SSHKeychain
I have done a lot of little things to make ssh access on Mac OS X nicer for me, and I've largely succeeded, using a combination of a login plugin called SSHAgentStartup, with some local patches, and some shell startup scripts, and a login AppleScript app, and an app that provides the ssh passphrases from the Keychain on request.
Recently, an app called SSHKeychain has promised to do all of what I do with these disparate tools: create an SSH agent, make it available to GUI apps, add keys to the agent on request, remove them when the Keychain is locked, add them when it is unlocked, store the key passphrases in the Keychain, etc. But not having the time to really look into it, and fearing change, I punted.
Basically, my main concern was that it didn't do things The Right Way, as I see it, which is to work with the real ssh-agent. I didn't know how it could reliably handle the environment if it didn't create the agent before login.
So having opportunity Wednesday, I looked, and saw the key: it creates a static agent path, and puts there a frontend to the agent (which is actually a named pipe to the SSHKeychain program itself, just as a normal agent path is a pipe to the ssh-agent program; but this one is apparently processed as necessary by SSHKeychain, and then passed to the real ssh-agent).
This allows it to solve many problems. It can set up the environment, because the path to the frontend agent does not change, as it does not need to, as it is not dependent on the actual agent path. This frontend agent can also detect requests for keys, and add them. Very nifty.
It's also got a menu item or Dock item to easily add keys when necessary. For example, it won't automatically add keys if you have forwarded your agent to a host, then the keys have been removed from the agent, and you try to use that agent to connect to another host; but you can just click "Add all keys to agent" in the menu item, and they will be added using the passphrases in the Keychain, and you can continue on your merry way.
I am a bit concerned about security; what potential problems are there for having a frontend to the agent, especially one that is a running application?
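On the security question above, one defensive check that applies to any fixed agent path, given here as an added example that is not part of the original post or SSHKeychain's own code: it verifies that the path is a real Unix socket owned by you, closed to group and other, in a directory nobody else can write to. The function names and the temporary demo socket are constructed for illustration.

```python
import os
import shutil
import socket
import stat
import tempfile

def audit_agent_socket(path, uid=None):
    """Return findings for an agent socket path; an empty list means none found."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the fixed path
    except FileNotFoundError:
        return ["path does not exist"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink")
    elif not stat.S_ISSOCK(st.st_mode):
        findings.append("path is not a Unix socket")
    if st.st_uid != uid:
        findings.append("socket not owned by expected user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("socket accessible to group/other")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid not in (uid, 0):
        findings.append("parent directory owned by another user")
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory writable by group/other")
    return findings

def demo():
    """Audit a constructed socket in three states: private, loose socket, loose dir."""
    d = tempfile.mkdtemp()  # created with mode 0700
    path = os.path.join(d, "agent.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        os.chmod(path, 0o600)
        results = {"private": audit_agent_socket(path)}
        os.chmod(path, 0o666)
        results["loose_socket"] = audit_agent_socket(path)
        os.chmod(path, 0o600)
        os.chmod(d, 0o777)
        results["loose_dir"] = audit_agent_socket(path)
        return results
    finally:
        srv.close()
        shutil.rmtree(d)

if __name__ == "__main__":
    print(demo())
```

To check a live session, call `audit_agent_socket(os.environ["SSH_AUTH_SOCK"])`.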