Leopard finally supporting ssh-agent at login
In previous iterations of the feline OS we had to rely on SSHKeyChain in order to get a working ssh-agent setup that was global to all applications and not only for the current bash instance.
With Leopard the environment variable $SSH_AUTH_SOCK is set automatically, and the ssh-agent is managed by launchd (I think). SSHKeyChain may still prove useful for setting up tunnels, but I see no point in waiting for yet another application to start at login.
If you have been using SSHKeyChain you must remember to go into its Preferences and uncheck the "Manage (and modify) global environment variables" tick box; otherwise SSHKeyChain will override the OS settings – even if it's not running.

The actual adding of ssh keys is a bit non-intuitive for people used to doing ssh-add. Just using ssh-add <keyfile> will only add the key to the current agent session. If you never want to type your passphrase again, and instead let ssh-agent fetch the passphrase from Keychain every time you use the ssh key/identity file, you need to have a few things in place:
* Your <identity>.pub must be present in the remote account's $HOME/.ssh/authorized_keys file
* You may use this syntax from the command line to add the key: ssh -i <identity file> user@host. I guess you may do this from the Keychain Access application in some way too, but I was not able to find out how. There must be a slicker way.
So, I used this command in my terminal to add my "lolcats" private key/identity to my Keychain:
ssh -i lolcats lolcat@hostname.tld
And up came this dialog window, voilà:

You can specify a default identity file to use in your .ssh/config.
I think something like:
IdentityFile ~/.ssh/
Ought to do it.
There’s more info in man ssh_config
Thanks for the useful info!
Matt
Actually, if you have your private key in ~/.ssh/id_rsa (and probably identity or id_dsa, but I’ve only tried this with id_rsa) then you can just type:
ssh servername
If you have a passphrase on your private key, that dialog pops and you can save the passphrase in your keychain. You don’t need to have an ~/.ssh/authorized_keys nor do you need to specify the -i option every time you use ssh.
The man pages for ssh-add and ssh-agent haven’t been updated, but if you type:
ssh-add --help
you’ll notice some new options, like -k “Add all identities stored in your keychain.”
This is such a nice new feature of Leopard. Thanks for the info on this!
-Chris
Actually, the man pages have been updated, but a bug in the Leopard installer prevents the old ones from being deleted when you upgrade, and you see those instead. I’m surprised this hasn’t been addressed in Software Updates, as it seems like a serious bug to me, but you can fix it with a ruby script posted at macosxhints.com:
http://forums.macosxhints.com/showthread.php?t=80171&page=3
Naturally, you should back up your man directory, first.
Back to topic, I can understand starting ssh-agent when I log in, but why on earth would I want to store my passphrase in the keychain? If someone cracked my login, they would get instant access to any host I connect to with public key authentication, using the known_hosts file as a roadmap. This sounds like a bad practice to me.
The known_hosts file isn’t the hole it might seem to be as it contains hashes of the hosts you connect to rather than their names. If you have old entries these can be updated:
ssh-keygen -H
Here’s a gotcha for people who can’t get this working.
I was struggling to work out why I could not get this working with a new MacBook (which never had SSHKeychain installed).
The reason: I use MacPorts and had ended up installing OpenSSH via MacPorts (it was a dependency of some other lib). This resulted in a standard, non-keychain support build of ssh in /opt/local/bin, which happened to be listed in my $PATH first. Only when I ran “which ssh” did I realize what had happened.
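As an added check that is not part of the post or its comments: a small POSIX sh diagnostic for the failure modes named above, namely a MacPorts ssh shadowing /usr/bin/ssh, an agent socket that is not actually reachable, and a public key missing from the remote authorized_keys. The function names and the constructed fixture tree are assumptions.

```sh
#!/bin/sh
# Added diagnostic for the setup described on this page; function names and
# the constructed fixture are assumptions, not part of Leopard or the post.

# Print the ssh binary a PATH-style list resolves first. Apple's keychain-aware
# build is /usr/bin/ssh; a MacPorts build in /opt/local/bin listed earlier
# shadows it, which is the gotcha reported in the comments.
first_ssh_in_path() {
    _old_ifs=$IFS; IFS=:
    for _dir in $1; do
        if [ -x "$_dir/ssh" ]; then
            IFS=$_old_ifs; printf '%s\n' "$_dir/ssh"; return 0
        fi
    done
    IFS=$_old_ifs; return 1
}

# Succeed only if the value of SSH_AUTH_SOCK (passed as $1) is a live socket,
# i.e. the launchd-managed agent is actually reachable.
agent_socket_ok() { [ -n "$1" ] && [ -S "$1" ]; }

# Succeed if <identity>.pub's key type and key material appear on some line of
# an authorized_keys file (the remote-side requirement listed in the post).
# Per-line options before the key type and trailing comments are ignored.
pubkey_authorized() {
    [ -r "$1.pub" ] && [ -r "$2" ] || return 1
    _want=$(awk '{ print $1, $2 }' "$1.pub")
    awk -v want="$_want" \
        '{ for (i = 1; i < NF; i++) if ($i " " $(i+1) == want) ok = 1 }
         END { exit !ok }' "$2"
}

# Constructed fixture: a throwaway tree with a MacPorts-style ssh shadowing
# /usr/bin/ssh, a placeholder "lolcats" key pair and a remote-style
# authorized_keys. Prints the tree's root so callers can clean it up.
make_fixture() {
    _t=$(mktemp -d) || return 1
    mkdir -p "$_t/opt/local/bin" "$_t/usr/bin" "$_t/ssh"
    for _f in "$_t/opt/local/bin/ssh" "$_t/usr/bin/ssh"; do
        printf '#!/bin/sh\n' > "$_f"; chmod +x "$_f"
    done
    printf 'PLACEHOLDER PRIVATE KEY (constructed)\n' > "$_t/ssh/lolcats"
    printf 'ssh-rsa AAAAB3constructed lolcat@laptop\n' > "$_t/ssh/lolcats.pub"
    printf 'ssh-rsa AAAAB3other someone@else\n' > "$_t/ssh/authorized_keys"
    printf 'from="10.0.0.0/8" ssh-rsa AAAAB3constructed lolcat@laptop\n' \
        >> "$_t/ssh/authorized_keys"
    printf '%s\n' "$_t"
}
```

In a real Terminal session, `first_ssh_in_path "$PATH"` should print /usr/bin/ssh on a stock Leopard install and `agent_socket_ok "$SSH_AUTH_SOCK"` should succeed; a different path or a failure points at the MacPorts or SSHKeyChain interference discussed above.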
I am missing the first part?
Is there a “new & standard” way for keypair generation, now that the agent is included in Leopard?
Big thanks for this post.
I recently migrated my entire account/home directory to a new computer and can’t get the password to be stored any longer
Quoting from above: “Your .pub must be present in the remote accounts $HOME/.ssh/authorized_keys file”
I don’t see this file. My .ssh directory only contains the following:
laptop~/.ssh>ls
id_rsa id_rsa.pub known_hosts
When I type the equivalent of the above command:
ssh -i lolcats lolcat@hostname.tld
for my server, the dialogue box doesn’t pop up, and I’m forced to type in the password each time I use ssh.
Everything worked fine on my old macbook.
Help would be greatly appreciated!