@halilim
Created December 29, 2023 20:50
Homebrew OpenSSH with macOS keychain

Problem:

  1. macOS (14.2.1) ssh (OpenSSH_9.4p1, LibreSSL 3.3.6) is vulnerable to the Terrapin attack (as reported by the scanner).
  2. The regular OpenSSH (e.g. via Homebrew) doesn't support the UseKeychain option.

Workaround:

  1. Automator > new Application > Run Shell Script: ~/bin/login-script, save as Login script.app
  2. Create a new file ~/bin/login-script with contents:
    # Without /usr/bin, it might end up using Homebrew's ssh-add, which doesn't support these
    /usr/bin/ssh-add --apple-use-keychain --apple-load-keychain ~/.ssh/id_rsa
  3. Make it executable: chmod a+x ~/bin/login-script
  4. System Settings > Login Items > Open at Login > add Login script.app

Technically speaking, the whole process can be shortened via launchctl etc., but I always ran into some trouble trying to do so.

Basically, this uses ssh-add and ssh-agent from macOS (/usr/bin), but ssh from Homebrew.
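A login script that checks those two assumptions before loading the key, as an added example rather than the gist's own script: it confirms that the `ssh` first in PATH is at least OpenSSH 9.6 (the release that introduced strict KEX, the countermeasure for Terrapin, CVE-2023-48795) and that `/usr/bin/ssh-add` is Apple's build. Assumed, not taken from the gist: that `ssh -V` prints an `OpenSSH_<major>.<minor>` banner, that `ssh -Q kex` on a fixed build lists `kex-strict-c-v00@openssh.com`, that Apple's `ssh-add -h` usage text names the `--apple-*` flags, and that launchd exports `SSH_AUTH_SOCK` to the login session; each check takes the text it inspects as an argument so it can be exercised on captured output.

```shell
#!/bin/sh
# ~/bin/login-script, hardened variant (added example; the key path is a placeholder).
KEY="${HOME}/.ssh/id_rsa"

# 0 if the `ssh -V` banner names OpenSSH 9.6 or later (first release with strict KEX).
ssh_version_ok() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 1
  set -- $ver                      # $1 = major, $2 = minor
  [ "$1" -gt 9 ] || { [ "$1" -eq 9 ] && [ "$2" -ge 6 ]; }
}

# 0 if the `ssh -Q kex` listing advertises the client-side strict-KEX marker
# (assumption: the fixed build lists it there).
has_strict_kex() {
  printf '%s\n' "$1" | grep -qx 'kex-strict-c-v00@openssh.com'
}

# 0 if the `ssh-add -h` usage text mentions Apple's keychain flag, i.e. the binary
# is Apple's build rather than Homebrew's (assumption about the usage text).
is_apple_ssh_add() {
  printf '%s\n' "$1" | grep -q -- '--apple-use-keychain'
}

main() {
  ssh_bin=$(command -v ssh) || { echo "no ssh in PATH" >&2; return 1; }
  if ! ssh_version_ok "$("$ssh_bin" -V 2>&1)" || ! has_strict_kex "$("$ssh_bin" -Q kex)"; then
    echo "warning: $ssh_bin lacks strict KEX; is Homebrew's openssh first in PATH?" >&2
  fi
  # Apple's ssh-add is hard-coded: Homebrew's rejects the --apple-* flags.
  if ! is_apple_ssh_add "$(/usr/bin/ssh-add -h 2>&1)"; then
    echo "error: /usr/bin/ssh-add is not Apple's build" >&2
    return 1
  fi
  /usr/bin/ssh-add --apple-use-keychain --apple-load-keychain "$KEY"
}

# Without an agent socket there is nothing to add the key to; launchd sets this at login.
if [ -n "${SSH_AUTH_SOCK:-}" ]; then
  main "$@"
fi
```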

This mutant hack of a solution doesn't inspire confidence, so please comment about any glaring holes.
