I'm confused by the difference in behavior of ssh clients I'm seeing on two different hosts. Just to be clear, this is the scenario:

  1. "macbox" OS X using OpenSSH_5.2p1 ssh client
  2. "sunbox" Solaris 10 OpenSSH_3.9p1 ssh client
  3. "linuxbox" Ubuntu running OpenSSH_5.8p1 sshd server

All three hosts have a user by the same name. I wanted to set up things so that macbox and sunbox could ssh in to linuxbox using just ssh keys, no passwords. On linuxbox, I set up sshd_config to allow this:

HostbasedAuthentication yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

Notice the comment. I took the advice and didn't change the setting about empty passwords. I understood that to mean that linuxbox won't allow host based authentication with public keys which don't have a password set for that key.

Then, on macbox and on sunbox, I did this:

ssh-keygen -v -t dsa

And on both of them, when prompted by ssh-keygen, I supplied a password for the key pair it was generating. Next, I copied the contents of the "id_dsa.pub" (from both macbox and sunbox) to the ~/.ssh/authorized_keys file on linuxbox.

From macbox, using the built-in Terminal.app program, I tried ssh-ing to linuxbox. Suddenly, I was looking at a GUI password prompt, launched by Terminal, but not in the terminal, and it wanted the password for the key pair I'd generated. I entered the password which I'd given to the ssh-keygen program when I generated those keys. I did NOT check the box offering to remember the password in my Mac's Keychain.app program. I clicked OK and got in to a shell on linuxbox.

Next, I typed "exit", then ssh-ed back in to linuxbox a second time, but this time Terminal.app did not ask for a password. I repeated this several times.

Then I went to the sunbox, tried an ssh to linuxbox. Sunbox asked for the public key password via the shell (since I don't use a GUI/X11 environment there). I supplied the password, and got in to the shell on linuxbox. Then I typed "exit", then tried to ssh back in to linuxbox and was again asked for the password. Unlike the ssh client on macbox, sunbox's ssh client asks me for the password every time I ssh to linuxbox.

Is this some kind of undocumented Mac OS X user friendliness thing? Or is it a setting in ssh_config? The macbox has everything commented out in ssh_config. The sunbox ssh_config has a few lines uncommented:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
PreferredAuthentications gssapi-with-mic,publickey,password,keyboard-interactive

I've read the manpage on ssh_config, but I don't see how these settings could account for the difference in ssh client behaviors. I even went into the user Keychain.app file on the macbox and searched for a saved password for the keypair, and there is none saved there.

Can anyone explain why I have to type a key password on sunbox every time I ssh to linuxbox, but never (again) had to type a key password after the first time I ssh-ed to linuxbox from macbox?

Luke Sheppard
  • I found that the only way to cause OS X to once again ask for the key password was to reboot the macbox. However, later I discovered that what is happening is that whenever you call /usr/bin/ssh, the OS uses launchd to spawn an instance of /usr/bin/ssh-agent and sets your shell to have an environment variable called $SSH_AUTH_SOCK, which is, according to the manpage for ssh-agent, a normal part of using an ssh-agent. I just had never used ssh agents and never intended to. Is this a Mac-only thing? – Luke Sheppard Oct 20 '12 at 03:31
  • When you wrote this, it _was_ a nice feature to see in OS X, which wasn't really common in Linux desktop environments of that time. This allowed you to pick a good passphrase for your SSH private keys (mitigating the concerns if somebody got hold of your private key). There are almost no downsides to using a randomly-generated password for an SSH private key in that case, if the OS X system keychain can remember it for you, and load it into the agent on startup after the "login" keyring is unlocked with your regular user password. – TheDudeAbides Aug 11 '22 at 20:14
  • Well, the major downside being if you use a lousy login password. – TheDudeAbides Aug 11 '22 at 20:15
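An added example, not from the question or any answer: a small POSIX sh diagnostic for the mechanism described in the comments above, i.e. whether an ssh-agent is reachable through SSH_AUTH_SOCK and already holds the decrypted key (so ssh stops prompting), plus the two agent-side controls for limiting how long a cached key stays usable. It assumes OpenSSH's ssh-add is on PATH; the exit-status meanings are the ones documented in ssh-add(1).

```shell
#!/bin/sh
# Added example, not code from the original page.
# Why macbox stops prompting and sunbox does not: a client whose shell has a
# live SSH_AUTH_SOCK and an agent holding the key never needs the passphrase
# again; a client with no agent must decrypt the key on every connection.

# Map the exit status of `ssh-add -l` to a state name (per ssh-add(1):
# 0 = identities listed, 1 = agent has no identities, 2 = no agent reachable).
# Kept separate from any live agent so it can be tested offline.
agent_state_from_rc() {
    case "$1" in
        0) echo "identities-loaded" ;;   # passphrase cached: next ssh will not prompt
        1) echo "agent-empty" ;;         # agent running, key not added yet
        2) echo "no-agent" ;;            # no agent: ssh asks for the passphrase every time
        *) echo "unknown" ;;
    esac
}

# Inspect the current shell: check the socket variable first, then ask the agent.
agent_state() {
    if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "no-agent"
        return 0
    fi
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    agent_state_from_rc "$rc"
}

# Controls for the concern raised in the comments: a key stays usable for as
# long as the agent holds it, so drop all cached identities now ...
agent_forget_keys() {
    ssh-add -D
}

# ... or, when adding a key, have the agent discard it after N seconds
# (default here: one hour). $1 = private key path, $2 = lifetime in seconds.
agent_add_with_lifetime() {
    ssh-add -t "${2:-3600}" "$1"
}

# Usage when run directly: report the state of this shell's agent.
if [ "${0##*/}" = "agent_state.sh" ]; then
    echo "ssh-agent state: $(agent_state)"
fi
```

Run it from both hosts: the one reporting identities-loaded is the one that never asks for the passphrase again.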

1 Answer

Answered: It turns out that, yes, this is a feature unique to OS X. See this excellent article about when this feature was introduced to OS X Leopard

Luke Sheppard
  • I wouldn't say it's Mac only, I've set up many Linux systems to do similar at my choice. And I'm doing the equivalent on Windows with pageant too. I also remember there were a couple of Ubuntu releases that did something similar to set up ssh-agent automatically. Usually in these cases it's on login not first use of ssh, but the principle is the same. – ewanm89 Oct 20 '12 at 12:01