ssh-askpass on macOS for SSH agent confirmation
Photo by Kristoffer Trolle, CC BY 2.0
At End Point Dev we mostly use SSH keys for authentication when connecting to remote servers and Git services. The majority of the time, the servers we are trying to visit are barred from direct access and require a middle “jump server” instead.
Enabling SSH agent forwarding makes it easier to reuse SSH private keys. It keeps the private keys on our local machine and uses them to authenticate with each server in the chain without entering a password.
However, this approach comes with an inherent risk of the agent being hijacked if one of the servers is compromised. This means a bad guy could use the SSH keys to compromise downstream servers.
In this post, we’ll cover a simple way to protect against SSH agent hijacking. We will see in detail on macOS how to configure a system-wide agent using ssh-askpass to pop up a graphical window to ask for confirmation before using the agent.
How it works
It is strongly recommended to use the
-c option on the
ssh-add command when adding your SSH keys to the agent in order to protect yourself against SSH agent hijacking.
With this, every time a request is made to utilize the private key stored in the SSH agent, ssh-askpass will display a prompt on your local computer asking you to approve the usage of the key. By doing this, it becomes more difficult for a remote attacker to use the private key without authorization.
If you don’t want to use the ssh-askpass agent confirmation, I recommend using the OpenSSH feature ProxyJump rather than agent forwarding to get an equivalent level of security.
Installing ssh-askpass on macOS
So let’s set this up. The recommended way is with Homebrew:
Install ssh-askpass with Homebrew
$ brew tap theseal/ssh-askpass $ brew install ssh-askpass
You might see some warnings. Go ahead and proceed with them.
Now we need to start the Homebrew services. Note that this is a brew service, not a regular macOS daemon service.
$ brew services start theseal/ssh-askpass/ssh-askpass => Successfully started `ssh-askpass` (label: homebrew.mxcl.ssh-askpass)
Behind the scenes, it just sets the
SUDO_ASKPASS environment variables and stops
ssh-agent, so that the SSH agent can pick up these environment variables when it restarts.
To list the services and make sure it’s started:
$ brew services list | grep ssh-askpass ssh-askpass started ~/Library/LaunchAgents/homebrew.mxcl.ssh-askpass.plist
Install ssh-askpass with MacPorts
If you prefer MacPorts, do:
$ sudo port install ssh-askpass
Install ssh-askpass from source code
And of course you can install from source if you wish:
$ cp ssh-askpass /usr/local/bin/ $ cp ssh-askpass.plist ~/Library/LaunchAgents/ $ launchctl load -w ~/Library/LaunchAgents/ssh-askpass.plist
Configure the SSH agent with the
ssh-add -c option
Let’s first verify that the agent is running, then add the private key with the confirmation option:
$ ssh-add -l The agent has no identities. $ ssh-add -c .ssh/id_rsa Enter passphrase for .ssh/id_rsa (will confirm after each use): Identity added: .ssh/id_rsa (.ssh/id_rsa) The user must confirm each use of the key
The Identity will get added if you provide the correct passphrase for the key. This can be confirmed by listing the keys again with
ssh-askpass agent confirmation
Now let’s log into a remote server.
You will be prompted to confirm the private key’s usage with the pop-up window:
Set up keyboard shortcuts
Since it’s too easy to hit the spacebar and accept a connection, ssh-askpass defaults to the cancel option. We can use keyboard shortcuts to press “OK” by following the below steps.
- Go to “System Preferences” and then “Keyboard”.
macOS 10.15 Catalina, 11 Big Sur, 12 Monterey
Go to “Shortcuts” tab
check the option “Use keyboard navigation to move focus between controls”.
macOS 13 Ventura
Turn on the “Keyboard navigation” option.
Now you can press tab ⇥ and then the spacebar to select “OK”.