Encrypted keys and Keychain on Mac

[shcheklein]

I hit the "Permissions denied" problem on Mac recently. My config was:

(.venv) √ build/example-get-started % cat ~/.ssh/config
Host *
    UseKeychain yes

Passphrase was saved with ssh -K ~/.ssh/id_rsa for the default key.

With this setup, key is being ignored (while it's working fine with ssh, git, etc).

I had to also add key to the agent with ssh -A ... That helped and works fine.

Question: should it be addressed, how do ssh, git fetch keys from the Keychain?

[ronf]

As far as I know, keychain integration on the Mac is something is handled as a custom patch, in both the closed-source version that Apple ships and possibly as a patch provided by MacPorts. The details of how it works aren't publicly documented, though, and while I think Apple did release a patch under the BSD license, the changes are quite extensive so it may be difficult for any other SSH implementations to port and maintain, especially as Apple evolves the keychain internals.

In a quick search, I found https://github.com/jpouellet/MacPorts/blob/master/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch, which is an 11,000+ line diff. That's not something I would be comfortable trying to port.

If you've got things working with ssh-agent, that's probably your best option for sharing keys between OpenSSH and AsyncSSH without having to provide a password.

As for things working with git, I believe that may be using OpenSSH when SSH is requested, so any patches to OpenSSH are automatically picked up.

[efiop]

@ronf , thank you for a great answer, as always 🙏

Just wanted to clarify: you said you would not be comfortable trying to port it yourself, but you are not against the port in general, right? So if someone else would contribute a PR, you would consider it? Not saying I'm going to contribute it any time soon (not even 100% sure this makes sense), just wanted to clarify your theoretical stance on this, that's all 🙂

[ronf]

It isn't just porting -- the code would also need to be maintained.

Looking more closely, I think MacPorts might have dropped support for this patch back in 2020 -- see macports/macports-ports#9451. That also mentions that homebrew dropped their support for this patch back in 2016. Checking my local MacPorts version of OpenSSH, the "UseKeychain" option no longer shows up in the man page. It's still available in Apple's ssh binaries, but not if you get ssh from MacPorts or homebrew or build it yourself from original source.

Given the availability of the ssh-agent solution, I don't think it would make sense for anyone to try to build a Python version of this for AsyncSSH.

[efiop]

@ronf Makes sense. Thank you for clarifying!