If you recently switched from an older (pre 10.6) version of OS X to the latest baby, and have the old habit of using ssh to connect around, you may have noticed a singular behaviour: while the older versions always asked you for a passphrase (you have a passphrase set on your private key, right?) the new OS 10.6.x does it just the first time you use it.
Now, no doubt it is handy and user-friendly and automagical and… but I feel it disturbing: if by chance I hand over the laptop to somebody for a quick glance at a web page, for example, she can use it to connect anywhere without my consent — ok, I’m oversimplifying, but you get the idea.
The mistery lies into our old friend ssh-agent: it is spawn using
/System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
[on a single line for yout copying pleasure] as a configuration file and it will cache your passphrase the first time you use ssh.
Up to here it’s fine.
What is troublesome to me is that the default cache time is unlimited (see the man page, this is the default behaviour when it is launched without specifying a “-t” option) therefore it will never forget the passphrase until I logout — being the only user of my laptop, this does not happen often.
Enter the joy of xml configuration files: edit the org.openbsd.ssh-agent.plist
, and add the option to your liking, that is change this
<array>
<string>/usr/bin/ssh-agent</string>
<string>-l</string>
</array>
to something like this
<array>
<string>/usr/bin/ssh-agent</string>
<string>-l</string>
<string>-t</string>
<string>120</string>
</array>
if a couple of minutes of “grace period” suit your usage.
Then, just kill the process — it will spawn again the next time you use ssh.
[By the way:
Dear Internet, posting code like the XML up here sucks big time.
It took me more time to format the two snippets to render correctly then writing the whole post.
What do you use to ease this pain?
thank you.]