The Grumpy Troll

Ramblings of a grumpy troll.

Diversion into MacOSX launchd & ssh-agent

Well that was an educational diversion. Aka, "I broke things and learnt by repairing them."

After demonstrating that an OpenSSH ControlMaster problem was only an issue with the ancient OpenSSH shipped with MacOS (10.6.x), I aliased the ssh commands to the OpenSSH 5.8 versions installed from MacPorts. Having done that, I decided that I should try to switch out the ssh-agent too, so that I can load ECDSA keys and use ECC to reach my colo box.

The ssh-agent is launched on demand by launchd: launchd owns the listening socket, exports its path as $SSH_AUTH_SOCK, and only starts ssh-agent the first time something connects to that socket. So my naive approach was to:

$ cp /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist \
    ~/Library/LaunchAgents
$ vi ~/Library/LaunchAgents/org.openbsd.ssh-agent.plist
# Change ProgramArguments/string(first) from /usr/bin/ssh-agent
# to /opt/local/bin/ssh-agent
$ launchctl stop org.openbsd.ssh-agent
$ launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
$ launchctl load -F ~/Library/LaunchAgents/org.openbsd.ssh-agent.plist

Alas, the system job runs “ssh-agent -l”, an undocumented Apple extension which I suspect tells ssh-agent to honour the $SSH_AUTH_SOCK path it inherits from the environment; the stock OpenSSH 5.8 ssh-agent from MacPorts has no -l flag at all. So I try to revert.

Can't get ssh-agent running. Reboot. Look (again) through /var/log/system.log: nothing useful. This time, $SSH_AUTH_SOCK is no longer defined at all. Prod, poke.

Log remotely onto a second Mac and compare the output of “launchctl list org.openbsd.ssh-agent”. Spot that LimitLoadToSessionType is set to “Aqua” on the non-tampered box, but to “background” on my laptop. Realise that since I'm logged in on the console, this needs to be Aqua (that is, loaded into the GUI login session, which is the only session whose environment my terminals inherit), even though the limited references I can find suggest that Aqua should be the default.

$ launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
$ launchctl load -S Aqua /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

Still not working, but then the environment variable hasn't been defined; check around for a bit, can't see clear documentation on what exactly defines $SSH_AUTH_SOCK, beyond claims that it's launchd, somewhere. Search through all the launchd files. Give up, log out, log in again and …

It works. The load-in-Aqua-context and logging back in was all that was needed.

So, since a working session (which I couldn't go back to check) has $SSH_AUTH_SOCK pointing, as usual, to a socket with a pathname of the form “/tmp/launch-<6-random-chars>/Listeners”, I can now form an educated guesstrapolation from this content in /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist:

  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <dict>
      <key>SecureSocketWithKey</key>
      <string>SSH_AUTH_SOCK</string>
    </dict>
  </dict>

Each key within Sockets (here there is only one, Listeners) names one socket launchd will create for the job; that name is how the job identifies the socket when it checks in with launchd, and it is also the filename of the socket inside the per-launch directory. The inner dictionary says what kind of socket to create: SecureSocketWithKey is the variant documented in launchd.plist(5) where, instead of binding to a known path, launchd creates the socket in a freshly generated directory with an unpredictable name (the /tmp/launch-XXXXXX/ above) and places the resulting path in the environment variable named by the value, SSH_AUTH_SOCK, for the job and for the session. That is why the variable appears only once the job is loaded into the right session, and why nothing in the plist spells the path out.

Interesting.
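To make the above concrete, here is an added example (mine, not the post's or Apple's code) that does the three things the post ended up doing by hand: generate a user LaunchAgent for a non-Apple ssh-agent, load it into the Aqua session, and check what $SSH_AUTH_SOCK actually points at. Because a stock OpenSSH ssh-agent has no "-l" and so cannot take a SecureSocketWithKey listener from launchd, the generated job deliberately does not use a Sockets stanza; it binds a fixed path with -a and stays in the foreground with -d so launchd can supervise it, which is the usual workaround until the agent is patched. The label local.ssh-agent, the MacPorts path /opt/local/bin/ssh-agent and the socket path $HOME/.ssh/agent.sock are my assumptions, and the launchctl list sample in the usage is constructed to match the 10.6-era output format.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumed names: label
# "local.ssh-agent", agent /opt/local/bin/ssh-agent, socket ~/.ssh/agent.sock.

# Emit a user LaunchAgent for an ssh-agent that lacks Apple's "-l".
# -a binds a fixed socket path, -d keeps the agent in the foreground so
# launchd can supervise it; the stale socket is removed before each start
# because ssh-agent refuses to bind over an existing file.
agent_plist() {
    agent_bin="$1"
    sock_path="$2"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>local.ssh-agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>rm -f "$sock_path"; exec "$agent_bin" -d -a "$sock_path"</string>
    </array>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
EOF
}

# Classify an SSH_AUTH_SOCK value by shape alone (no filesystem access).
# Prints launchd|fixed|unset; exit status 0 = launchd secure socket
# (/tmp/launch-XXXXXX/Listeners), 1 = some fixed path, 2 = empty/unset.
auth_sock_kind() {
    case "${1:-}" in
        "")                            echo "unset";   return 2 ;;
        /tmp/launch-??????/Listeners)  echo "launchd"; return 0 ;;
        *)                             echo "fixed";   return 1 ;;
    esac
}

# Pull LimitLoadToSessionType out of "launchctl list <label>" output
# (the dictionary dump of that era) read from stdin; prints nothing if absent.
session_type_of() {
    sed -n 's/.*"LimitLoadToSessionType" = "\([^"]*\)".*/\1/p'
}

# ssh-add -l exit status, per ssh-add(1): 0 identities loaded,
# 1 agent reachable but empty, 2 cannot contact the agent.
agent_status() {
    command -v ssh-add >/dev/null 2>&1 || { echo "ssh-add not found"; return 2; }
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo "agent reachable, identities loaded"; return 0 ;;
        1) echo "agent reachable, no identities";     return 1 ;;
        *) echo "cannot contact agent";               return 2 ;;
    esac
}

# Replace the system job with the user job, loading it into the Aqua
# session as the post found necessary.  Only meaningful on Mac OS X.
install_agent() {
    agent_bin="${1:-/opt/local/bin/ssh-agent}"
    sock_path="${2:-$HOME/.ssh/agent.sock}"
    command -v launchctl >/dev/null 2>&1 || { echo "no launchctl here"; return 1; }
    mkdir -p "$HOME/Library/LaunchAgents"
    plist="$HOME/Library/LaunchAgents/local.ssh-agent.plist"
    agent_plist "$agent_bin" "$sock_path" > "$plist"
    launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
    launchctl load -S Aqua "$plist"
    echo "export SSH_AUTH_SOCK=$sock_path   # put this in your shell rc"
}

# Diagnostic summary of the agent the current session sees; always returns 0.
report_agent() {
    kind=$(auth_sock_kind "${SSH_AUTH_SOCK:-}") || true
    echo "SSH_AUTH_SOCK: ${SSH_AUTH_SOCK:-<unset>} ($kind)"
    if [ -n "${SSH_AUTH_SOCK:-}" ] && [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "warning: SSH_AUTH_SOCK does not point at a unix socket"
    fi
    agent_status || true
    if command -v launchctl >/dev/null 2>&1; then
        launchctl list org.openbsd.ssh-agent 2>/dev/null | session_type_of
    fi
    return 0
}

case "${1:-report}" in
    install) install_agent "$2" "$3" ;;
    *)       report_agent ;;
esac
```

Run it with no arguments to see the state of the current session (variable set?, socket shape, whether ssh-add can reach the agent, and which session type the system job is loaded into); run it with install to write and load the user job, then log out and back in so the Aqua session picks it up. Terminal sessions need the printed export line in a shell rc; on 10.6 GUI applications only see variables from ~/.MacOSX/environment.plist, so that file is where a fixed-path SSH_AUTH_SOCK goes for them. The fixed path is predictable where launchd's generated directory is not, but the socket itself is created mode 0600 by ssh-agent, so other users still cannot talk to it.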

Are there public texts which explain how all this stuff fits together in decent detail?

-The Grumpy Troll

Comments

runelind
Urgh, I'm not getting this to work at all - anyone have concise steps on how to get ssh-agent to work with ECDSA keys in Mountain Lion?
Michael Hale
I found this article very helpful: http://www.dribin.org/dave/blog/archives/2007/11/28/ssh_agent_leopard/
It led me to create this: https://gist.github.com/2311922
Phil P
To Anonymous: cool, thanks. So, MacPorts has the patch distributed already, they just forget to apply it to new releases?

I read the patch, applied the Portfile change you point to and now have ECDSA from my laptop. Neat.
Anonymous
This will give you an ecdsa capable agent that works like usual:

http://pastebin.com/yg074cbm
Anonymous
First off, I can tell you that after a few days of looking, I found no good explanation (or documentation) on how all this fits together.

That said, I'll answer a vaguely unrelated question for other googlers. If you previously used sshkeychain and find that you can't get OS X's agent working properly, look for this file: "~/MacOSX/environment.plist". If it's there and only has an entry for sshkeychain, nuke it. This file causes SSH_AUTH_SOCK to be set to sshkeychain's expected socket location, which in turn keeps the launchd-created agent from ever doing anything.
Categories: MacOSX OpenSSH