Stupid Mac::Glue/SSH Tricks

| | Comments (0)
You may have read in my journal about how I have my ssh-agent set up on Mac OS X; briefly, I use a login plugin called SSHAgentStartup which creates an ssh-agent before logging in, and sets up the environment in ~/.MacOSX/environment.plist, so it is global to all my apps. I have it also create a ~/.bash_ssh_env file that I can source from my bash init files.

Then I have a startup script that calls ssh-add without a terminal attached (ssh-add </dev/null works, though in this case it is a startup AppleScript that just does do shell script "/usr/bin/ssh-add" in a try/end try block), with SSH_ASKPASS set to the path of an app called SSHPassKey, which retrieves my ssh passphrase from the Keychain. Since the Keychain is unlocked upon logging in, and the ssh-agent is run and its environment vars are set before this script is run, this automatically adds my keys to the ssh-agent without any extra user interaction.

So I just log in, and this is all set up for me: a global ssh-agent for all my GUI apps and shells, with my keys added to the agent and ready to go.

The only problem I have with this setup is that I like to have my Keychain lock automatically after inactivity or sleep, for security's sake; but this does not also disable the ssh-agent. So there's a little security issue there that I wanted to address.

So, this ssh-lock script was born. It checks to see if the Keychain named for the current user is locked, and if so, it removes my identities from the ssh-agent. Mmmm, security!

[ Keychain Scripting is a little Faceless Background App; it will launch, but it won't show up in the Dock, and it will stay open. The glue for this app is created automatically when you install Mac::Glue, along with several other FBAs that reside in the /System/Library/ScriptingAdditions folder (such as URL Access Scripting, which is pretty much useless from Perl, since we have LWP). ]

#!/usr/local/bin/perl
use warnings;
use strict;
 
use Mac::Glue;
 
my $ssh_add = '/usr/bin/ssh-add';
 
my $kc = new Mac::Glue 'Keychain_Scripting';
my $locked = $kc->prop(locked => keychain => scalar getpwuid($<));
 
if ($ENV{SSH_AGENT_PID} && kill 0, $ENV{SSH_AGENT_PID}) {
    system($ssh_add, '-d') if $locked->get;
}

I call this from crontab (note that it sets up the ssh-agent vars first):

*/5   * * * * source /Users/pudge/.bash_ssh_env; /Users/pudge/bin/ssh-lock

And I also wrote a little front-end to ssh, that checks to see if my ssh-agent has my identities in it, and if not, adds them automatically, just like the startup script does, with no user interaction, unless the Keychain is locked, in which case SSHPassKey will prompt me for the Keychain password. Then, it just goes ahead and calls ssh.

#!/usr/local/bin/perl
use warnings;
use strict;
 
my $ssh = '/usr/bin/ssh';
my $ssh_add = '/usr/bin/ssh-add';
 
if ($ENV{SSH_AGENT_PID} && kill 0, $ENV{SSH_AGENT_PID}) {
        if (`$ssh_add -l` =~ /no identities/) {
                `$ssh_add </dev/null`;
        }
}
 
system($ssh, @ARGV);

Mmmmm, glue. use.perl.org

Leave a comment

<pudge/*> (pronounced "PudgeGlob") is thousands of posts over many years by Pudge.

"It is the common fate of the indolent to see their rights become a prey to the active. The condition upon which God hath given liberty to man is eternal vigilance; which condition if he break, servitude is at once the consequence of his crime and the punishment of his guilt."

About this Entry

This page contains a single entry by pudge published on November 20, 2003 1:11 AM.

Stupid Mac::Glue Tricks was the previous entry in this site.

Mac::Carbon Released is the next entry in this site.

Find recent content on the main index or look in the archives to find all content.