Mac OS X Leopard - Built-in SSH agent
October 28th, 2007
Leopard now comes with a built-in SSH agent. The really nice thing about it is that it integrates with your user’s Keychain. So, the first time you try to unlock your SSH key, a dialog will appear asking you for its password, along with an option to save that password in your Keychain.
On Tiger I was using SSHKeychain to achieve this, but it had a nasty bug where it would randomly start to consume 100% of a CPU. This chewed through my MacBook Pro’s battery, which was a pain. If you’ve been using a third-party SSH agent and want to switch to the built-in agent, make sure to check that you’re not manually setting the SSH_AUTH_SOCK environment variable, which is something I had to do to get SSHKeychain working.
If launch-services is managing your SSH agent, SSH_AUTH_SOCK should look something like this:
kenshin:~ scottr$ echo $SSH_AUTH_SOCK
/tmp/launch-fTiPvL/Listeners
Otherwise, check your various profile settings, and make sure your third-party agent isn’t set as a launch item. You’ll have to log out for this to take effect. Once launch-services is managing your SSH_AUTH_SOCK, logging into OS X will unlock your keychain and allow the ssh-agent to unlock your SSH keys without having to enter another password.
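One way to script the checks described above, as an added example that is not part of the original post: it classifies SSH_AUTH_SOCK against the launch-managed path form shown earlier and scans shell profile files for manual assignments left over from a third-party agent. The function names and the list of profile files are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find out where SSH_AUTH_SOCK
# comes from. Function names and the profile file list are assumptions.

# Classify a socket path. The first pattern is the launch-managed form shown
# in the post; the second is the form used by later macOS releases.
classify_auth_sock() {
    case "$1" in
        "") echo unset ;;
        /tmp/launch-*/Listeners|/private/tmp/com.apple.launchd.*/Listeners)
            echo launch-managed ;;
        *) echo manual ;;
    esac
}

# Print file:line:text for every line that assigns SSH_AUTH_SOCK in the
# given files (sh/bash/zsh "VAR=" or "export VAR=", csh "setenv VAR").
# Commented-out lines and files that do not exist are skipped.
find_manual_overrides() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        # /dev/null as a second operand forces grep to print the file name.
        grep -nE '^[[:space:]]*((export[[:space:]]+)?SSH_AUTH_SOCK=|setenv[[:space:]]+SSH_AUTH_SOCK)' \
            "$f" /dev/null || true
    done
    return 0
}

# Report on the current login session.
audit_ssh_agent() {
    kind=$(classify_auth_sock "${SSH_AUTH_SOCK:-}")
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-} ($kind)"
    if [ -n "${SSH_AUTH_SOCK:-}" ] && [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "warning: path is not a socket (stale setting?)"
    fi
    hits=$(find_manual_overrides "$HOME/.profile" "$HOME/.bash_profile" \
        "$HOME/.bashrc" "$HOME/.zshrc" "$HOME/.cshrc" "$HOME/.tcshrc")
    if [ -n "$hits" ]; then
        echo "manual SSH_AUTH_SOCK assignments to remove:"
        echo "$hits"
    fi
}

audit_ssh_agent
```

A result of `manual` together with a listed assignment points at the line to delete before logging out and back in.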
3 Comments
1. Alan | November 23rd, 2007 at 1:20 pm
If you aren’t getting the above mentioned prompt when trying to ssh into a server, it might be that your ssh-agent is not being managed by Leopard. See this website:
http://discussions.apple.com/thread.jspa?messageID=5727320
It fixed my issue.
2. Luke Redpath | March 5th, 2008 at 8:36 am
Here’s another gotcha for people who can’t get this working.
I was struggling to work out why I could not get this working with a new MacBook (which never had SSHKeychain installed).
The reason: I use MacPorts and had ended up installing OpenSSH via MacPorts (it was a dependency of some other lib). This resulted in a standard, non-keychain support build of ssh in /opt/local/bin, which happened to be listed in my $PATH first. Only when I ran “which ssh” did I realize what had happened.
3. John Clements | February 4th, 2009 at 8:07 am
Finally! I’m very grateful for this note. One additional hint for others like me: I had to poke around for quite a while before I discovered where it was that SSH_AUTH_SOCK was getting set. For me, it was in the environment.plist file that lives in ~/.MacOSX. I get the feeling that this may be a relic from older versions of OS X, and that nowadays this would probably be in the Library folder.
Thanks again!