SSHKeychain Warning
Well, I hate eating crow, but it turns out that (surprise) SSHKeychain isn’t quite the panacea I made it out to be. Shortly after my post where I gush about it, Eric Warnke, one of the developers, emails me with a warning about a couple of serious security issues he’s found in the current version of SSHKeychain (0.8.1). Both have workarounds, which I’ll summarize here, but please see his email post for full details.
UPDATE 25-Aug-2007: Version 0.8.2 has been released to address both of these issues. Tunneling of low ports has been disabled until a proper fix can be made.
The first issue is that it’s apparently quite trivial to coax the passwords that have been stored in the Apple Keychain out of SSHKeychain. The workaround is to not store any SSH passwords in your Keychain. Period. And if you’ve already used the Keychain for SSH passwords, remove them. ASAP.
The second issue is a root privilege escalation. By default, SSHKeychain comes with a SUID root helper app to allow tunneling over ports less than 1024. The workaround is to remove the SUID privilege with the following command:
sudo chmod 755 /Applications/SSHKeychain.app/Contents/Resources/TunnelRunner
Of course, you will not be able to tunnel ports less than 1024, but I’m guessing that 99% of the users won’t care. I know I don’t.
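To confirm the workaround took effect, the following added example (not from the original post or the SSHKeychain project) reports whether the helper still carries the setuid bit and whether root owns it. The function names suid_state and report and the HELPER override variable are assumptions made for this example; the path is the one from the command above.

```shell
#!/bin/sh
# Added example: audit a helper binary for the setuid bit, before and after
# applying the chmod 755 workaround. Function names are hypothetical.

# Path taken from the post; set HELPER=... to check a different file.
HELPER="${HELPER:-/Applications/SSHKeychain.app/Contents/Resources/TunnelRunner}"

# suid_state FILE -> prints one of: missing | suid-root | suid-other | clean
suid_state() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    if [ -u "$f" ]; then
        # ls -lnd prints the numeric owner uid in column 3 (macOS and Linux)
        owner=$(ls -lnd "$f" | awk '{print $3}')
        if [ "$owner" = "0" ]; then
            echo suid-root      # runs with root privileges for any caller
        else
            echo suid-other     # setuid, but to an unprivileged owner
        fi
    else
        echo clean
    fi
}

# report FILE -> prints a verdict; returns 1 while the setuid bit is still set
report() {
    state=$(suid_state "$1")
    case "$state" in
        missing)    echo "$1: not installed"; return 0 ;;
        clean)      echo "$1: setuid bit not set"; return 0 ;;
        suid-root)  echo "$1: SETUID ROOT, apply the chmod 755 workaround"; return 1 ;;
        suid-other) echo "$1: setuid, but not owned by root"; return 1 ;;
    esac
}

report "$HELPER" || true
```

Run it once before the chmod and once after; an application update or reinstall can restore the original permissions, so it is worth re-running then as well.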
I have to say my whole email conversation with Eric wasn’t exactly confidence inspiring. Hopefully, there will be an official release to address these two issues soon. And it seems that Eric is on his way to auditing and cleaning up the code. He’s a new developer on the project, and from my brief interaction with him, he seems to know what he’s doing.
In the meantime, tread carefully. There is no alternative SSH agent application for Mac OS X that I know of. If you’re truly paranoid, you may want to use ssh-agent directly, which is a pain, or just bite the bullet and enter your passphrase every time. I still have high hopes for SSHKeychain. Maybe a little public thrashing will make sure the developers stay focused on security, as well as adding new features.
UPDATE 25-Aug-2007: I’m sorry I said there were no alternatives to SSHKeychain. I meant to say that there were no GUI alternatives that worked as well as SSHKeychain. There is another GUI application called SSH Agent which some people like. I used it before I found SSHKeychain, but it always prompts for a passphrase at login, which I don’t like. It also cannot remove keys based on system events, e.g. when I put the machine to sleep. There are plenty of other alternatives usually involving shell scripts of some sort. You may find that these work better for you. I’ll be sticking with SSHKeychain for now.