SSH passphrase remembered in MacOSX Snow Leopard
I am facing a very strange situation with Snow Leopard. I have a Linux server, configured to accept an ssh connection authenticated only through an RSA key. No password. On my laptop I correctly deployed the RSA key with ssh-keygen, and while I did it, I added a passphrase. I then moved the id_rsa.pub to the Linux server's .ssh/authorized_keys.
So far so good. Now I try from my Snow Leopard laptop to login on the Linux machine. I get a window popup asking me for the passphrase. This is the first thing that surprises me, as I would have expected a shell passphrase request, not a popup. The application requesting the passphrase is ssh, according to the details in this popup window. Also, there is an option "remember phrase in the keychain", which is disabled.
I input my password. The popup disappears and the terminal correctly logs into the Linux machine. Now if I log out and try to ssh again, the login happens without any request for the passphrase, which is not what I want.
Things I checked:
- nothing is saved into the keychain. Browsed in and found nothing.
- if I close/quit the terminal, and open a new one, I am still not asked for the passphrase, and ssh logs in without any inquiry.
- if I log out from the MacOSX session, and log in again, the passphrase is requested at the next attempt, again with a popup dialog. Then it's not requested anymore.
Where is the passphrase stored? What's going on exactly, and how can I force the request of the passphrase at every ssh attempt?
OS X will automatically launch ssh-agent for you when it needs your private key. Your key will then be available through ssh-agent (without entering your passphrase again) until you log out of OS X or remove the key (via ssh-add -d or ssh-add -D to remove all keys).
This is similar to standard *NIX system behavior with ssh-agent, and allows useful functionality like agent authentication forwarding (ssh -A) to work so you don't have to put your private key all over the network.
If you want to disable ssh-agent (for all users of your Mac) you may remove the file /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist.
Another way is to unload & disable the LaunchAgent:
sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
The -w causes it to not just unload but mark & remember it as disabled.
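A narrower alternative to disabling ssh-agent for every user, as an added example that is not part of the original answers: check what the agent holds, hide the agent from a single ssh run, or empty it. The function names are hypothetical, user@server is a placeholder, and it assumes stock OpenSSH behaviour, where ssh asks for the key's passphrase itself when it cannot reach an agent.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; ssh-add -l and -D are OpenSSH flags.

# Report whether the running agent holds keys.
# ssh-add -l exits 0 when identities are listed, 1 when the agent is empty,
# and 2 when no agent can be contacted.
agent_status() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Run one command with the agent hidden from it. The subshell keeps the
# change local, so other terminals and later commands still see the agent.
without_agent() {
    ( unset SSH_AUTH_SOCK; "$@" )
}

# Remove every cached key, then confirm the agent no longer holds any.
flush_agent() {
    ssh-add -D >/dev/null 2>&1 || true
    [ "$(agent_status)" != loaded ]
}

# Typical use (user@server is a placeholder):
#   agent_status                    # "loaded" once the key has been unlocked
#   without_agent ssh user@server   # ssh has to decrypt id_rsa itself
#   flush_agent                     # the next plain ssh asks for the passphrase
```

Because without_agent changes the environment only for the command it runs, agent forwarding and other sessions that rely on the cached key keep working.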