OpenSSH Keychain Support Issues (OS X Mavericks)

[theckman]

Hello,

I normally install the homebrew version of OpenSSH to use instead of the system version. For 10.8 and newer, it was to get features that I wanted to use in addition to being able to brew openssl and leverage improvements made there. Now that system OpenSSH is 6.2p2, I really only am looking to benefit from enhancements in OpenSSL.

After having upgraded to Mavericks I followed these steps:

• Install XCode 5.0.1
• Run: brew update
• Run: brew upgrade
• Uninstalled OpenSSL and OpenSSH from brew
• Installed OpenSSL using brew and linked it
• Installed OpenSSH with the following flags --with-brewed-openssl and --with-keychain-support
• Modified /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist to look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.openbsd.ssh-agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/ssh-agent</string>
        <string>-l</string>
        <string>-t 1800</string>
    </array>
    <key>ServiceIPC</key>
    <true/>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SecureSocketWithKey</key>
            <string>SSH_AUTH_SOCK</string>
        </dict>
    </dict>
        <key>EnableTransactions</key>
        <true/>
</dict>
</plist>

I followed the instructions as mentioned here, including the twiddling of launchctl and rebooting the system:

• http://www.dctrwatson.com/2013/07/how-to-update-openssh-on-mac-os-x/

Afterwards, I get the following message if I enter my SSH key passphrase correctly when trying to connect:

Saving password to keychain failed
Identity added: /Users/theckman/.ssh/id_rsa (/Users/theckman/.ssh/id_rsa)

At this point, ssh-add -l looks correct and it works. However, if I type the passphrase incorrectly I no longer get a OS X UI passphrase prompt, but instead it asks for it in the terminal:

Saving password to keychain failed
Enter passphrase for key '/Users/theckman/.ssh/id_rsa':

Any ideas on what the cause may be?

[cactus]

I am also having an issue. In my case I tried generating an ecdsa key, but ssh-add doesn't appear to support the -K option, even though the help output claims it does.

$ ssh-add -K .ssh/id_ecdsa
ssh-add: illegal option -- K
usage: ssh-add [options] [file ...]
Options:
  -l          List fingerprints of all identities.
  -L          List public key parameters of all identities.
  -k          Load only keys and not certificates.
  -c          Require confirmation to sign using identities
  -t life     Set lifetime (in seconds) when adding identities.
  -a          Add all identities stored in your keychain.
  -K          Store passphrases in your keychain.
              With -d, remove passphrases from your keychain.
  -d          Delete identity.
  -D          Delete all identities.
  -x          Lock agent.
  -X          Unlock agent.
  -s pkcs11   Add keys from PKCS#11 provider.
  -e pkcs11   Remove keys provided by PKCS#11 provider.

[cactus]

I am also having an issue. In my case I tried generating an ecdsa key, but ssh-add doesn't appear to support the -K option, even though the help output claims it does.

$ ssh-add -K .ssh/id_ecdsa
ssh-add: illegal option -- K
usage: ssh-add [options] [file ...]
Options:
  -l          List fingerprints of all identities.
  -L          List public key parameters of all identities.
  -k          Load only keys and not certificates.
  -c          Require confirmation to sign using identities
  -t life     Set lifetime (in seconds) when adding identities.
  -a          Add all identities stored in your keychain.
  -K          Store passphrases in your keychain.
              With -d, remove passphrases from your keychain.
  -d          Delete identity.
  -D          Delete all identities.
  -x          Lock agent.
  -X          Unlock agent.
  -s pkcs11   Add keys from PKCS#11 provider.
  -e pkcs11   Remove keys provided by PKCS#11 provider.

[theckman]

Good catch on -K not working, I didn't even think to look at that.

-Tim

[theckman]

Good catch on -K not working, I didn't even think to look at that.

-Tim

[cactus]

my guess is the keychain patch needs to be recreated against the new new ssh version (p2) and Apple's patches.

[cactus]

my guess is the keychain patch needs to be recreated against the new new ssh version (p2) and Apple's patches.

[cactus]

likely related issue: #237

[cactus]

likely related issue: #237

[adamv]

MacPorts carries a beefy patch https://trac.macports.org/browser/trunk/dports/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch

[adamv]

MacPorts carries a beefy patch https://trac.macports.org/browser/trunk/dports/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch

[bhyde]

Currently the ssh-agent brew builds lacks support for the -l switch. As a result launchd is unable to fire it up, but it keeps trying every 10 seconds. That clutters the console log. Using Apple's ssh-agent instead, but otherwise using brew's ssh tools, appears to provide a work around.

[bhyde]

Currently the ssh-agent brew builds lacks support for the -l switch. As a result launchd is unable to fire it up, but it keeps trying every 10 seconds. That clutters the console log. Using Apple's ssh-agent instead, but otherwise using brew's ssh tools, appears to provide a work around.

[lox]

Oddly the apple keychain patch seems to use "-M" rather than "-K".

[lox]

Oddly the apple keychain patch seems to use "-M" rather than "-K".

[jbergstroem]

Experienced similar issues. Can verify that the patch (pull req #274) works for me.

[jbergstroem]

Experienced similar issues. Can verify that the patch (pull req #274) works for me.

[jacknagel]

openssh is now at 6.6p1 and a new keychain support patch has been applied, can anyone verify if this issue persists?

[jacknagel]

openssh is now at 6.6p1 and a new keychain support patch has been applied, can anyone verify if this issue persists?

[nickchappell]

I couldn't get they Keychain integration to work on my machine. I followed the steps @theckman outlined in the original post. Is there another procedure I should follow?

[nickchappell]

I couldn't get they Keychain integration to work on my machine. I followed the steps @theckman outlined in the original post. Is there another procedure I should follow?

[peterpme]

This is still an issue. Found this google for the topic

OpenSSH 6.6p1
Mavericks 10.9.2

[peterpme]

This is still an issue. Found this google for the topic

OpenSSH 6.6p1
Mavericks 10.9.2

[m3nu]

I've put a brew for OpenSSH 6.5 in homebrew-versions. It comes with SSH-HPN (high performance patch) and keychaing integration. No issues on the latest Mavericks. They didn't accept the pull request yet, so it's currently here: https://github.com/manuelRiel/homebrew-versions/blob/master/openssh65.rb

[m3nu]

I've put a brew for OpenSSH 6.5 in homebrew-versions. It comes with SSH-HPN (high performance patch) and keychaing integration. No issues on the latest Mavericks. They didn't accept the pull request yet, so it's currently here: https://github.com/manuelRiel/homebrew-versions/blob/master/openssh65.rb

[sj26]

I can successfully edit the launchd plists to replace sshd with the homebrewed sshd, but ssh-agent -l doesn't start, something about the IPC isn't working, so all ssh invocations hang on key exchange, and ssh-add -L doesn't work either.

Can't start it via sudo, either:

sudo ssh-agent -l
launch_msg: Operation not permitted

I can't find any logs to speak of.

[sj26]

I can successfully edit the launchd plists to replace sshd with the homebrewed sshd, but ssh-agent -l doesn't start, something about the IPC isn't working, so all ssh invocations hang on key exchange, and ssh-add -L doesn't work either.

Can't start it via sudo, either:

sudo ssh-agent -l
launch_msg: Operation not permitted

I can't find any logs to speak of.

[phonique]

Issue persists.

[phonique]

Issue persists.

[Diablo-D3]

Can we get an update on this issue?

[Diablo-D3]

Can we get an update on this issue?

[jacknagel]

This issue contains all known information, as far as I know there isn't anyone actively working on it.

[jacknagel]

This issue contains all known information, as far as I know there isn't anyone actively working on it.

[theMikeD]

So the package doesn't work as a replacement daemon but otherwise works as a client in Mavericks. Is that the takeaway here?

[theMikeD]

So the package doesn't work as a replacement daemon but otherwise works as a client in Mavericks. Is that the takeaway here?

[JicKud]

X11 forwarding in Yosemite seems to be broken (worked fine in Mavericks).

$ ssh -X $HOST
Warning: No xauth data; using fake authentication data for X11 forwarding.
No mail.
$HOST> xclock
/private/tmp/com.apple.launchd.HUfJbZEWPt/org.macosforge.xquartz: unknown host. (nodename nor servname provided, or not known)
Error: Can't open display: localhost:11.0
$HOST>

[JicKud]

X11 forwarding in Yosemite seems to be broken (worked fine in Mavericks).

$ ssh -X $HOST
Warning: No xauth data; using fake authentication data for X11 forwarding.
No mail.
$HOST> xclock
/private/tmp/com.apple.launchd.HUfJbZEWPt/org.macosforge.xquartz: unknown host. (nodename nor servname provided, or not known)
Error: Can't open display: localhost:11.0
$HOST>

[Diablo-D3]

Reinstalling xquartz doesn't fix it either. Launching X11 apps locally works fine.

[Diablo-D3]

Reinstalling xquartz doesn't fix it either. Launching X11 apps locally works fine.

[chdiza]

So the package doesn't work as a replacement daemon but otherwise works as a client in Mavericks. Is that the takeaway here?

As far as I know, it works fine in both roles unless you want OSX keychain support built in.

I myself run it as a client (using a custom formula that doesn't even attempt a keychain patch), and there is no problem getting it to use the OSX keychain. I do not, however, use it as a daemon.

[chdiza]

So the package doesn't work as a replacement daemon but otherwise works as a client in Mavericks. Is that the takeaway here?

As far as I know, it works fine in both roles unless you want OSX keychain support built in.

I myself run it as a client (using a custom formula that doesn't even attempt a keychain patch), and there is no problem getting it to use the OSX keychain. I do not, however, use it as a daemon.

[jacknagel]

To be honest I'm not sure what issue people are still having, there seems to be several different issues in this thread.

Can those having trouble please confirm (by brew reinstall openssh and restarting the appropriate services) if the existing formula works? There have been a couple of substantive changes in the last month or so.

[jacknagel]

To be honest I'm not sure what issue people are still having, there seems to be several different issues in this thread.

Can those having trouble please confirm (by brew reinstall openssh and restarting the appropriate services) if the existing formula works? There have been a couple of substantive changes in the last month or so.

[DomT4]

X11 forwarding in Yosemite seems to be broken (worked fine in Mavericks).

This should be fixed now, at least.

[DomT4]

X11 forwarding in Yosemite seems to be broken (worked fine in Mavericks).

This should be fixed now, at least.

[Diablo-D3]

I can verify it works now. 10.10.1 fixed it? Not sure.

[Diablo-D3]

I can verify it works now. 10.10.1 fixed it? Not sure.

[DomT4]

We imported the patch recommended upstream in this commit which should have fixed things.

[DomT4]

We imported the patch recommended upstream in this commit which should have fixed things.

[TimCook1]

The issue appears to persist if you use ed25519 keys. The keychain can't handle saving the password for those keys.

[TimCook1]

The issue appears to persist if you use ed25519 keys. The keychain can't handle saving the password for those keys.

[mochtu]

Loading/unloading the LaunchAgent via launchctl was not enough for me on OSX 10.10.1 (Yosemite). I had to reboot the system. After rebooting the OSX Keychain support window comes up on the first ssh login and the key is stored successfully in ssh-agent.

However I see a

Saving password to keychain failed
Identity added: …

… but it doesn't seem to be an issue.

[mochtu]

Loading/unloading the LaunchAgent via launchctl was not enough for me on OSX 10.10.1 (Yosemite). I had to reboot the system. After rebooting the OSX Keychain support window comes up on the first ssh login and the key is stored successfully in ssh-agent.

However I see a

Saving password to keychain failed
Identity added: …

… but it doesn't seem to be an issue.

[TimCook1]

I figured it out. You have to have the .pub key file in the same folder as the private key. I have no idea why... but apparently that's what OSX wants.

[TimCook1]

I figured it out. You have to have the .pub key file in the same folder as the private key. I have no idea why... but apparently that's what OSX wants.

[theckman]

Not just on OS X. Was surprised to find this a month or so ago.

[theckman]

Not just on OS X. Was surprised to find this a month or so ago.

[croessner]

Hi, is there a solution for ed25519 keys? Just can confirm that it doesn't work here on Yosemite

[croessner]

Hi, is there a solution for ed25519 keys? Just can confirm that it doesn't work here on Yosemite

[TimCook1]

As mentioned above, reboot after making the changes, and place the .pub keys in the same folder as the private key.

[TimCook1]

As mentioned above, reboot after making the changes, and place the .pub keys in the same folder as the private key.

[croessner]

Doesn't work for me:

ssh-add .ssh/id_ed25519
Enter passphrase for .ssh/id_ed25519:
SSH_AGENT_FAILURE
Could not add identity: .ssh/id_ed25519

It doesn't matter, if i change into .ssh or not. And reboot does not solve anything here. Also all other added keys are lost after reboot, except my primary ssh key id_rsa.

If I add other RSA keys with ssh-add, they are not remembered after reboot. Even if I use /usr/bin/ssh-add and not /usr/local/bin/ssh-add, no other but the id_rsa key is remembered.

:-)

One further question to @tcsac : what do you mean by "making the changes"?

[croessner]

Doesn't work for me:

ssh-add .ssh/id_ed25519
Enter passphrase for .ssh/id_ed25519:
SSH_AGENT_FAILURE
Could not add identity: .ssh/id_ed25519

It doesn't matter, if i change into .ssh or not. And reboot does not solve anything here. Also all other added keys are lost after reboot, except my primary ssh key id_rsa.

If I add other RSA keys with ssh-add, they are not remembered after reboot. Even if I use /usr/bin/ssh-add and not /usr/local/bin/ssh-add, no other but the id_rsa key is remembered.

:-)

One further question to @tcsac : what do you mean by "making the changes"?

[TimCook1]

The changes on this page:
http://www.dctrwatson.com/2013/07/how-to-update-openssh-on-mac-os-x/

And you need to nuke everything you originally setup with the built-in ssh-add or you're going to have issues (in my experience).

[TimCook1]

The changes on this page:
http://www.dctrwatson.com/2013/07/how-to-update-openssh-on-mac-os-x/

And you need to nuke everything you originally setup with the built-in ssh-add or you're going to have issues (in my experience).

[nik9000]

I've put a brew for OpenSSH 6.5 in homebrew-versions. It comes with SSH-HPN (high performance patch) and keychaing integration. No issues on the latest Mavericks. They didn't accept the pull request yet, so it's currently here: https://github.com/manuelRiel/homebrew-versions/blob/master/openssh65.rb

This works for me.

[nik9000]

I've put a brew for OpenSSH 6.5 in homebrew-versions. It comes with SSH-HPN (high performance patch) and keychaing integration. No issues on the latest Mavericks. They didn't accept the pull request yet, so it's currently here: https://github.com/manuelRiel/homebrew-versions/blob/master/openssh65.rb

This works for me.