Awesome

mac-ssh-confirm

Overview

One way to help protect against SSH Agent Hijacking is by confirming each use of the of the decrypted identities managed by ssh-agent.

These tools allow confirmation while (still) meeting the following objectives:

• Password protected SSH identities
• SSH identity passwords stored in Mac OS X Keychain
  • Passwords do not need to be entered again and again.
• Absolute minimum install:
  • Do not overwrite or replace executables
  • Do not require compiling or Xcode

This is a useful hack. More useful would be development by Apple to support SSH Agent confirmations.

Additional helper utilities:

• cmc: ControlMaster Controller - Eases management of SSH ControlMaster connections.
• solo-agent: Enable discrete SSH Agents to avoid leaking access across hosts

Installation

1. macOS no longer comes with X11. Unless you have an old release, XQuartz is required (#1).
2. Symlink ssh-askpass.sh to /usr/libexec/ssh-askpass. (The install.sh script does this.)
3. It may be convenient to put ssh_add_confirm_ids.sh in your PATH.

Use

1. Add identities to your Mac OS X Keychain via ssh-add -K
2. Prior to connecting to any hosts, execute ssh_add_confirm_ids.sh
   • In the interest of security, do not Always Allow security access to your keychain
3. Repeat the step above each time you log into your Mac

To clear existing identities in the agent and load configured identies to require confirmation:

• ssh-add -D; ssh_add_confirm_ids.sh

To clear existing identities in the agent and load identities saved in your keychain without the need to confirm access:

• ssh-add -D; ssh-add -k

Inspiration

• And now Chicken of the VNC tunneled through SSH on OS X (includes macos-askpass, a SSH_ASKPASS command for Mac OS X)
• Making OpenSSH on Mac OS X More Secure
• Get Current Application with AppleScript

License

• LICENSE (Expat/MIT License)