OpenSSH, ECDSA, and OS X

I’ve been wanting to play with ECDSA ssh keys for a while (If memory serves, it became available in early 2011).

I hoped that 10.7 (Lion) would support it (the man pages confused things because they talk about generating and using ECDSA keys, but the utilities don’t actually do it). Then I hoped that 10.8 (Mountain Lion) would support. I finally gave up and installed my own version of OpenSSH through Homebrew . After a bit of googling, and some trial and error, here are the steps I arrived at successfully.

Homebrew dupes

We need to add the dupes tap to Homebrew. This is essentially an extra repo, but all the recipes in it, duplicate things that are installed by default in the system.

1brew tap homebrew/dupes

Compile/install OpenSSH

We also want to bring in a new OpenSSL with extra optimizations, which is easy with Homebrew. As a last bit to this step, we will ensure that the new ssh-agent is launchd and keychain compatible.

1brew install openssh --with-brewed-openssl --with-keychain-support

Tweaking launchd

We need to fix the launchd plist if we want to use the new agent (which we do, because how else would you manage all your ssh keys?). The overview is to simply replace ‘/usr/bin/ssh-agent’ with ‘/usr/local/bin/ssh-agent’.

1	launchctl stop org.openbsd.ssh-agent
2	launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
3	sudo vi /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
4	launchctl load -w -S Aqua /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

Updating the environment

The SSH_AUTH_SOCK environment variable needs to be updated for new or existing terminal sessions. The slacker way is to logout or restart. Just export the variable, or setenv if you (t)csh. (ba,z)sh:

1	export SSH_AUTH_SOCK=$(launchctl getenv SSH_AUTH_SOCK)


1	setenv SSH_AUTH_SOCK "`launchctl getenv SSH_AUTH_SOCK"

Generating an ECDSA key

Now we can finally generate our ECDSA key and add your new key to your ssh-agent(1)

 1[louisk@iPwn louisk ]$ ssh-keygen -t ecdsa
 2Generating public/private ecdsa key pair.
 3Enter file in which to save the key (/Users/louisk/.ssh/id_ecdsa): 
 4Enter passphrase (empty for no passphrase):
 5Enter same passphrase again:
 6Your identification has been saved in /Users/louisk/.ssh/id_ecdsa.
 7Your public key has been saved in /Users/louisk/.ssh/
 8The key fingerprint is:
 9b5:06:56:e9:0b:c0:ce:21:6c:2b:f3:88:19:df:bc:61 louisk@iPwn
10The key's randomart image is:
11+---[ECDSA 256]---+
12|   . .    ..     |
13|    + +  ..      |
14|   . = oo..      |
15|. o . o..o..     |
16| = B    S.o.     |
17|o o E    ..      |
18|   . o           |
19|    .            |
20|                 |
22[louisk@iPwn louisk ]$
1[louisk@iPwn louisk ]$ ssh-add .ssh/id_ecdsa
2Enter passphrase for .ssh/id_ecdsa:
3Identity added: .ssh/id_ecdsa (.ssh/id_ecdsa)
4[louisk@iPwn louisk ]$ ssh-add -l
5521 b3:0c:26:1a:58:23:87:5c:fc:b0:db:51:9a:92:55:ae .ssh/id_ecdsa (ECDSA)
6[louisk@iPwn louisk ]$

Testing the key

Don’t forget to copy your new key (by default: to your ~/.ssh/authorized_keys on your remote hosts. You should now be able to login to a host using an ECDSA key exchange. Evidence of success can be seen by looking at the verbose output from ssh (logging in to a Juniper switch).

 1	[louisk@mpro louisk 177 ]$ ssh -v
 2	OpenSSH_6.4, OpenSSL 1.0.1f 6 Jan 2014
 3	debug1: Reading configuration data /Users/louisk/.ssh/config
 4	debug1: /Users/louisk/.ssh/config line 59: Applying options for *
 5	debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
 6	debug1: Connecting to [] port 22.
 7	debug1: Connection established.
 8	debug1: identity file /Users/louisk/.ssh/id_ecdsa type 3
 9	debug1: identity file /Users/louisk/.ssh/id_ecdsa-cert type -1
10	debug1: Enabling compatibility mode for protocol 2.0
11	debug1: Local version string SSH-2.0-OpenSSH_6.4
12	debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
13	debug1: match: OpenSSH_6.1 pat OpenSSH*
14	debug1: SSH2_MSG_KEXINIT sent
15	debug1: SSH2_MSG_KEXINIT received
16	debug1: kex: server->client aes128-ctr hmac-md5 none
17	debug1: kex: client->server aes128-ctr hmac-md5 none
18	debug1: sending SSH2_MSG_KEX_ECDH_INIT
19	debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
20	debug1: Server host key: ECDSA 2e:5a:65:f0:bc:42:d2:22:e6:7d:71:65:0c:4f:b0:06
21	debug1: Host '' is known and matches the ECDSA host key.
22	debug1: Found key in /Users/louisk/.ssh/known_hosts:196
23	debug1: ssh_ecdsa_verify: signature correct
24	debug1: SSH2_MSG_NEWKEYS sent
25	debug1: expecting SSH2_MSG_NEWKEYS
26	debug1: SSH2_MSG_NEWKEYS received
27	debug1: Roaming not allowed by server
28	debug1: SSH2_MSG_SERVICE_REQUEST sent
29	debug1: SSH2_MSG_SERVICE_ACCEPT received
30	debug1: Authentications that can continue: publickey,password,keyboard-interactive
31	debug1: Next authentication method: publickey
32	debug1: Offering ECDSA public key: /Users/louisk/.ssh/id_ecdsa
33	debug1: Server accepts key: pkalg ecdsa-sha2-nistp521 blen 172
34	debug1: Authentication succeeded (publickey).
35	Authenticated to ([]:22).
36	debug1: channel 0: new [client-session]
37	debug1: Requesting
38	debug1: Entering interactive session.
39	debug1: Requesting authentication agent forwarding.
40	--- JUNOS 13.2X50-D15.3 built 2013-09-22 23:13:21 UTC
41	{master:0}
42	louisk@switch0.cmhome> exit
44	debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
45	debug1: client_input_channel_req: channel 0 rtype reply 0
46	debug1: channel 0: free: client-session, nchannels 1
47	Connection to closed.
48	Transferred: sent 3416, received 2240 bytes, in 7.2 seconds
49	Bytes per second: sent 473.1, received 310.2
50	debug1: Exit status 0
51	[louisk@mpro louisk 178 ]$

Its probably worth noting that if you don’t put “/usr/local/bin” ahead of “/usr/bin” in your shell “$PATH”, things won’t work the way you want. All you have to do is add “/usr/local/bin” first, then everything works fine.

Update for Yosemite

UPDATE: This works fine with OS X Yosemite 10.10

Update for El Capitan

UPDATE: In order to make the plist changes, you will need to disable rootless. Please see this article on rootless and boot-args .

ssh-agent (from homebrew) is not working currently. This may (or may not) get fixed for the release.