Nov 22, 2016

I have used ssh-agent for a long time. I enter my passphrase once, then let ssh-agent handle my ssh sessions.

Last night, I noticed I ssh’d to a box and did not enter my passphrase. I got logged in. I had just rebooted my laptop so I was very concerned about this.

It took a while, but eventually I discovered the cause: OS X was caching the passphrase.

More interestingly, it was not using Keychain.

Ed Maste, via IRC, pointed me to Ken White, who had tweeted about this issue back on Oct 6th.

In that thread of tweets, Nigel Metheringham mentioned this bug report.

The solution:

  1. Add this entry to ~/.ssh/config:
    Host *
      UseKeyChain no
    
  2. Run this script (referenced in the above mentioned bug report, and found here) to delete the cached entries:
    # remove all identities from the agent (-K is Apple's keychain flag on ssh-add)
    ssh-add -D -K
    # then drop the cached ssh passphrase rows from every keychain database
    for f in ~/Library/Keychains/*/keychain-2.db; do sqlite3 "$f" "delete from genp where agrp = 'com.apple.ssh.passphrases';"; done
    
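An audit helper for the two steps above, added here as an example and not part of the original post: it checks that an ssh_config text disables UseKeychain for every host and counts (or purges) rows left under the `com.apple.ssh.passphrases` access group. The `genp` table it creates is a constructed, minimal stand-in with only the columns the post's query touches, so it runs offline without a real keychain.

```python
"""Audit helper for the macOS ssh-agent passphrase-caching issue described above."""
import os
import re
import sqlite3

SSH_PASSPHRASE_AGRP = "com.apple.ssh.passphrases"  # access group used by the post's DELETE


def keychain_disabled_for_all_hosts(config_text: str) -> bool:
    """True if a 'Host *' block sets UseKeychain to 'no'.

    ssh_config keywords are case-insensitive, so 'UseKeyChain' (as in the post)
    and 'usekeychain' are both accepted. Directives in host-specific blocks are
    ignored: only the wildcard block protects every host.
    """
    in_wildcard_block = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        block = re.match(r"(?i)^(host|match)\s+(.*)$", line)
        if block:
            in_wildcard_block = block.group(1).lower() == "host" and block.group(2).strip() == "*"
            continue
        kv = re.match(r"(?i)^usekeychain[\s=]+(\S+)", line)
        if kv and in_wildcard_block:
            return kv.group(1).lower() == "no"
    return False  # no directive found: the macOS default is to cache


def cached_passphrase_count(db_path: str) -> int:
    """Number of cached ssh passphrase rows still present in a keychain database."""
    with sqlite3.connect(db_path) as db:
        (n,) = db.execute("SELECT count(*) FROM genp WHERE agrp = ?", (SSH_PASSPHRASE_AGRP,)).fetchone()
    return n


def purge_cached_passphrases(db_path: str) -> int:
    """Same DELETE the post runs through sqlite3; returns the number of rows removed."""
    with sqlite3.connect(db_path) as db:
        return db.execute("DELETE FROM genp WHERE agrp = ?", (SSH_PASSPHRASE_AGRP,)).rowcount


def make_sample_keychain(db_path: str) -> None:
    """Constructed stand-in for keychain-2.db: two cached ssh passphrases plus an unrelated item."""
    if os.path.exists(db_path):
        os.remove(db_path)
    with sqlite3.connect(db_path) as db:
        db.execute("CREATE TABLE genp (agrp TEXT, acct TEXT, data BLOB)")
        db.executemany("INSERT INTO genp VALUES (?, ?, ?)", [
            (SSH_PASSPHRASE_AGRP, "/Users/me/.ssh/id_rsa", b"<encrypted>"),
            (SSH_PASSPHRASE_AGRP, "/Users/me/.ssh/id_ed25519", b"<encrypted>"),
            ("com.apple.wifi", "HomeNetwork", b"<encrypted>"),
        ])
```

Point `cached_passphrase_count` at each real `~/Library/Keychains/*/keychain-2.db` to confirm the cleanup script left nothing behind.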

Credit to Mark Felder for pointing me to the script.
