After demonstrating that an OpenSSH ControlMaster problem was only an issue with the ancient OpenSSH shipped with MacOS (10.6.x), I aliased the ssh commands to be the 5.8 versions installed from MacPorts. After doing this, I decided that I should try to switch out the ssh-agent too, so that I can load ECDSA keys and use ECC to reach my colo box.
The ssh-agent is launched on-demand by launchd, when something first tries to talk to $SSH_AUTH_SOCK. So my naive approach was to:
$ cp /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist \
     ~/Library/LaunchAgents/org.openbsd.ssh-agent.plist
$ vi ~/Library/LaunchAgents/org.openbsd.ssh-agent.plist
# Change ProgramArguments/string(first) from /usr/bin/ssh-agent
# to /opt/local/bin/ssh-agent
$ launchctl stop org.openbsd.ssh-agent
$ launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
$ launchctl load -F ~/Library/LaunchAgents/org.openbsd.ssh-agent.plist
Alas, the launch system is using “ssh-agent -l”, an undocumented Apple extension which I suspect is telling ssh-agent to honour the $SSH_AUTH_SOCK path it inherits from the environment. So I try to revert.
Can't get ssh-agent running. Reboot. Look (again) through /var/log/system.log, lack of information. This time, no longer have $SSH_AUTH_SOCK defined. Prod, poke.
Log remotely onto second Mac, compare the output of “launchctl list org.openbsd.ssh-agent”. Spot that LimitLoadToSessionType is set to “Aqua” on the non-tampered box, but to “background” on my laptop. Realise that since I'm logged in on console, this needs to be Aqua, even though the limited references I can find to this suggest that Aqua should be the default.
$ launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
$ launchctl load -S Aqua /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
Not working, but then the environment variable hasn't been defined; check around for a bit, can't see clear documentation on what exactly is defining $SSH_AUTH_SOCK, except claims that it's launchd, somewhere. Search through all the launchd files. Give up, log out, log in again and …
It works. The load-in-Aqua-context and logging back in was all that was needed.
So, since a working session (which I couldn't go back to check) has $SSH_AUTH_SOCK point to a socket, as usual, with a pathname of the form “/tmp/launch-<6-random-chars>/Listeners” I can now form an educated guesstrapolation from this content in /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist:
The key of the entry within Sockets is the name of the file created inside the directory that launchd maintains for this context's sockets (even though there is only one of them, so the directory has a single entry), and the rest of the config implies that a socket of the given type will be created and that the value of the type-indicating option is the name of the environment variable?
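To make the pieces above concrete, here is an added example (not from the original post, and not Apple's file verbatim, since the page's own plist excerpt is missing): a shell script that writes a user LaunchAgent of the same shape as org.openbsd.ssh-agent.plist and performs the unload/load-into-Aqua sequence the post ended up with. The plist body illustrates the launchd.plist(5) keys: the dictionary key under Sockets ("Listeners") is the socket's file name inside the per-session directory launchd creates, and SecureSocketWithKey makes launchd generate that directory securely and export the socket path in the named environment variable. The agent path and the "-l" flag are the stock Apple ones, because the post found that a replacement agent has to understand "-l" before it can pick up the launchd-created socket; the assumption that a user-level override in ~/Library/LaunchAgents with the same Label takes effect once the system copy is unloaded is the post's own approach, not something the script verifies.

```shell
#!/bin/sh
# Added example: write an ssh-agent LaunchAgent override and load it into the
# Aqua (GUI login) session. Only write_agent_plist and check_agent_plist run on
# any system; install_agent_plist needs macOS and its legacy launchctl verbs.

write_agent_plist() {
  dest="$1"
  cat > "$dest" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>org.openbsd.ssh-agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/ssh-agent</string>
    <string>-l</string>
  </array>
  <!-- Load only into the GUI login session; "background" is the value that
       left the post's laptop without an agent. -->
  <key>LimitLoadToSessionType</key>
  <string>Aqua</string>
  <!-- "Listeners" becomes the socket's file name inside the per-session
       directory launchd creates, e.g. /tmp/launch-XXXXXX/Listeners.
       SecureSocketWithKey tells launchd to create that socket in a securely
       generated directory and to export its path in the environment variable
       named by the value, here SSH_AUTH_SOCK. -->
  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <dict>
      <key>SecureSocketWithKey</key>
      <string>SSH_AUTH_SOCK</string>
    </dict>
  </dict>
</dict>
</plist>
EOF
}

# Return 0 if the plist at $1 carries the three settings the post found to matter.
check_agent_plist() {
  grep -q '<string>Aqua</string>' "$1" &&
  grep -q 'SecureSocketWithKey' "$1" &&
  grep -q 'SSH_AUTH_SOCK' "$1"
}

# macOS only: replace the system agent definition with the user override.
# As the post observed, a fresh login is still needed before the new
# SSH_AUTH_SOCK shows up in shells.
install_agent_plist() {
  plist="$HOME/Library/LaunchAgents/org.openbsd.ssh-agent.plist"
  write_agent_plist "$plist"
  check_agent_plist "$plist" || return 1
  launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
  launchctl load -S Aqua -F "$plist"
}
```

After running install_agent_plist on the Mac and logging back in, `echo "$SSH_AUTH_SOCK"` should show a path of the /tmp/launch-XXXXXX/Listeners form and `ssh-add -l` should talk to the agent; if the variable is still unset, `launchctl list org.openbsd.ssh-agent` is the place to look for a wrong session type, as in the post.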
Are there public texts which explain how all this stuff fits together in decent detail?
-The Grumpy Troll