Cannot get keychain password via SSH - macos

On a Mac (Big Sur) machine, I can easily get a password from the keychain via the command line:
security find-generic-password -l Foo -w
But, if I ssh into that same machine, the exact same command returns nothing.
Any ideas why that would be happening?

Jeff Holt's response helped me.
Indeed the remote keychain was locked and can be unlocked with security unlock-keychain. If you are interacting via the command line perhaps using a script you can test for whether the default keychain is unlocked with show-keychain-info which returns a non-zero value when locked.
In bash selectively prompt to unlock the keychain (with squashing of the redundant text output of show-keychain-info to stderr):
if ! $(security show-keychain-info 2> /dev/null); then
security unlock-keychain;
fi

Related

SSH login mac-to-mac

I have an iMac that I use somewhat as a server, and a Macbook laptop. For months I've opened a terminal on my laptop, typed "ssh user#host" (with more useful choices for 'user' and 'host', and was promptly rewarded with a "Password:" prompt, then the normal '$' prompt. Today it doesn't give me the $ prompt aftr a correct password. As a test, I gave an invalid pssword, and was rewarded with another prompt for password. The final test was to open the Terminus app on my iPhone, and got immediately to the $ prompt.
What might be the problem here, and where do I look first for a solution?
The first thing to try is:
ssh -v user#host
to get verbose messages.
If you have recently upgraded the server to macOS Ventura and you used to use RSA keys, you will probably need to log into the server and edit /etc/ssh/ssh_config and add the following two lines at the end since Apple tightened up security to disallow that older, relatively less secure method:
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

How To add-trusted-cert on a Mac Remotely (without user interaction)

Is it possible to add a trusted certificate on a Mac OS X 10.8.3 remotely? If so, how?
My current approach is to use the command below. Can it be tweaked so that it works remotely without user interaction?
security add-trusted-cert foo.cer
When I try the command above, I get SecTrustSettingsSetTrustSettings: The authorization was denied since no user interaction was possible.
My situation: the tool I'm using executes /bin/sh -xe bar.sh on the target machine and I have control over [1] which user it executes as and [2] the contents of bar.sh which currently has security add-trusted-cert foo.cer. Unlocking the keychain first does not appear to be the answer.
The command below works but the password can be seen by another user with ps and maybe even ends up in a commmand-line history as well. If there's a better answer that avoids this problem, most likely I'll mark that one as the accepted answer.
echo "password" | sudo -S /usr/bin/security add-trusted-cert -d -r trustRoot -k /path/to/keychain /path/to/cert
I got it from http://www.bynkii.com/archives/2009/04/stupid_cert_tricks.html

Git Always Prompts for Passphrase

I've followed the following guide to setup SSH keys on Mac OS 10.7.4.
https://help.github.com/articles/generating-ssh-keys
But for some reason it continually prompts me for my passphrase. It doesn't prompt me if I don't specify a passphrase, but that isn't desired. Is there a way to cache my passphrase so that I won't be prompted for every pull/push?
You have to add your key file in the ssh-add
ssh-add ~/.ssh/you_key_rsa
After that, it's not will ask any more.
You might need to edit the .git/config file in your git repo and change the url value to use something like user#host:path-to-git-repo.git
The SSH password is used to authenticate users connecting to GIT repositories.
If you're working localy, git shouldn't ask for passwords, obly when doing remote operation, such as clone, push, pull,etc.
If the password annoys you, you can just input a blank password when creating the SSH key, password is not mandatory, however I advise you to use password for extra protection.
I am using Windows 10, and I have found two ways to eliminate the passphrase prompting.
Make sure the ssh agent is started and you have added your key
$ eval "$(ssh-agent -s)"
$ ssh-add ~/.ssh/id_rsa
The second command will prompt you for your passphrase, and then you will not be prompted for any other git commands run in this session.
You will need to run these commands again for every new bash session
Remove the passphrase from you key file:
$ ssh-keygen -p -f ~/.ssh/id_rsa
When prompted, just strike enter key for the new passphrase.
Option 2 will permanently remove the passphrase for all git commands. Of course it also makes you key file "unsecured"
Note: If you are using git desktop GUI ( Version 1.04+) Option 2 is required for the GUI to work.

How to input automatically when running a shell over SSH?

In my shell script I am running a command which is asking me for input.
How can I give the command the input it needs automatically?
For example:
$cat test.sh
ssh-copy-id tester#10.1.2.3
When running test.sh:
First, it will ask:
Are you sure you want to continue connecting (yes/no)?
Then, it will ask me to input the password:
tester#10.1.2.3's password:
Is there a way to input this automatically?
For simple input, like two prompts and two corresponding fixed responses, you could also use a "here document", the syntax of which looks like this:
test.sh <<!
y
pasword
!
The << prefixes a pattern, in this case '!'. Everything up to a line beginning with that pattern is interpreted as standard input. This approach is similar to the suggestion to pipe a multi-line echo into ssh, except that it saves the fork/exec of the echo command and I find it a bit more readable. The other advantage is that it uses built-in shell functionality so it doesn't depend on expect.
For general command-line automation, Expect is the classic tool. Or try pexpect if you're more comfortable with Python.
Here's a similar question that suggests using Expect: Use expect in bash script to provide password to SSH command
There definitely is... Use the spawn, expect, and send commands:
spawn test.sh
expect "Are you sure you want to continue connecting (yes/no)?"
send "yes"
There are more examples all over Stack Overflow, see:
Help with Expect within a bash script
You may need to install these commands first, depending on your system.
Also you can pipe the answers to the script:
printf "y\npassword\n" | sh test.sh
where \n is escape-sequence
ssh-key with passphrase, with keychain
keychain is a small utility which manages ssh-agent on your behalf and allows the ssh-agent to remain running when the login session ends. On subsequent logins, keychain will connect to the existing ssh-agent instance. In practice, this means that the passphrase must be be entered only during the first login after a reboot. On subsequent logins, the unencrypted key from the existing ssh-agent instance is used. This can also be useful for allowing passwordless RSA/DSA authentication in cron jobs without passwordless ssh-keys.
To enable keychain, install it and add something like the following to ~/.bash_profile:
eval keychain --agents ssh --eval id_rsa
From a security point of view, ssh-ident and keychain are worse than ssh-agent instances limited to the lifetime of a particular session, but they offer a high level of convenience. To improve the security of keychain, some people add the --clear option to their ~/.bash_profile keychain invocation. By doing this passphrases must be re-entered on login as above, but cron jobs will still have access to the unencrypted keys after the user logs out. The keychain wiki page has more information and examples.
Got this info from;
https://unix.stackexchange.com/questions/90853/how-can-i-run-ssh-add-automatically-without-password-prompt
Hope this helps
I have personally been able to automatically enter my passphrase upon terminal launch by doing this: (you can, of course, modify the script and fit it to your needs)
edit the bashrc file to add this script;
Check if the SSH agent is awake
if [ -z "$SSH_AUTH_SOCK" ] ; then
exec ssh-agent bash -c "ssh-add ; $0"
echo "The SSH agent was awakened"
exit
fi
Above line will start the expect script upon terminal launch.
./ssh.exp
here's the content of this expect script
#!/usr/bin/expect
set timeout 20
set passphrase "test"
spawn "./keyadding.sh"
expect "Enter passphrase for /the/path/of/yourkey_id_rsa:"
send "$passphrase\r";
interact
Here's the content of my keyadding.sh script (you must put both scripts in your home folder, usually /home/user)
#!/bin/bash
ssh-add /the/path/of/yourkey_id_rsa
exit 0
I would HIGHLY suggest encrypting the password on the .exp script as well as renaming this .exp file to something like term_boot.exp or whatever else for security purposes. Don't forget to create the files directly from the terminal using nano or vim (ex: nano ~/.bashrc | nano term_boot.exp) and also a chmod +x script.sh to make it executable. A chmod +r term_boot.exp would be also useful but you'll have to add sudo before ./ssh.exp in your bashrc file. So you'll have to enter your sudo password each time you launch your terminal. For me, it's more convenient than the passphrase cause I remember my admin (sudo) password by the hearth.
Also, here's another way to do it I think;
https://www.cyberciti.biz/faq/noninteractive-shell-script-ssh-password-provider/
Will certainly change my method for this one when I'll have the time.
You can write the expect script as follow:
$ vi login.exp
#!/usr/bin/expect -f
spawn ssh username#machine.IP
expect "*assword: "
send -- "PASSWORD\r"
interact
And run it as:
$ expect login.exp

How to prevent that the password to decrypt the private key has to be entered every time when using Git Bash on Windows?

I've an automatic building service which download from a git private repository.
The problem is that when it tries to clone repository it need to provide the password, because it is not remembered; so because there is no human interaction, it waits forever the password.
How can I force it to remember from id_rsa.pub?
For Windows users, just a note that this is how I set up the Git Bash environment to log me in once when I start it up. I edit my ~/.bashrc file:
eval `ssh-agent`
ssh-add
So when I start Git Bash, it looks like:
Welcome to Git (version 1.7.8-preview20111206)
(etc)
Agent pid 3376
Enter passphrase for /c/Users/starmonkey/.ssh/id_dsa:
Identity added: /c/Users/starmonkey/.ssh/id_dsa (/c/Users/starmonkey/.ssh/id_dsa)
And now I can ssh to other servers without logging in every time.
This answer explains how to get the GitHub username and password to be stored permanently, not the SSH key passphrase.
In Windows, just run
$ git config --global credential.helper wincred
This means that the next time you push, you'll enter your username and password as usual, but they'll be saved in Windows credentials. You won't have to enter them again, after that.
As in, Push to GitHub without entering username and password every time (Git Bash on Windows).
I prefer not to have to type my SSH passphrase when opening new terminals; unfortunately starmonkey's solution requires the password to be typed in for every session. Instead, I have this in my .bash_profile file:
# Note: ~/.ssh/environment should not be used, as it
# already has a different purpose in SSH.
env=~/.ssh/agent.env
# Note: Don't bother checking SSH_AGENT_PID. It's not used
# by SSH itself, and it might even be incorrect
# (for example, when using agent-forwarding over SSH).
agent_is_running() {
if [ "$SSH_AUTH_SOCK" ]; then
# ssh-add returns:
# 0 = agent running, has keys
# 1 = agent running, no keys
# 2 = agent not running
ssh-add -l >/dev/null 2>&1 || [ $? -eq 1 ]
else
false
fi
}
agent_has_keys() {
ssh-add -l >/dev/null 2>&1
}
agent_load_env() {
. "$env" >/dev/null
}
agent_start() {
(umask 077; ssh-agent >"$env")
. "$env" >/dev/null
}
if ! agent_is_running; then
agent_load_env
fi
# If your keys are not stored in ~/.ssh/id_rsa or ~/.ssh/id_dsa, you'll need
# to paste the proper path after ssh-add
if ! agent_is_running; then
agent_start
ssh-add
elif ! agent_has_keys; then
ssh-add
fi
unset env
This will remember my passphrase for new terminal sessions as well; I only have to type it in once when I open my first terminal after booting.
I'd like to credit where I got this; it's a modification of somebody else's work, but I can't remember where it came from. Thanks anonymous author!
Update 2019-07-01: I don't think all this is necessary. I now consistently have this working by ensuring my .bash_profile file runs the ssh-agent:
eval $(ssh-agent)
Then I set up an ssh configuration file like this:
touch ~/.ssh/config
chmod 600 ~/.ssh/config
echo 'AddKeysToAgent yes' >> ~/.ssh/config
If I understand the question correctly, you're already using an authorized SSH key in the build service, but you want to avoid having to type the passphrase for every clone?
I can think of two ways of doing this:
If your build service is being started interactively: Before you start the build service, start ssh-agent with a sufficiently long timeout (-t option). Then use ssh-add (msysGit should have those) to add all the private keys you need before you start your build service. You'd still have to type out all the passphrases, but only once per service launch.
If you want to avoid having to type the passphrases out at all, you can always remove the passphrases from the SSH keys, as described in https://serverfault.com/questions/50775/how-do-i-change-my-private-key-passphrase, by setting an empty new passphrase. This should do away with the password prompt entirely, but it is even less secure than the previous option.
When I tried to push my code, I got the below error:
$ git push origin dev
remote: Too many invalid password attempts. Try logging in through the website with your password.
fatal: unable to access 'https://naushadqamar-1#bitbucket.org/xxxx/xxxx-api.git/': The requested URL returned error: 403
After a few hours of research, I found I need to use the below command:
$ git config --global credential.helper cache
After executing the above command, I got the prompt for entering my GitHub username and password. After providing the correct credentials, I am able to push my code.
The right solution is:
Run the Windows default terminal - cmd and get the directory of your master profile
echo %USERPROFILE%
Run Git Bash in the directory above and create the .bashrc file with the command
echo "" > .bashrc
Open the .bashrc file with your favourite text editor and paste code from GitHub Help into that file:
env=~/.ssh/agent.env
...
COPY WHOLE CODE FROM URL - I can't add it to Stack Overflow because it breaks layout... OMG!
Restart Git Bash and it asks you for your password (only first time) and done. No password bothering again.
You need to create the authorized_keys file under the .ssh folder of the user under which you are going to connect to the repository server. For example, assuming you use username buildservice on repo.server you can run:
cd ~buidservice
mkdir ./ssh
cat id_rsa.pub >> .ssh/authorized_keys
Then you have to check the following things:
That corresponding id_rsa private key is presented in builservice#build.server:~/.shh/id_rsa.
That fingerprint of repo.server is stored in the buildservice#build.server:~/.ssh/known_hosts file. Typically that will be done after the first attempt of ssh to connect to the repo.server.

Resources