One way to help protect against SSH agent hijacking is by confirming each use of the decrypted identities managed by ssh-agent.
These tools allow confirmation while (still) meeting the following objectives:
- Password protected SSH identities
- SSH identity passwords stored in Mac OS X Keychain
- Passwords do not need to be entered again and again
- Absolute minimum install:
  - Do not overwrite or replace executables
  - Do not require compiling or Xcode
This is a useful hack. More useful would be development by Apple to support SSH Agent confirmations.
Additional helper utilities:
- cmc: ControlMaster Controller - Eases management of SSH ControlMaster connections.
- solo-agent: Enable discrete SSH Agents to avoid leaking access across hosts
- macOS no longer comes with X11. Unless you have an old release, XQuartz is required (#1).
- Symlink `ssh-askpass.sh` to `/usr/libexec/ssh-askpass`. (The `install.sh` script does this.)
- It may be convenient to put `ssh_add_confirm_ids.sh` in your PATH.
- Add identities to your Mac OS X Keychain via `ssh-add -K`
- Prior to connecting to any hosts, execute `ssh_add_confirm_ids.sh`
- In the interest of security, do not "Always Allow" `security` access to your keychain
- Repeat the step above each time you log into your Mac
To clear existing identities in the agent and load the configured identities so that they require confirmation:

`ssh-add -D; ssh_add_confirm_ids.sh`

To clear existing identities in the agent and load the identities saved in your keychain without the need to confirm access:

`ssh-add -D; ssh-add -k`
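As an added example (not the project's own `ssh_add_confirm_ids.sh`), here is a hypothetical POSIX shell version of that step: it reads identity paths from a config file (assumed to live at `~/.ssh/confirm_ids`), clears the agent, and loads each key with `ssh-add -c`, so that every signing request has to be approved through the askpass helper. It assumes the `/usr/libexec/ssh-askpass` symlink from the install steps is in place.

```shell
#!/bin/sh
# Hypothetical stand-in for ssh_add_confirm_ids.sh (added example, not the
# project's script). Loads each identity listed in a config file into the
# running ssh-agent with `ssh-add -c`, so the agent asks the askpass helper
# (/usr/libexec/ssh-askpass, per the install steps) before every use of a key.

# Config file (assumed path): one identity path per line; '#' comments and
# blank lines are ignored and a leading ~ is expanded to $HOME. Paths must
# not contain whitespace, since the loader word-splits the list.
CONFIRM_IDS_CONF="${CONFIRM_IDS_CONF:-$HOME/.ssh/confirm_ids}"
# -c requires confirmation on each use. On Apple's ssh-add, adding -K makes it
# read the passphrase previously stored in Keychain by `ssh-add -K`.
SSH_ADD_FLAGS="${SSH_ADD_FLAGS:--c}"

# Print the identity paths from a config file, one per line.
identities_from_config() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | sed "s|^~|$HOME|"
}

# Load every identity from the config with confirmation required.
# Returns the number of identities that could not be loaded (0 on success).
load_confirm_identities() {
    failed=0
    # ssh-add only consults SSH_ASKPASS when DISPLAY is set and stdin is not
    # a terminal; /dev/null on stdin forces the helper for the passphrase too.
    : "${DISPLAY:=:0}"; export DISPLAY
    export SSH_ASKPASS="${SSH_ASKPASS:-/usr/libexec/ssh-askpass}"
    for id in $(identities_from_config "$1"); do
        if [ ! -r "$id" ]; then
            echo "skipping unreadable identity: $id" >&2
            failed=$((failed + 1))
            continue
        fi
        ssh-add $SSH_ADD_FLAGS "$id" </dev/null || failed=$((failed + 1))
    done
    return "$failed"
}

main() {
    # Drop whatever the agent already holds, then load the confirm-only set.
    ssh-add -D >/dev/null 2>&1 || true
    load_confirm_identities "$CONFIRM_IDS_CONF"
}

# Run only when executed under the script's own name, not when sourced.
case "$0" in *ssh_add_confirm_ids*) main "$@" ;; esac
```

Saved as `ssh_add_confirm_ids.sh` and run after login, it replaces the manual `ssh-add -D; ssh-add -c ...` sequence; `ssh-add -l` afterwards lists the keys, and each use then pops the askpass confirmation.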
- And now Chicken of the VNC tunneled through SSH on OS X (includes `macos-askpass`, an SSH_ASKPASS command for Mac OS X)
- Making OpenSSH on Mac OS X More Secure
- Get Current Application with AppleScript