Eliminate Subversion Passphrase Prompts with SSHKeychain

One of the things I really like about OS X is the Keychain Access application. Most Mac applications (but not Firefox) that deal with passwords or certificates enlist Keychain Access services. The upshot is that you don’t need to manage a password file yourself, and you don’t need a third-party secure credential management application.

Unless you use ssh on the command line a lot.

Unfortunately, on OS X, the ssh command line tools are not integrated with Keychain Access. This is unfortunate for a couple reasons. First, it means that you have the choice (with the ssh command line tools) to either passphrase protect each key or not. If you decide not to then you expose that key to attack (if someone gets access to your disk).

Now if you do decide to passphrase-protect an ssh key a dilemma arises. You will be prompted for that passphrase each time the key is required for an ssh operation. Every time you ssh to a remote machine, or run scp or sftp, you’ll be prompted. And if you use Subversion over ssh you’ll be prompted (for a passphrase) for each of your remote subversion commands. Ugh.

Until Apple adds direct integration between the ssh command line tools and Keychain Access we have to make due with one of the “ssh agents”. There is a command-line one that ships with OS-X called ssh-agent if you like that sort of thing. I was hoping for a mouse-driven one and went on a little expedition.

The first one I looked at, SSH Agent, is a nice enough Cocoa app but it’s got a fatal flaw. The whole point of this thing is to enable me to avoid entering passphrases. To do that, the app needs to access a passphrase stored in Keychain Access. Well SSH Agent looks like it intends to support that — but unfortunately, the “add to keychain” control is disabled. As a result you have to go to Keychain Access and manually get your passphrase and then paste it into SSH Agent each time you you want to activate an ssh key.

The second Cocoa app I looked at, SSHKeychain fared better in this regard. It integrates nicely with Keychain Access. The interface is a bit quirky but if you follow the directions you should be up in no time. Note that with each of the ssh agents I tested, there were situations where I had to log out (of OS X) and back in to get the ssh command line tools to notice the agent.

Any chance of integrated SSH key management making it into Keychain Access in time for Leopard?

This entry was posted in OS X, tool. Bookmark the permalink.

3 Responses to Eliminate Subversion Passphrase Prompts with SSHKeychain

  1. Paul Jakubik says:

    You mention Firefox does not use Keychain. Are there any OS X browsers that do use Keychain? Do these browsers have other issues that make Firefox more desirable?

  2. bill.burcham says:

    Sure — at least Safari (the default browser) and Camino (based on Gecko rendering engine) are integrated with Keychain Access.

  3. Adam Keys says:

    OmniWeb has Keychain integration as well.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s