OSX ssh-agent: no password pasting, and problem with PKCS#8?
I use ssh on my machine, and have set up a long not-human-friendly passphrase which is saved in my password manager.
What makes me crazy every time is that I cannot paste into the window pictured below. I know the Remember password in my keychain
option and use it. Sometimes I have to enter a new one though. Why can't I paste into a password field?
Same thing for the dialog which pops up when plugging in encrypted disks.
Some updates:
- I found out how I can circumvent the dialog: just use ssh-add -K ~/.ssh/id_rsa, and then I can paste the passphrase into the terminal.
- As mattmcmanus mentioned, my key is encrypted using pkcs8, which was broken on Yosemite's ssh-agent. This is unrelated to the above problem, but it did occur to me at the same time (read here).
- Using ssh-add still does not fix this for encrypted disks.
- The dialog for ssh-agent can be circumvented by adding the key in the console/terminal: ssh-add ~/.ssh/id_rsa. You can then paste the password into the terminal. Also, adding the -K option to ssh-add will save it to the keychain as per Oliver Lacan's comment.
- As mattmcmanus said, id_rsa encryption using PKCS seems to be broken on OSX Mavericks ssh-agent. The fast workaround is to decrypt the keyfile, and encrypt it again with the standard ssh procedure (Key-derivation method: MD5...):
mv id_rsa id_rsa.pkcs
openssl rsa -in id_rsa.pkcs -out id_rsa
# enter passphrase to decrypt
chmod 0600 id_rsa
ssh-keygen -f id_rsa -p
# enter passphrase to encrypt again
Is it a PKCS#8 key and are you on Mavericks? If so, that seems to be completely busted. Not sure there is a solution yet.
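The "is it a PKCS#8 key?" question can be answered from the PEM armor line of the key file before trying the decrypt-and-re-encrypt workaround. The following is an added example, not part of the original posts; the function name ssh_key_format and its output labels are made up for illustration.

```shell
#!/bin/sh
# Added example: classify a private key file by its PEM container.
# Only the armor line and the plain-text PEM headers are read; the key
# material itself is never decoded or printed.
# Labels (hypothetical names chosen for this example):
#   pkcs8-encrypted, pkcs8-plain, traditional-encrypted,
#   traditional-plain, openssh, unknown, unreadable
ssh_key_format() {
    keyfile=$1
    [ -r "$keyfile" ] || { echo "unreadable"; return 1; }

    # The first BEGIN line decides the container; strip CR in case the
    # file was saved with Windows line endings.
    begin=$(sed -n '/^-----BEGIN /{p;q;}' "$keyfile" | tr -d '\r')

    case $begin in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            echo "pkcs8-encrypted" ;;
        '-----BEGIN PRIVATE KEY-----')
            echo "pkcs8-plain" ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # Encryption state is stored inside the base64 body here,
            # so the header alone cannot tell encrypted from plain.
            echo "openssh" ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
            # Traditional OpenSSL PEM marks encryption with a header line.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
                echo "traditional-encrypted"
            else
                echo "traditional-plain"
            fi ;;
        *)
            echo "unknown"; return 1 ;;
    esac
}

# Stand-alone use: sh thisfile.sh ~/.ssh/id_rsa
if [ $# -gt 0 ]; then
    ssh_key_format "$1"
fi
```

A result of pkcs8-encrypted is the case the posts above report as broken in ssh-agent; a -plain result means the private key is sitting on disk without a passphrase.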
On Mac OS X El Capitan the ssh-add command can do this with a -K option:
$ ssh-add -K ~/.ssh/id_rsa
Enter passphrase for /Users/your.username/.ssh/id_rsa:
You can paste your password into this prompt with ⌘-V.
A session for this looks like this:
$ ssh-add -K ~/.ssh/id_rsa
Enter passphrase for /Users/your.username/.ssh/id_rsa:
Passphrase stored in keychain: /Users/your.username/.ssh/id_rsa
Identity added: /Users/your.username/.ssh/id_rsa (/Users/your.username/.ssh/id_rsa)
Relevant excerpt of SSH-ADD(1) brought up with man ssh-add:
-K When adding identities, each passphrase will also be stored in your keychain. When removing identities with -d, each passphrase will be removed from your keychain.
INFOSEC NOTE: Your password won't be shown in the shell, but will be exposed to all running applications via the clipboard. An autotype solution would be more secure.