Problem:
- macOS (14.2.1) ssh (OpenSSH_9.4p1, LibreSSL 3.3.6) is vulnerable to the Terrapin attack (as reported by the scanner).
- The regular OpenSSH (e.g. via Homebrew) doesn't support the `UseKeychain` option.
Workaround:
- Automator > new Application > Run Shell Script: `~/bin/login-script`, save as `Login script.app`
- Create a new file `~/bin/login-script` with contents:

  ```sh
  # Without /usr/bin, it might end up using Homebrew's ssh-add, which doesn't support these
  /usr/bin/ssh-add --apple-use-keychain --apple-load-keychain ~/.ssh/id_rsa
  ```
- Make it executable: `chmod a+x ~/bin/login-script`
- System Settings > Login Items > Open at Login > add `Login script.app`
Technically speaking, the whole process can be shortened via `launchctl` etc., but I always got some trouble trying to do so.
Basically, this uses `ssh-add` and `ssh-agent` from macOS (`/usr/bin`), but `ssh` from Homebrew.
This mutant hack of a solution doesn't inspire confidence, so please comment about any glaring holes.
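A quick check that the mixed setup is what it is meant to be, as an added example (not part of the original note): it reports which `ssh` the shell resolves and whether its version is at least OpenSSH 9.6, the release that introduced the strict key exchange countermeasure for Terrapin. The function names and the `--report` switch are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: sanity-check the "Homebrew ssh + macOS ssh-add" setup.

# Exit 0 if an `ssh -V` banner reports OpenSSH >= 9.6 (first release with
# strict KEX), 1 if it is older, 2 if the banner cannot be parsed.
# Limitation: a vendor build with a backported fix still reports as older.
ssh_has_strict_kex() {
    ver=${1#OpenSSH_}                  # "9.4p1, LibreSSL 3.3.6"
    [ "$ver" != "$1" ] || return 2     # prefix missing: not an OpenSSH banner
    major=${ver%%.*}                   # "9"
    rest=${ver#*.}                     # "4p1, LibreSSL 3.3.6"
    minor=${rest%%[!0-9]*}             # "4"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 6 ]; }
}

# Classify a resolved path: Apple's binaries live in /usr/bin, anything
# else (e.g. a Homebrew prefix) counts as "other".
binary_origin() {
    case "$1" in
        '')         echo missing ;;
        /usr/bin/*) echo system ;;
        *)          echo other ;;
    esac
}

report_setup() {
    ssh_path=$(command -v ssh 2>/dev/null) || ssh_path=
    echo "ssh on PATH: ${ssh_path:-none} ($(binary_origin "$ssh_path"))"
    if [ -n "$ssh_path" ]; then
        banner=$("$ssh_path" -V 2>&1)  # ssh prints its version on stderr
        if ssh_has_strict_kex "$banner"; then
            echo "OK: version supports strict KEX: $banner"
        else
            echo "WARNING: version predates 9.6 or is unparseable: $banner"
        fi
    fi
    if [ -x /usr/bin/ssh-add ]; then
        echo "OK: /usr/bin/ssh-add present for the login script"
    else
        echo "WARNING: /usr/bin/ssh-add not found"
    fi
}

if [ "${1:-}" = "--report" ]; then report_setup; fi
```

Run it with `--report` from the same shell you use for `ssh`. Strict KEX only takes effect when the server supports it as well, so a passing client check does not cover the server side.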