still have my OSX user, but still.

So do you know when OSX ssh-agent asks again?

It seems I have the same question as: http://www.dribin.org/dave/blog/archives/2007/11/28/securing_ssh_agent/

But I don't know how that applies to OSX 10.9.4

Thanks in advance,

1 Answer


You can set a key's lifetime when you add it with ssh-add(1):

-t life
         Set a maximum lifetime when adding identities to an agent.  The
         lifetime may be specified in seconds or in a time format
         specified in sshd_config(5).

e.g.

ssh-add -t 3600 ~/.ssh/id_rsa

will make the agent forget this key after 1h.

If your keys get auto-loaded, you can either try to find where that happens (.bashrc, .bash_profile, /etc/profile, ...) and change the ssh-add parameters there, or remove the keys from the agent (ssh-add -D) and re-add them with a lifetime as above.

Alternatively, if you want your agent to always forget keys after say 1h, you could alter the service definition as described e.g. here. But that seems to not work for everyone.

[I assume here that your OSX is also using OpenSSH for SSH client and agent, just like that old OSX 10.6.8 I have access to. If your OSX is using something else by now, then this answer might not apply.]

Nils Toedtmann
  • Thanks. This was helpful. I ended up doing the first step from [http://tim.vanwerkhoven.org/post/2011/11/17/OSX-launchd-and-launchctl-issues]. Thank you very much – Mariano Martinez Peck Sep 11 '14 at 02:46
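
An added example, not part of the answer or comment above: a POSIX shell wrapper around the answer's `ssh-add -t` call that parses the sshd_config(5) time format and refuses to load a key with a missing, malformed or overlong lifetime. The function names and the 4-hour `MAX_LIFETIME` cap are assumptions of this example.

```shell
# Added example; function names and the 4h cap are assumptions, not from the answer.
MAX_LIFETIME=${MAX_LIFETIME:-14400}   # policy cap in seconds (assumed value)

# Convert an sshd_config(5) time value (3600, 90m, 1h30m, 2d ...) to seconds.
# Prints the result; returns 1 on malformed input.
lifetime_to_seconds() {
    rest=$1 total=0
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        num=${rest%%[!0-9]*}                 # leading run of digits
        [ -n "$num" ] || return 1
        rest=${rest#"$num"}
        unit=${rest%"${rest#?}"}             # next character, empty at end of string
        rest=${rest#?}
        # Strip leading zeros so the shell does not read "010" as octal.
        while [ "${#num}" -gt 1 ] && [ "${num#0}" != "$num" ]; do num=${num#0}; done
        case $unit in
            ''|s|S) mult=1 ;;
            m|M)    mult=60 ;;
            h|H)    mult=3600 ;;
            d|D)    mult=86400 ;;
            w|W)    mult=604800 ;;
            *)      return 1 ;;
        esac
        total=$((total + num * mult))
    done
    echo "$total"
}

# Load a key into the agent only with a bounded lifetime.
# Returns 2 for an unparsable lifetime, 3 for one outside 1..MAX_LIFETIME.
add_key_limited() {
    key=$1 life=${2:-1h}
    secs=$(lifetime_to_seconds "$life") || { echo "bad lifetime: $life" >&2; return 2; }
    if [ "$secs" -eq 0 ] || [ "$secs" -gt "$MAX_LIFETIME" ]; then
        echo "lifetime $life outside policy (1..${MAX_LIFETIME}s)" >&2
        return 3
    fi
    ssh-add -t "$secs" "$key"                # same call as in the answer
}
```

Calling `add_key_limited ~/.ssh/id_rsa 1h` from the profile line that currently runs `ssh-add` gives the auto-load case a bounded lifetime.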