OT launchd sleep and wake

Scott Haneda talklists at newgeo.com
Fri Aug 7 13:29:02 PDT 2009


I know this is horribly off topic, but I have a feeling there are just  
enough people on this list that know about ssh-agent that I may be  
able to get where I need to be.  I have a day in this, and it is now a  
war :)

Basic ssh key based login, with password:
$ls -la ~/.ssh
drwx------@  5 me  staff    170 Aug  6 23:21 .ssh
-rw-------@  1 me  staff   1743 Feb 12 01:09 id_rsa
-rw-r--r--@  1 me  staff    401 Feb 12 01:09 id_rsa.pub
-rw-r--r--   1 me  staff   9890 Jul 29 18:49 known_hosts

ssh-agent not running:
$ps xa | grep ssh-agent | grep -v grep
	(empty result)

$ssh me@remote.example.com
ssh inspires a secure password dialogue box to pop up.

ssh-agent is now running:
$ps xa | grep ssh-agent | grep -v grep
   658   ??  S      0:00.04 /usr/bin/ssh-agent -l

Nothing in it yet:
$ssh-add -l
The agent has no identities.

I enter in the password, and tell it to "Remember Password in  
Keychain".  My keychains do not use the same password as the OS X  
login, which should not matter.

$ssh me@remote.example.com
I am no longer bothered with the secure password form.

I have an identity
$ssh-add -l
2048 xx:xx:xx:xx:xx:xx:xx...... /Users/me/.ssh/id_rsa (RSA)

Looking in Keychain Access, I see the entry.  Lock it.  I am still  
allowed to ssh in with no secure password dialogue.  This is because  
locking the keychain does not clear the identity out.

* I have moved the keychain entry to a new keychain called secure-ssh,  
set to lock on sleep.  It is locked.

I need to remove that identity, triggered by a sleep or wake event.  
For the sake of this issue, I just pretend the machine has hit a sleep  
or wake event, and that I have the ability to trigger a script to do  
something on those events.  So my goal is to remove that identity.

# sleep event happens, and I run...
$ssh-add -d
Identity removed: /Users/me/.ssh/id_rsa (/Users/me/.ssh/id_rsa.pub)

# Machine wakes up...
$ssh me@remote.example.com
Boom, I am asked for the secure password entry to get into the remote  
host.  It is in my keychain; I should have been asked to unlock the  
keychain, and the login to the remote host should have happened  
automatically.  This would just add another keychain item to the login  
keychain if I chose to save it.

Try again, different method...
# sleep event happens, and I run...
$launchctl stop org.openbsd.ssh-agent
$ps xa | grep ssh-agent | grep -v grep
	(empty result)

That should do it; that stopped the agent.  Now, when I ssh in, it  
should start ssh-agent, try to add the identity, and see that it needs  
to unlock the keychain I set up.

# I am now in a woken-up state; the secure-ssh keychain is locked, as I  
set it to lock on sleep.

$ssh me@remote.example.com
I am logged right in, no authentication was asked.

I could use ssh-add -d to remove the identities on sleep, and then  
ssh-add -k to add all the keychain identities on wake from sleep, but  
then, if I have no intention of using ssh at that time, I am going to  
be asked to unlock the keychain on every wake.

This blog is about the only thing that talks about this in any detail,  
but it is a few years dated: http://www.dribin.org/dave/blog/archives/2007/11/28/securing_ssh_agent/

My methods are identical to his, though mine do not work for some  
reason.
Stumped.

On Aug 7, 2009, at 12:25 PM, Kristofer Henriksson wrote:

> Off the top of my head, I can't speak as to detecting sleep/wake on  
> a Mac.
>
> For clearing SSH keys, I'm surprised that stopping ssh-agent fails.
> However, there is also the command ssh-add -D which is meant to remove
> all keys from the agent. This should be what you are looking for.

-- 
Scott * If you contact me off list replace talklists@ with scott@ *
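An added example, not part of Scott's post, Kristofer's reply, or the dribin.org article: a POSIX shell sleep hook that empties the running agent with ssh-add -D (the command Kristofer mentions) and then confirms the result by parsing ssh-add -l output instead of trusting the exit status. The function names, the "sleep" argument convention and the sample listing text are assumptions made for illustration; the parser accepts both the old hex fingerprint form shown in the post and the newer SHA256: form.

```shell
#!/bin/sh
# Added example: a sleep-hook script that empties the running ssh-agent and
# checks that it is really empty. Function names, the "sleep" argument
# convention and the sample listings are constructed for illustration.

# count_identities reads `ssh-add -l` output on stdin and prints how many keys
# are loaded. An empty agent prints "The agent has no identities."; a loaded
# one prints one "<bits> <fingerprint> <comment> (<type>)" line per key, with
# either the old hex xx:xx:... or the newer SHA256: fingerprint form.
count_identities() {
    grep -c -E '^[0-9]+ [^ ]+ .* \([A-Z0-9-]+\)$' || true
}

# agent_is_empty takes listing text as its argument and succeeds only when no
# key line is present; usable as a post-sleep check before trusting the state.
agent_is_empty() {
    [ "$(printf '%s\n' "$1" | count_identities)" -eq 0 ]
}

# flush_agent_identities is the sleep-event action. ssh-add -D removes every
# identity from the agent (ssh-add -d with no arguments only removes the
# default key files), and the listing is re-read afterwards rather than
# relying on the exit status alone.
flush_agent_identities() {
    ssh-add -D >/dev/null 2>&1 || return 1
    agent_is_empty "$(ssh-add -l 2>/dev/null)"
}

# Constructed sample listings, standing in for live `ssh-add -l` output.
SAMPLE_EMPTY='The agent has no identities.'
SAMPLE_LOADED='2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 /Users/me/.ssh/id_rsa (RSA)
256 SHA256:constructedfingerprintAAAAAAAAAAAAAAAAAAAAAAAAAAAA /Users/me/.ssh/id_ed25519 (ED25519)'

# Only touch a live agent when invoked as "sleep"; running or sourcing the
# script with no argument just defines the functions and samples above.
case "${1:-}" in
    sleep) flush_agent_identities ;;
esac
```

Wired to whatever sleep trigger is in use, `sleephook.sh sleep` leaves the agent empty, so the next ssh after wake has to reload the key and therefore has to unlock the keychain; `agent_is_empty` can be run at wake time to confirm the flush actually took effect before assuming the locked keychain is protecting anything.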


