One way to help protect against SSH agent hijacking is to confirm each use of the decrypted identities managed by ssh-agent.
These tools allow confirmation while (still) meeting the following objectives:
- Password protected SSH identities
- SSH identity passwords stored in Mac OS X Keychain
- Passwords do not need to be entered again and again
- Absolute minimum install:
  - Do not overwrite or replace executables
  - Do not require compiling or Xcode
Additionally, configuring SSH to use ControlMaster connections will keep things unobtrusive (see ControlMaster Controller for a useful utility that eases management of SSH ControlMaster connections).
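An `~/.ssh/config` fragment that multiplexes sessions over one master connection, added here as an example (it is not part of this project). With it, only the first connection to a host triggers the agent confirmation; later sessions to the same host ride the existing master socket. The socket directory `~/.ssh/controlmasters` and the 10 minute `ControlPersist` value are assumptions; create the directory yourself with `mkdir -m 700 ~/.ssh/controlmasters`.

```sshconfig
# Added example, not this project's configuration.
Host *
    # Reuse an existing master connection when one exists, create one otherwise.
    ControlMaster auto
    # One socket per user/host/port. The directory must exist and should be
    # mode 700: anyone who can open the socket gets a session on that host
    # without ever seeing the agent's confirmation dialog.
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    # Keep the master open in the background for 10 minutes after the last
    # session closes (assumed value; shorten it if the machine is shared).
    ControlPersist 10m
```

Because a persisted master bypasses the per-use confirmation for as long as it lives, the socket directory permissions and the `ControlPersist` timeout are the two settings to review when hardening this.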
This is a useful hack. More useful would be development by Apple to support SSH Agent confirmations.
- OS X no longer comes with X11. Unless you have an old release, XQuartz is required (#1).
- Run `make install` to install two scripts on your system: `/usr/libexec/ssh-askpass` and `/usr/libexec/ssh-add-confirm`.
- Add identities to your Mac OS X Keychain via `ssh-add -K`.
- Prior to connecting to any hosts, execute `ssh-add-confirm`.
- In the interest of security, do not click "Always Allow" when asked to grant access to your keychain.
- Repeat the `ssh-add-confirm` step each time you log into your Mac.
To clear existing identities in the agent and load the configured identities so that each use requires confirmation:

```sh
ssh-add -D; ssh-add-confirm
```

To clear existing identities in the agent and load identities saved in your keychain without the need to confirm access:

```sh
ssh-add -D; ssh-add -k
```
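To show what the confirmation step actually relies on, here is a minimal `SSH_ASKPASS`-style helper written for this page as an example; it is not one of this project's scripts. ssh-agent runs the askpass program with the prompt as its only argument. For a key loaded with `ssh-add -c` (the per-use confirmation mode) the prompt reads `Allow use of key <comment>?` followed by the fingerprint, the exit status decides (0 allows, anything else denies) and stdout is ignored; for a passphrase prompt the secret must be printed on stdout. Newer OpenSSH releases additionally set `SSH_ASKPASS_PROMPT=confirm` for confirmation requests. The dialog strings, the `osascript` invocation and the function names are this example's own choices; the agent only finds such a helper if it is installed at the path ssh-agent looks for (on OS X, `/usr/libexec/ssh-askpass`, which is why `make install` puts it there).

```sh
#!/bin/sh
# Added example, not one of this project's scripts: an SSH_ASKPASS helper for
# macOS that tells ssh-agent's per-use confirmation prompts apart from
# passphrase prompts and answers each with an osascript dialog.

# classify_prompt PROMPT -> prints "confirm" for a per-use confirmation request,
# "passphrase" for anything else. Honors SSH_ASKPASS_PROMPT where the agent sets
# it and falls back to the prompt text ("Allow use of key ...?") on older agents.
classify_prompt() {
    if [ "${SSH_ASKPASS_PROMPT:-}" = confirm ]; then
        echo confirm
        return
    fi
    case "$1" in
        "Allow use of key "*) echo confirm ;;
        *)                    echo passphrase ;;
    esac
}

# key_from_prompt PROMPT -> the key comment (normally the private key path) named
# in a confirmation prompt, so the dialog can show which identity is being used.
key_from_prompt() {
    rest=${1#"Allow use of key "}
    printf '%s\n' "${rest%%\?*}"
}

# ask_confirm MESSAGE -> exit 0 only if the user clicks Allow. Deny is both the
# default and the cancel button, so a stray Return, a closed dialog or an
# osascript failure (no GUI session) all deny the signing request.
ask_confirm() {
    osascript \
        -e 'on run argv' \
        -e '  display dialog (item 1 of argv) with title "ssh-agent" with icon caution buttons {"Deny", "Allow"} default button "Deny" cancel button "Deny"' \
        -e 'end run' \
        "$1" >/dev/null 2>&1
}

# ask_passphrase PROMPT -> prints the passphrase typed into a hidden-answer dialog.
ask_passphrase() {
    osascript \
        -e 'on run argv' \
        -e '  text returned of (display dialog (item 1 of argv) with title "ssh-agent" default answer "" with hidden answer)' \
        -e 'end run' \
        "$1"
}

# askpass_main PROMPT -> dispatch on the prompt kind; exit status and stdout
# follow the askpass protocol described above.
askpass_main() {
    prompt=$1
    case "$(classify_prompt "$prompt")" in
        confirm)
            key=$(key_from_prompt "$prompt")
            ask_confirm "Allow ssh-agent to sign with key $key?

$prompt"
            ;;
        passphrase)
            ask_passphrase "$prompt"
            ;;
    esac
}

# Only act when invoked with a prompt, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    askpass_main "$1"
fi
```

Install it as the path your ssh-agent expects for the askpass program, make it executable, then load keys with `ssh-add -c`; every signing request made through the agent (including a hijacked, forwarded one) then has to get past the dialog on your own display.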
- Original version of these scripts by TimZehta.
- And now Chicken of the VNC tunneled through SSH on OS X (includes `macos-askpass`, an SSH_ASKPASS command for Mac OS X)
- Making OpenSSH on Mac OS X More Secure
- Get Current Application with AppleScript