Make my password protected SSH key expire or timeout after a while
I have a private SSH key I use for authentication that is stored in ~/.ssh/id_rsa. When I ssh into a server, I am prompted for the password to unlock the key:
I like this. I also like that I can ssh again and again and it doesn't prompt me for my password.
What I don't like is that I am not required to enter my key password days or even weeks later. I can lock my screen or put it to sleep and I still don't have to enter my key password. The only time it seems to expire the password is when I logout (which I do rarely).
How do I get the key password to expire after a while, forcing me to enter my password again to authenticate? Making it so that perhaps after 1 hour, the key is automatically forgotten.
Rather than tweaking ssh-agent (which now requires silly amounts of hacking), I strongly recommend simply changing the settings on your default (login) keychain. I use the very helpful 'lock on sleep' as well as 'lock after 4 hours' because I don't want prompts unless I'm actually afk.
Open Keychain Access and right-click the login keychain to change settings:
Or if you prefer a commandline:
security set-keychain-settings -lu -t 14400
This will result in at least one extra prompt for unlocking the keychain itself (requiring your login password) as well as the prompt for whichever key you're trying to use... but it beats disabling System Integrity Protection IMO.
Note: in newer versions of OS X you must disable System Integrity Protection for this answer to work. (Thanks to @Dave Gregory and @Jaap for pointing this out.)
Open /System/Library/LaunchAgents/com.openssh.ssh-agent.plist (in older versions: org.openbsd.ssh-agent.plist) in a text editor. Replace:
<key>ProgramArguments</key>
<array>
<string>/usr/bin/ssh-agent</string>
<string>-l</string>
</array>
with:
<key>ProgramArguments</key>
<array>
<string>/usr/bin/ssh-agent</string>
<string>-l</string>
<string>-t</string>
<string>30m</string>
</array>
This will expire the key after 30 minutes.
Reboot. Wait, reboot?!? This isn't Windows! Yes, reboot.
Well, you can try to decipher the instructions for changing the setting on the fly, but good luck.
You need to set the life of the key. It ordinarily defaults to forever.
When you run ssh-add you want to use the -t option. If you want a key life of one hour then it is ssh-add -t 1h. The time formats can be seen in the sshd_config man page but put simply they are a number followed by s, m, h, d, or w for seconds, minutes, hours, days or weeks.
ssh-add can be put into your .bashrc file and it will just ask you to validate the key once. Even when the key "expires" it isn't removed - it just asks for the passphrase again when an attempt is made to use it.
The other option would be to alter the launch options for ssh-agent which are stored in /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist and add the -t there. (I use LaunchControl for changing these but you can do it by hand if you are careful.)
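The answers above use two different lifetime notations: ssh-add -t takes the sshd_config style (number plus s/m/h/d/w), while security set-keychain-settings -t takes plain seconds (14400 for four hours). As an added example, not from any answer on this page, here is a POSIX sh function that converts the ssh-add style into seconds, plus a hypothetical helper lifetime_commands that prints both commands for one chosen lifetime.

```shell
#!/bin/sh
# Convert an OpenSSH time-format string (as accepted by ssh-add -t and
# described in the sshd_config man page) into seconds. Accepts a bare
# number (seconds) or one or more number+unit pairs, e.g. "1h30m".
# Prints the total; prints nothing and returns 1 on malformed input.
ssh_time_to_seconds() {
    spec=$1
    total=0
    # Reject empty input and any character outside digits and unit letters.
    case "$spec" in
        ''|*[!0-9smhdw]*) return 1 ;;
    esac
    while [ -n "$spec" ]; do
        num=${spec%%[smhdw]*}       # digits before the first unit letter
        rest=${spec#"$num"}          # unit letter (if any) and what follows
        [ -n "$num" ] || return 1    # a unit letter with no number is invalid
        case "$rest" in
            '') mult=1 ;;            # trailing bare number means seconds
            s*) mult=1 ;;
            m*) mult=60 ;;
            h*) mult=3600 ;;
            d*) mult=86400 ;;
            w*) mult=604800 ;;
        esac
        total=$((total + num * mult))
        # Drop the consumed unit letter and continue with the remainder.
        case "$rest" in
            '') spec='' ;;
            *)  spec=${rest#?} ;;
        esac
    done
    printf '%s\n' "$total"
}

# Hypothetical helper: given one lifetime in ssh-add notation, print the
# ssh-add command from the answers above and the equivalent keychain
# command, which needs the same lifetime expressed in seconds.
lifetime_commands() {
    secs=$(ssh_time_to_seconds "$1") || { echo "bad time spec: $1" >&2; return 1; }
    printf 'ssh-add -t %s ~/.ssh/id_rsa\n' "$1"
    printf 'security set-keychain-settings -lu -t %s\n' "$secs"
}

# Example run: prints the two commands for a four-hour lifetime.
lifetime_commands 4h
```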
Another solution is:
ssh-add -t <time> <ssh-private-key> # Set maximum lifetime to your SSH priv key.
killall ssh-agent # Kill all ssh-agent processes.
ssh-add -D # Delete all identities recorded by the agent.
With this solution, you do not have to choose a timeout for your whole keychain - quite annoying when you want to set a timeout of only a few seconds on the caching of your private key password - and you do not have to disable SIP to edit /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist.