@halilim
Created December 29, 2023 20:50
Homebrew OpenSSH with macOS keychain

Problem:

  1. macOS (14.2.1) ssh (OpenSSH_9.4p1, LibreSSL 3.3.6) is vulnerable to the Terrapin attack (CVE-2023-48795), as reported by the Terrapin scanner. Terrapin lets an on-path attacker drop messages from the start of the secure channel by manipulating sequence numbers during the handshake; the mitigation is the "strict kex" extension, which upstream OpenSSH shipped in 9.6.
  2. Upstream OpenSSH (e.g. the Homebrew build) doesn't support Apple's UseKeychain ssh_config option, nor the matching --apple-use-keychain/--apple-load-keychain flags of ssh-add, so it cannot fetch key passphrases from the macOS keychain on its own.

Workaround:

  1. Automator > new Application > Run Shell Script: ~/bin/login-script, save as Login script.app
  2. Create a new file ~/bin/login-script with contents:
    #!/bin/sh
    # Use the absolute path: without /usr/bin this might run Homebrew's ssh-add,
    # which doesn't support the --apple-* flags
    /usr/bin/ssh-add --apple-use-keychain --apple-load-keychain ~/.ssh/id_rsa
  3. Make it executable: chmod a+x ~/bin/login-script
  4. System Settings > Login Items > Open at Login > add Login script.app
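Putting the four steps together, here is an added example of what ~/bin/login-script can contain. It is written for this page and is not the gist author's script: it loads the key with Apple's ssh-add, reports which ssh wins on PATH together with the agent socket, and parses the `ssh -V` banner so a build older than 9.6 (the release that shipped the Terrapin mitigation) is flagged. The key path ~/.ssh/id_rsa and the assumption that Homebrew's bin directory precedes /usr/bin on PATH come from the gist; the version check looks only at the local banner and does not prove that a given peer negotiates strict kex.

```shell
#!/bin/sh
# Added example, not the gist's own script. Assumptions: key at ~/.ssh/id_rsa,
# Homebrew's ssh earlier on PATH than /usr/bin/ssh.
set -eu

KEY="${HOME}/.ssh/id_rsa"

# Pull "major.minor" out of an `ssh -V` banner such as
# "OpenSSH_9.4p1, LibreSSL 3.3.6"; prints nothing if the banner does not match.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when major.minor $1 is at least major.minor $2.
version_ge() {
    maj1=${1%%.*}; min1=${1#*.}
    maj2=${2%%.*}; min2=${2#*.}
    [ "$maj1" -gt "$maj2" ] || { [ "$maj1" -eq "$maj2" ] && [ "$min1" -ge "$min2" ]; }
}

# The Terrapin mitigation (strict kex, CVE-2023-48795) shipped in OpenSSH 9.6,
# so a banner older than that is the situation the gist works around.
needs_workaround() {
    v=$(openssh_version "$1")
    [ -n "$v" ] && ! version_ge "$v" 9.6
}

# Load the key from the keychain with Apple's ssh-add only; the upstream
# ssh-add that may sit first on PATH does not know the --apple-* flags.
load_key_from_keychain() {
    if [ "$(uname -s)" != Darwin ]; then
        echo "not macOS: nothing to load" >&2
        return 1
    fi
    /usr/bin/ssh-add --apple-use-keychain --apple-load-keychain "$KEY"
}

main() {
    banner=$(ssh -V 2>&1)                       # whichever ssh wins on PATH
    echo "ssh on PATH: $(command -v ssh) ($banner)"
    echo "system ssh:  $(/usr/bin/ssh -V 2>&1)"
    echo "agent socket: ${SSH_AUTH_SOCK:-<unset>}"   # both ssh builds use this
    if needs_workaround "$banner"; then
        echo "warning: $banner predates the Terrapin fix in OpenSSH 9.6" >&2
    fi
    load_key_from_keychain
    /usr/bin/ssh-add -l                          # confirm the agent holds the key
}

# Run the login actions on macOS only; the functions above stay usable elsewhere.
case "$(uname -s)" in
    Darwin) main ;;
esac
```

Run it once from a terminal before wiring it into the Automator app, so a wrong key path or a locked keychain shows up where you can see it. If the same ~/.ssh/config is read by both ssh builds, put `IgnoreUnknown UseKeychain` above `UseKeychain yes`: upstream ssh otherwise aborts on the unknown option.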

Technically speaking, the whole process can be shortened via launchctl (a launchd agent) etc., but I always ran into some trouble trying to do so.

Basically, this uses ssh-add and ssh-agent from macOS (/usr/bin), which know about the keychain, but ssh from Homebrew, which only needs to reach the running agent through SSH_AUTH_SOCK.

This mutant hack of a solution doesn't inspire confidence, so please comment on any glaring holes.

@halilim (author) commented Jun 28, 2024

Update: As of macOS 14.5, SSH is upgraded to OpenSSH_9.6p1, reported as not vulnerable. You can remove the workarounds and Homebrew SSH (unless you need it for something else).
