macOS Sierra permanently remembers SSH key passphrase by default

Originator:fjarlq
Number:rdar://28394826 Date Originated:20-Sep-2016 04:04 PM
Status:Open Resolved:
Product:macOS Product Version:10.12
Classification: Reproducible:Always
 
Summary:
After upgrading to macOS Sierra and using SSH to login to an SSH server, I noticed that the passphrase for my SSH key has been permanently remembered by the system. That is, after rebooting the system, SSH still knows the passphrase for my SSH key, such that I do not need to enter any passphrase to log in to my SSH hosts anymore. This permanent storage of my passphrase was done by default without prompting me, and I cannot find any documentation for this new default feature, so I have no idea how to disable it to restore the original El Capitan behavior that I prefer.

As far as I can tell, `ssh-add` is not able to manage this storage of my passphrase. `ssh-add -l` reports that "The agent has no identities." even after having just used SSH to log into a server without using my passphrase. Running `ssh-add -D` reports "All identities removed." but that isn't actually true, because I'm still able to log into my SSH servers without entering my passphrase.

Indeed, I have no idea where in the system my passphrase has been stored. I assume it has been stored somewhere in the keychain, but if so, I cannot find it using the usual methods:

$ security find-generic-password -s SSH
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.
$ security find-generic-password
keychain: "/Users/[username]/Library/Keychains/login.keychain"
version: 256
class: "genp"
attributes:
    0x00000007 <blob>="AppleID"
[.. this is the only generic password found, and it has nothing to do with SSH ..]

Steps to Reproduce:
1. upgrade to macOS Sierra
2. run `ssh-keygen` to generate a new SSH key, protected with a passphrase, at the default file location `/Users/username/.ssh/id_rsa`
3. add the newly-generated public SSH key to the `authorized_keys` file on some SSH server (say, `example.com`)
4. run `ssh example.com`
5. enter the passphrase for the new SSH key and confirm login success
6. reboot
7. run `ssh example.com`
8. run `ssh-add -l`

Expected Results:
After rebooting, I expect running `ssh example.com` to ask for my passphrase again. This was the default behavior on El Capitan and prior. Also on El Capitan, the remembered identities could be managed by `ssh-add` such that running `ssh-add -l` shows the identities that have been learned by `ssh-agent`, and running `ssh-add -D` causes those identities to be forgotten, such that the passphrase is required upon the next attempt to use SSH. On macOS Sierra, running `ssh-add -l` in step 8 reports "The agent has no identities."

In other words, I expect macOS to not remember my passphrase by default. I'm aware that I can optionally run `ssh-add -K` to cause my passphrases to be stored in the keychain, so that I can later run `ssh-add -A` to load those identities into `ssh-agent`. But I have never used the `-K` or `-A` options to `ssh-add`, because I do not wish my passphrase to be remembered by the system.

Actual Results:
After rebooting, running `ssh example.com` logs into the SSH server without requiring my passphrase be entered.

Version:
macOS Sierra version 10.12.

$ /usr/bin/ssh -V
OpenSSH_7.2p2, LibreSSL 2.4.1

Notes:
Bug rdar://27348363 filed by Karoly.Lorentey seems to be related:
https://openradar.appspot.com/27348363

But I'm confused, because that bug seems to be complaining about the opposite: that ssh-agent is NOT remembering the passphrases automatically across reboots like it did in El Capitan. Apple Developer Relations explained that this is the new expected behavior, and to run `ssh-add -A` in an rc script to cause the keys to be automatically loaded. The behavior that Lorentey complained about is actually the behavior I *prefer*, so I don't understand why macOS Sierra behaved differently for him.

Comments

I've updated my bug report with Apple

Now that we've learned that this problem is merely due to a couple of changes in the ssh_config(5) directive defaults, I've updated my bug report.

Specifically, I've noted that there are still a couple of lingering issues:

1) The ssh_config(5) man page incorrectly claims that UseKeychain defaults to "no".

2) The recipe for deleting passphrases that have been stored in Keychain is both obscure and cumbersome.

the complete fix

The following recipe fully restores the preferred ssh passphrase policy found in El Capitan and prior.

Add these lines to ~/.ssh/config:

# Do not store passphrases in Keychain, but do remember passphrases in the running ssh-agent.
Host *
    UseKeychain no
    AddKeysToAgent yes

Then run these commands to purge the stored passphrases from both ssh-agent and Keychain:

ssh-add -D -K
for f in ~/Library/Keychains/*/keychain-2.db; do sqlite3 "$f" "delete from genp where agrp = 'com.apple.ssh.passphrases';"; done
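As an added illustration (not from the report or its comments), the following Python audits both halves of the recipe above: it reads the effective UseKeychain/AddKeysToAgent values from an ssh_config-style text (keyword matching is case-insensitive, and ssh keeps the first value it obtains for a keyword, so earlier lines win), and it counts and then deletes only the genp rows carrying the com.apple.ssh.passphrases access group in a constructed stand-in for keychain-2.db, leaving unrelated items intact. Host matching is simplified to a literal lookup in the Host pattern list, and the table layout is an assumption that covers only the columns the purge touches.

```python
import re
import sqlite3
import tempfile

# Keychain access group that Sierra's ssh-agent uses for stored passphrases (from the recipe).
SSH_AGRP = "com.apple.ssh.passphrases"


def effective_option(config_text, keyword, host="*"):
    """Value ssh would use for `keyword` on `host`, lower-cased, or None if unset.
    Keywords are case-insensitive ('UseKeychain' == 'UseKeyChain'), and ssh keeps
    the first value it obtains, so earlier lines win over later ones.
    Host matching is simplified: a block applies if `host` is literally in its list."""
    active = True  # lines before any Host keyword apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            active = host in value.split()
        elif active and key == keyword.lower():
            return value.lower()
    return None


def make_sample_keychain_db():
    """Constructed stand-in for keychain-2.db with only the columns the purge touches."""
    path = tempfile.NamedTemporaryFile(suffix="-keychain-2.db", delete=False).name
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE genp (agrp TEXT, acct TEXT)")
    con.executemany("INSERT INTO genp (agrp, acct) VALUES (?, ?)", [
        (SSH_AGRP, "/Users/user/.ssh/id_rsa"),      # two stored SSH passphrases
        (SSH_AGRP, "/Users/user/.ssh/id_ed25519"),
        ("apple", "AppleID"),                       # unrelated item that must survive
    ])
    con.commit()
    con.close()
    return path


def stored_ssh_passphrases(path):
    """Dry run: how many SSH passphrase rows the purge would remove."""
    with sqlite3.connect(path) as con:
        return con.execute("SELECT count(*) FROM genp WHERE agrp = ?", (SSH_AGRP,)).fetchone()[0]


def purge_ssh_passphrases(path):
    """The recipe's DELETE, parameterised; returns the number of rows removed."""
    with sqlite3.connect(path) as con:
        return con.execute("DELETE FROM genp WHERE agrp = ?", (SSH_AGRP,)).rowcount
```

Run stored_ssh_passphrases against the real keychain-2.db files first to see what the purge would remove before running the recipe's delete.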

Got a work around...

To stop ssh from doing this, in the ssh config, i.e. ~/.ssh/config:

Host *
  UseKeyChain no

Some reports say that ssh-add -K -d will delete these passwords, but I have not confirmed that.

However the solution at https://lobste.rs/s/sounxg/macos_sierra_permanently_remembers_ssh definitely works to dispose of these squirrelled passwords.

By nigel.metheringham at Oct. 6, 2016, 4:22 p.m.

Thanks, nigel.metheringham. By the way, here's a copy of that solution for purging the passphrases from both ssh-agent and Keychain:

ssh-add -D -K
for f in ~/Library/Keychains/*/keychain-2.db; do sqlite3 "$f" "delete from genp where agrp = 'com.apple.ssh.passphrases';"; done

Yep, that works (the 'UseKeyChain no' config option)! Thanks!

I can't even find that config option in 'man ssh_config'. Funny how they changed the default behavior without even mentioning it or how to go back to the way it was before (essentially with 'UseKeyChain no').

Thanks again!

I have the same problem and the same concerns as the others.

$ which ssh-add
/usr/bin/ssh-add
$ ssh-add -L
The agent has no identities.

nothing in keychain. all agents killed. Still I am not asked for my key's password when connecting to remote ssh.

ssh-add and ssh-agent on my macOS Sierra are both in /usr/bin, so they're the stock Apple-provided binaries.

As a sanity check, what is the path to the ssh-add executable?

`which ssh-add`

Is it /usr/local/ssh-add ? If so, it is not Apple's /usr/bin/ssh-add - ditto ssh-agent.

By joshuajmoody at Sept. 28, 2016, 4:15 p.m.

I'm experiencing the exact same situation that you are. After upgrading to Sierra, the OS is remembering my SSH passphrase when I don't want it to. I've tried 'ssh-add -l' and it says it has no identities. Yet I can connect to my servers without it prompting for a passphrase/password (because I've got my public key on those servers, and Sierra is somehow remembering it). I've looked in Keychain, but can't find it anywhere.

I've seen the other reports you mentioned about the opposite of what we're seeing (where Sierra isn't remembering their passphrase and they want it to).

Have you figured this out yet?
