Snow Leopard, ssh-agent and an everlasting memory

If you recently switched from an older (pre 10.6) version of OS X to the latest baby, and have the old habit of using ssh to connect around, you may have noticed a singular behaviour: while the older versions always asked you for a passphrase (you have a passphrase set on your private key, right?) the new OS 10.6.x does it just the first time you use it.

Now, no doubt it is handy and user-friendly and automagical and… but I feel it disturbing: if by chance I hand over the laptop to somebody for a quick glance at a web page, for example, she can use it to connect anywhere without my consent — ok, I’m oversimplifying, but you get the idea.

The mistery lies into our old friend ssh-agent: it is spawn using
/System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
[on a single line for yout copying pleasure] as a configuration file and it will cache your passphrase the first time you use ssh.
Up to here it’s fine.

What is troublesome to me is that the default cache time is unlimited (see the man page, this is the default behaviour when it is launched without specifying a “-t” option) therefore it will never forget the passphrase until I logout — being the only user of my laptop, this does not happen often.

Enter the joy of xml configuration files: edit the org.openbsd.ssh-agent.plist, and add the option to your liking, that is change this

<array>
<string>/usr/bin/ssh-agent</string>
<string>-l</string>
</array>

to something like this

<array>
<string>/usr/bin/ssh-agent</string>
<string>-l</string>
<string>-t</string>
<string>120</string>
</array>

if a couple of minutes of “grace period” suit your usage.
Then, just kill the process — it will spawn again the next time you use ssh.

[By the way:
Dear Internet, posting code like the XML up here sucks big time.
It took me more time to format the two snippets to render correctly then writing the whole post.
What do you use to ease this pain?
thank you.]

Author: zen

Geek of all trades, having fun with *NIX, the Internet and computer security since 1995.

5 thoughts on “Snow Leopard, ssh-agent and an everlasting memory”

  1. Hi

    I tried this and does not work.

    This is my array in the plist file


    <array>
    <string>/usr/bin/ssh-agent</string>
    <string>-l</string>
    <string>-t</string>
    <string>120</string>
    </array>

    But after killing the ssh-agent it is always restarted just with the “-l” argument as you can see here

    venus:~ ramiro$ ps aux | grep ssh
    ramiro 15670 0,0 0,0 2425708 284 s000 R 2:12PM 0:00.00 grep ssh
    ramiro 15651 0,0 0,1 2458440 2504 ?? S 2:10PM 0:00.03 /usr/bin/ssh-agent -l

    Does anybody succeed whit this tip?

    By the way, I updated from Leopard (no clean install of Snow Leopard)

    Thanks.

  2. hi ramiro,
    did you logout / login?
    I didn’t check in detail, but I strongly suspect launchd has its own cached view of the .plists on the filesystem.
    Logging out of your user is maybe the fastest way to get rid of this cache (there probably are more elegant ways to do so).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.