Category: macOS

Using KeePass and KeeAgent on MacOS to handle SSH keys

This is the second a follow up post to the issue described in my previous post describing the issue with SSH keys being re-usable by anyone with privileged access on the SSH server. (Read more) This time the post is about a workaround to the issue on MacOS and in other words how to get KeePass and KeeAgent working on MacOS. Unfortunately KeePassX/KeePassXC the ports of KeePass that have MacOS native variants do not support plugins. So in order to get the KeeAgent plugin working, we need to run the Windows KeePass application using Mono.

Pre-requisites

  • Mono installed on your Mac. (Can be found at http://www.mono-project.com/download/)
  • A SSH private key in Putty format(.ppk) and the public key set on the SSH server authorized keys file.

Getting Ready

As mentioned previously we will be using the password manager called KeePass and it’s plugin called KeeAgent to store and present the SSH private key to putty. So lets get started.

  1. KeePass can be found at  https://keepass.info/ you need to download the portable version 2.xx (current version is 2.38) and unzip it.
  2. Install KeeAgent plugin which can be found at https://lechnology.com/software/keeagent/. Download it and unzip the file called KeeAgent.plgx to KeePass plugins directory – folder called plugins in the folder you unzipped.

Making KeePass run almost like a native app

To make KeePass a bit more comfortable to use, lets make it feel more like a native App. In order to do that do the following:

  • Make the App directory, by opening the terminal and inserting the following command:
mkdir -p/Applications/KeePass.app/Contents/MacOS
  • Move everything in the previously unzipped KeePass folder to /Applications/KeePass.app/Contents/MacOS
mv ~/Download/KeePass-2.38/* /Applications/KeePass.app/Contents/MacOS/
  • Create a shell script named KeePass in the same directory that will start up KeePass:
  • tee -a /Applications/KeePass.app/Contents/MacOS/KeePass << END
    #!/usr/bin/env bash
    /usr/local/bin/mono /Applications/KeePass.app/Contents/MacOS/KeePass.exe &
    END
  • Almost done, now you can start KeePass with a click of a button, but it isn’t ready yet to be used as a SSH key agent.

Getting the SSH key agent functionality working

Getting KeePass to work as an SSH key agent is a bit tricky, but nothing overwhelming. In order to do it you need to edit a few configuration files and add a script that would ask for confirmation. To achieve this it is necessary to disable System Integrity Protection(SIP) temporarily.

So as the first thing disable SIP temporarily by following the guidelines that can be found at https://www.imore.com/el-capitan-system-integrity-protection-helps-keep-malware-away.

After you log back in with SIP disabled you now should be able to add the ssh-ask-pass script to your system. To do that add the following text in to copy/paste the following text in to a file using your favourite text editor and save it on to your desktop to a file called ssh-askpass:

#!/bin/bash

# Script: ssh-askpass

# Author: Mark Carver# Created: 2011-09-14

# Licensed under GPL 3.0

# A ssh-askpass command for Mac OS X

# Based from author: Joseph Mocker, Sun Microsystems

# http://blogs.oracle.com/mock/entry/and_now_chicken_of_the 

# To use this script:

#   Install this script running INSTALL as root

# If you plan on manually installing this script, please note that you will have

# to set the following variable for SSH to recognize where the script is located:

#   export SSH_ASKPASS="/path/to/ssh-askpass" 

TITLE="${SSH_ASKPASS_TITLE:-SSH}";

TEXT="$(whoami)'s password:";

IFS=$(printf "\n");

CODE=("on GetCurrentApp()");

CODE=(${CODE[*]} "tell application \"System Events\" to get short name of first process whose frontmost is true");

CODE=(${CODE[*]} "end GetCurrentApp");

CODE=(${CODE[*]} "tell application GetCurrentApp()");

CODE=(${CODE[*]} "activate");

CODE=(${CODE[*]} "display dialog \"${@:-$TEXT}\" default answer \"\" with title \"${TITLE}\" with icon caution with hidden answer");

CODE=(${CODE[*]} "text returned of result");

CODE=(${CODE[*]} "end tell");

SCRIPT="/usr/bin/osascript"

for LINE in ${CODE[*]}; do

    SCRIPT="${SCRIPT} -e $(printf "%q" "${LINE}")";

done;

eval "${SCRIPT}";

After saving the script move it to/usr/X11R6/bin/ssh-askpass and set its permissions. The target folder usually doesn’t exist by default and you need to create it. To achieve the aforementioned tasks do the following in the terminal:

sudo mdkir -p /usr/X11R6/bin/
sudo mv ~/Desktop/ssh-askpass /usr/X11R6/bin/ssh-askpass
sudo chown -R root:wheel /usr/X11R6
chmod a+rx /usr/X11R6/bin/ssh-askpass

Now you can re-enable SIP.

Starting KeePass for the first time

Now you can test it out by starting KeepAss, be aware that the first time loading KeePass in mono can be really slow. Next follow the same steps as were in Windows , they can be found in the KeePass Windows article here.
Now if you have your KeePass ready for use try it out in terminal by connecting to your desired host via ssh by simply issuing the “ssh username@host” command.

SSH key based authentication secure and convenient or is it?

SSH key based authentication secure and convenient or is it? Well that seems really obvious that it is secure and convenient no passwords to be guessed and changed all the time, or that can be guessed logging on to servers much faster. But when done improperly it isn’t that safe and secure as it would seem.

The issue

When logging on to SSH servers using authentication agent forwarding for convenience so you could jump hosts using the same key. See nothing wrong with it?  Still seems all good and  secure? Well not that secure any more, as soon as convenience of the authentication agent forwarding comes to play a little issue arrises that a lot of people do not think about. Namely the key you used to authenticate to the server is now accessible to others on the server, not in the sense that they could copy it, but they can use it to authenticate to other servers where your key would be valid and that are accessible from that server. Although it requires escalated privileges to get access to it, it is still a problem. So where is this key located? It goes to the /tmp/ folder. As the following is an example from my test machine:

huxx@lnx:~# ls -la /tmp/

total 10

drwxrwxrwt 10 root     root     3072 Feb  1 01:00 .

drwxr-xr-x 23 root     root     4096 Jun  2  2015 ..

drwx------  2 huxx     huxx     1024 Feb  1 00:36 ssh-DhNiAzWTEV
huxx@lnx:~# ls -la /tmp/ssh-DhNiAzWTEV

total 4

drwx------  2 huxx huxx 1024 Feb  1 00:36 .

drwxrwxrwt 10 root root 3072 Feb  1 01:01 ..

srwxr-xr-x  1 huxx huxx    0 Feb  1 00:36 agent.18922

Is there a solution for it?

So is there a solution for the afore mentioned issue? Well luckily  Yes there is. There are SSH key agents out there that actually ask for your permission first before allowing access to the private key. For Windows one such solution would be to use the KeeAgent plugin for the password manager called KeePass it allows to set a password/confirmation to be prompted for every time someone/something tries to access the private key. The same combination will also work on macOS with a bit of work by porting the Windows application using mono for Mac and adding ssh-askpass script to the system. The exact solutions will be shown in followup posts to come.

Edit:
Solution for Windows users described here: https://www.huxxit.com/index.php/2018/02/02/safer-ssh-key-usage-windows-just-using-putty-pageant/

macOS FDE user management

When using FDE (full disk encryption) on a mac you might want to limit the users that actually can decrypt the disk. If that is the case then you might find the following commands interesting:

1) List the users able to decrypt the disk:

sudo fdesetup list

2) Remove a users ability to decrypt:

sudo fdesetup remove -user user.name

3) Add the user the ability to decrypt:

sudo fdesetup add -usertoadd user.name