SSH ONLY – Passphrase Asked Again & SSH-AGENT Duplicated

[faxotherapy]

Either in tmux or not. Keychain is a great tool, but so much temperamental! I tried any possible --inherit option. Keychain either splits another ssh-agent or asks me again my passphrase—sometimes, after some time—either in the same tab or in a new tab I open in my (MacOS) Terminal window.

These issues happen erratically and can't be reproduced quickly, but it will happen for sure after some time of use.

I also have a tab running tmux and another normal tab. Above issues happens for both tabs.

Very strange also: in order to force Keychain retrieve my cached passphrase, I have to type it again the following command before SSHing:

eval `keychain --inherit any --agents ssh --eval id_ed25519-P`

Only then I can SSH without supplying my passphrase again. It's the only workaround I found in order not to provide my password occasionally. I even created an alias for this command, which I now decided to execute it every time before SSHing. How convenient it is!

Notes:

• The first agent opened by Keychain is /usr/bin/ssh-agent -l—OK! I'm happy. Fine!
• Then, later on, a new one is created: just ssh-agent (with another PID obviously)—Not happy! Why so if there's already one at hand opened by Keychain itself! Very annoying, indeed, indeed, indeed.

Also, I set in my PATH /usr/local/bin before /usr/bin so that /usr/local/bin/ssh-agent is retrieved first instead of the other one provided by default on MacOS. But, in the end, Keychain duplicates ssh-agent by retrieving the original version provided with MacOS, i.e., /usr/bin/ssh-agent.

Keychain is so great, but at the same time quite irritating!

Finally, I'd be very grateful if someone could explain clearer for me the following options:

       --inherit which
           Attempt to inherit agent variables from the environment.  This can
           be useful in a variety of circumstances, for example when ssh-agent
           is started by gdm.  The following values are valid for "which":

           local       Inherit when a pid (e.g. SSH_AGENT_PID) is set in the
                       environment.  This disallows inheriting a forwarded
                       agent.

           any         Inherit when a sock (e.g. SSH_AUTH_SOCK) is set in the
                       environment.  This allows inheriting a forwarded agent.

           local-once  Same as "local", but only inherit if keychain isn't
                       already providing an agent.

           any-once    Same as "any", but only inherit if keychain isn't
                       already providing an agent.

Why option SSH_AUTH_SOCK added? I don't see the purpose other than using the PID.

Thanks for your help.

[faxotherapy]

MacOS Only

Tested on OS X El Capitan 👍

I found a solution, based on Joel Knight's article: SSH Agent on OS X

As mentioned in this article, I'm myself interested in the following:

1. One unique ssh-agent is available on all Terminal windows, tabs and in tmux too.
2. Only use of OpenSSH brought from Homebrew.
3. None of my keys held in Keychain app.

If SSH only and following this guide, Mac users may no longer find the need to use keychain again. 😢

Steps

1. Create org.homebrew.ssh-agent.plist in ~/Library/LaunchAgents/ directory:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
   <dict>
      <key>Label</key>
      <string>org.homebrew.ssh-agent</string>
      <key>ProgramArguments</key>
      <array>
         <string>/usr/local/bin/ssh-agent</string>
         <string>-D</string>
         <string>-a</string>
         <string>/Users/…/.ssh/ssh-agent.sock</string>
      </array>
      <key>Sockets</key>
      <dict>
         <key>Listeners</key>
         <dict>
            <key>SockPathName</key>
            <string>/Users/…/.ssh/ssh-agent.sock</string>
            <key>SockPathMode</key>
            <integer>384</integer>
            <key>SockPathGroup</key>
            <integer>0</integer>
         </dict>
      </dict>
      <key>EnableTransactions</key>
      <true />
   </dict>
</plist>

2. If necessary, get rid off the stock version:

   $ sudo launchctl stop org.openbsd.ssh-agent
   $ sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

3. Edit your shell's rc file—mine is ~/.zshrc—as follows:

   alias loadkey='if [[ -z `pgrep ssh-agent` ]]; \
                     then launchctl  load ~/Library/LaunchAgents/org.homebrew.ssh-agent.plist && rm -f ~/.ssh/ssh-agent.sock && \
                          launchctl start org.homebrew.ssh-agent && sleep 0.5; ssh-add ~/.ssh/id_ed25519; else ssh-add ~/.ssh/id_ed25519; fi'
   alias losekey='ssh-add -D'
   
   export SSH_AUTH_SOCK="/Users/…/.ssh/ssh-agent.sock"

   loadkey to load the key in ssh-agent and losekey to clear it from ssh-agent.

Notes:

1. ssh-add -l to list identities.

2. export SSH_AUTH_SOCK="/Users/…/.ssh/ssh-agent.sock" could, instead, be put in your shell's profile.

3. To list information about the service:

   $ launchctl list org.homebrew.ssh-agent
   {
   "EnableTransactions" = true;
   "Sockets" = {
       "Listeners" = (
           file-descriptor-object;
       );
   };
   "LimitLoadToSessionType" = "Aqua";
   "Label" = "org.homebrew.ssh-agent";
   "TimeOut" = 30;
   "OnDemand" = true;
   "LastExitStatus" = 0;
   "PID" = 54180;
   "Program" = "/usr/local/bin/ssh-agent";
   "ProgramArguments" = (
       "/usr/local/bin/ssh-agent";
       "-D";
       "-a";
       "/Users/…/.ssh/ssh-agent.sock";
   );
   };

---

Interesting reading:

1. Sharing the Same ssh-agent Among Multiple login Sessions
2. Using Homebrew's OpenSSH on OS X with Zshell
3. An Illustrated Guide to SSH Agent Forwarding
4. ssh-agent on Mac OS X 10.5 (Leopard)

[mrl5]

hello @faxotherapy - if you'd like to report a bug kindly use https://bugs.funtoo.org/

you can also reach us on Discord - for more info check https://www.funtoo.org/Welcome