This is a copy of Apple's OpenSSH 5.9p1 that is bundled with OS X 10.8, plus a modification to add a RequireKeyConfirmation
option. This no longer includes the AddKeysToAgent
option modification, as it is no longer needed.
With RequireKeyConfirmation
set to yes
in ~/.ssh/config
, any identities added to ssh-agent
will require confirmation before use. Combined with the included cocoa-ssh-askpass
wrapper around CocoaDialog, a GUI dialog will be presented when SSH tries to use an unlocked identity stored in the agent. This applies to SSH spawned from a terminal (directly or through things like git
), from a forwarded agent, and from any GUI program that uses it in the background to setup tunnels like Sequel Pro.
More information about agent confirmation can be read at http://jcs.org/macssh.
Run xcodebuild
from the top directory.
sudo xcodebuild install
will install it into /tmp/openssh.dst
as usual. Overlay this directory on to /
with sudo rsync -av /tmp/openssh.dst/. /.
. Avoid directly installing into /
by overriding DSTROOT
because of some scary recursive chmod
s and chown
s that the XCode build script does (from Apple).
Download and install CocoaDialog to /Applications/Utilities
. The cocoa-ssh-askpass
wrapper that is installed as /usr/libexec/ssh-askpass
will look for CocoaDialog at /Applications/Utilities/CocoaDialog.app/Contents/MacOS/CocoaDialog
.
At the first SSH connection, the usual secure input window will appear asking for the key passphrase. Leave the "Remember password in my keychain" option unchecked. If RequireKeyConfirmation
is set to yes
, on the next SSH connection, /usr/libexec/ssh-askpass
will be invoked to prompt for confirmation.