The SSH config option "UseKeychain yes" does not seem to actually use the keychain?

Originator: robotspacer
Number: rdar://30156799
Date Originated: 23-Jan-2017 08:38 PM
Status: Open
Resolved:
Product: macOS + SDK
Product Version: 10.12.3 (16D32)
Classification: Serious Bug
Reproducible: Always

Area:
Terminal

Summary:
According to TN2449 (and "man ssh_config"), using the config option "UseKeychain yes" will store the passphrase for an SSH key in the keychain once it is used successfully. However, no new entry appears in the Keychain Access after the passphrase is saved.

Even more strange, if I restart my computer, immediately lock the "login" keychain in Keychain Access, and then attempt to use the ssh key… it works immediately. I am not prompted to unlock the keychain first.

This leaves me with a lot of questions:
- Where is the passphrase actually stored?
- Is it encrypted?
- Is there any way to lock this keychain or revoke access?
- Why doesn't the documentation explain any of this?

Steps to Reproduce:
- Set up SSH for another computer, using a key with a passphrase
- Set "UseKeychain yes" as described in "man ssh_config" or TN2449: https://developer.apple.com/library/content/technotes/tn2449/_index.html#//apple_ref/doc/uid/DTS40017589
- Restart your Mac (in case there are any keys already loaded by ssh-agent)
- Immediately lock the default "login" keychain in Keychain Access
- Open Terminal
- Optional: use "ssh-add -D" to make sure no identities are already loaded (in my testing this makes no difference)
- Attempt to connect to the other computer using SSH

Expected Results:
If the passphrase is actually stored in the keychain, it should prompt the user to unlock the keychain, and fail if it is not unlocked as requested.

Ideally the passphrase should show up in Keychain Access, it should be unavailable if its keychain is locked, and it should be possible to move it to a different keychain (for example with a different password or different automatic locking settings).

If there's some reason that behavior isn't possible, it should be documented in some way—explaining that it is not the standard keychain, along with where and how it is stored.

Actual Results:
It works, the ssh connection is successful. I assume this is because the "keychain" being used is some entirely separate storage mechanism that does not show in Keychain Access.

Version:
10.12.3 (16D32)

Notes:


Configuration:
3.3 GHz Intel Core i7, 16 GB RAM, 1TB SSD, Intel Iris Graphics 550 1536 MB

Attachments:

Comments

FYI, they're now stored in the "Local Items" keychain (which can't be locked), and the passphrase item is inexplicably not visible through Keychain Access.

  • https://openradar.appspot.com/29942732
  • http://apple.stackexchange.com/questions/265131/recover-ssh-private-key-passphrase-from-keychain/268175
