/mac-ssh-confirm

Protect against SSH Agent Hijacking on Mac OS X with the ability to confirm agent identities prior to each use

Primary LanguageShellMIT LicenseMIT

mac-ssh-confirm

Overview

One way to help protect against SSH Agent Hijacking is by confirming each use of the of the decrypted identities managed by ssh-agent.

These tools allow confirmation while (still) meeting the following objectives:

  • Password protected SSH identities
  • SSH identity passwords stored in Mac OS X Keychain
    • Passwords do not need to be entered again and again.
  • Absolute minimum install:
    • Do not overwrite or replace executables
    • Do not require compiling or Xcode

This is a useful hack. More useful would be development by Apple to support SSH Agent confirmations.

Additional helper utilities:

  • cmc: ControlMaster Controller - Eases management of SSH ControlMaster connections.
  • solo-agent: Enable discrete SSH Agents to avoid leaking access across hosts

Installation

  1. macOS no longer comes with X11. Unless you have an old release, XQuartz is required (#1).
  2. Symlink ssh-askpass.sh to /usr/libexec/ssh-askpass. (The install.sh script does this.)
  3. It may be convenient to put ssh_add_confirm_ids.sh in your PATH.

Use

  1. Add identities to your Mac OS X Keychain via ssh-add -K
  2. Prior to connecting to any hosts, execute ssh_add_confirm_ids.sh
    • In the interest of security, do not Always Allow security access to your keychain
  3. Repeat the step above each time you log into your Mac

To clear existing identities in the agent and load configured identies to require confirmation:

  • ssh-add -D; ssh_add_confirm_ids.sh

To clear existing identities in the agent and load identities saved in your keychain without the need to confirm access:

  • ssh-add -D; ssh-add -k

Inspiration

License