Filed under sysadmin

SSH Keys on a USB jump drive on Mac OS X Part 2

All right! You read my post SSH Keys on a USB jump drive on Mac OS X (Mountain Lion Edition) and want to take this to the next level, huh? Maybe having your config pointing back to a jump drive, and having to have it plugged in every time you want to log into something, is sooooo lame. You often just leave it there, plugged in, when you walk away from your workstation. There has to be a better way…

I got you bro

What you need to be doing is adding your keys to ssh-agent on demand, then pulling the drive out except for when you REALLY need it. But how do you do that easily?

I got you bro

Windows

Let's start with the basics. PuTTY Download Page - Pageant

  • Download it.
  • Install it.
  • Yes, you have to use their crappy ppk format, so convert your key once with PuTTYgen (Conversions > Import key, then Save private key) and keep the .ppk on the drive next to the original.
  • Start Pageant, then load your ppk version of your key.
  • Eject the drive.
  • Open a new session; don't bother manually adding the key.
  • Party time
  • Excellent

The cool part is that Pageant remembers your keys, so if you pin it to the start menu it's highlight, hover, enter, password… you get the point.

The shitty part is that it keeps that key loaded with no lifetime at all: there is no equivalent of ssh-add -t, so the key sits in memory until you hit Remove Key in Pageant's key list, quit Pageant, or reboot. That's ULTRA fucking weak. Sorry windows. If anyone knows better give me a shout out.

Linux

Linux is easier and way better. Let's assume you do everything in the command line. A bash alias can't take a $1 argument (it just pastes its text in front of whatever you typed), so make it a shell function in your ~/.bashrc instead:

loadkey() { ssh-add -t 30m "/mnt/whatever/ssh/$1"; }

then all you have to do is

loadkey keyname

then POW!!! for 30 minutes you have your key loaded, and after that ssh-agent forgets it on its own. See the 30m in the command? Change that for maximum moddage of commands. Are you a lazy brogrammer slash skriptkiddie and need the time format table?

Bro… got… you are… by me

<none>  seconds
s | S   seconds
m | M   minutes
h | H   hours
d | D   days
w | W   weeks

Time format examples:
600     600 seconds (10 minutes)
10m     10 minutes
1h30m   1 hour 30 minutes (90 minutes)

Damn! Yea….
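Here is a fuller version of that loadkey, added as an example and not code from the original post: a POSIX sh function that checks the key file exists and the lifetime string is well formed before it ever calls ssh-add, plus a keytime_seconds helper that implements the table above the same way OpenSSH's convtime() does (a bare number is seconds, units chain, case doesn't matter, and a trailing bare number after a unit still counts as seconds, so 1h30 is 3630). The KEYDRIVE variable, the 30m default and the dropkeys function are my additions; /mnt/whatever/ssh is the post's own placeholder path.

```shell
#!/bin/sh
# Added example: lifetime-bounded key loading from the jump drive.
# KEYDRIVE and the 30m default are assumptions; the path is the post's placeholder.
KEYDRIVE=${KEYDRIVE:-/mnt/whatever/ssh}

# Convert an ssh-add(1) lifetime ("600", "10m", "1h30m", "2D") to seconds,
# following the rules of OpenSSH's convtime(): a number with no unit is
# seconds, units may be chained, and case does not matter.
# Prints the total and returns 0, or prints nothing and returns 1 on junk.
keytime_seconds() {
  rest=$1
  total=0
  [ -n "$rest" ] || return 1
  while [ -n "$rest" ]; do
    num=${rest%%[!0-9]*}          # leading digits of the next term
    [ -n "$num" ] || return 1     # a unit with no number, or a stray character
    rest=${rest#"$num"}
    unit=${rest%"${rest#?}"}      # the next character; empty at end of string
    rest=${rest#?}
    case "$unit" in
      '' | s | S) mult=1 ;;
      m | M)      mult=60 ;;
      h | H)      mult=3600 ;;
      d | D)      mult=86400 ;;
      w | W)      mult=604800 ;;
      *)          return 1 ;;
    esac
    # strip leading zeros so "010" is not read as octal by $((...))
    while [ "${#num}" -gt 1 ] && [ "${num#0}" != "$num" ]; do num=${num#0}; done
    total=$((total + num * mult))
  done
  printf '%s\n' "$total"
}

# loadkey KEYNAME [LIFETIME]: add one key from the drive for a bounded time.
# Refuses to touch ssh-add if the file is missing or the lifetime is junk.
loadkey() {
  key=$KEYDRIVE/$1
  life=${2:-30m}
  [ -f "$key" ] || { echo "loadkey: no such key file: $key" >&2; return 1; }
  secs=$(keytime_seconds "$life") || { echo "loadkey: bad lifetime: $life" >&2; return 1; }
  echo "loadkey: $key will expire from the agent in ${secs}s" >&2
  ssh-add -t "$life" "$key"
}

# dropkeys: flush every identity from the agent before you walk away.
dropkeys() {
  ssh-add -D
}
```

Source it from ~/.bashrc and use it as loadkey id_rsa or loadkey id_rsa 1h30m; the validation means a typo in the lifetime fails loudly instead of leaving you guessing why ssh-add complained, and dropkeys is the "I'm leaving the desk" button.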

Mac

Ok, this is where the gold is. I slaved over a hot mess of applescript to bring you guys this, so feel the love, bro. Since it's my Mac and I wanted key loading to be as easy as possible I pulled out all my scripting to invoke MAXIMUM lazy.

Maximum lazy engage!

Ok. To start, there is no ssh-askpass on Mac OS X Mountain Lion, which is fairly un-bro of Apple, but whatever. ssh-add can only prompt on a terminal or by running whatever program SSH_ASKPASS points at and reading the passphrase from that program's stdout, so I replaced the missing askpass with an applescript I stole and slightly tweaked to run better.

Take this, it's dangerous to go alone. onlyhavecans/mac-ssh-askpass · GitHub

Just put it in ~/Applications like me, or /usr/local/bin, or wherever makes you warmest and fuzziest inside, and make sure it is executable (chmod +x) or ssh-add can't run it. Either way don't forget where you put our makeshift ssh-askpass.

Now break out the applescript editor and take this puppy for a ride.

(*
This key adding mini program indexes the keyfiles on your jump drive
then prompts you for which one you want to load into ssh-agent

You need mac-ssh-askpass for this to work as well
https://github.com/onlyhavecans/mac-ssh-askpass
*)

property keyFolder : "KEYDRIVE:ssh"
property askPass : "$HOME/Applications/ssh-askpass"
property keyTime : "1h"

tell application "System Events"
  set theList to the name of every item of folder keyFolder
  set theKeys to {}
  repeat with i from 1 to the count of theList
    set theFile to item i of theList -- a plain string, not a one-item list
    if (theFile as string) ends with "pem" or (theFile as string) ends with "_dsa" or (theFile as string) ends with "_rsa" then
      set end of theKeys to theFile
    end if
  end repeat
  if theKeys is {} then error "No key files found in " & keyFolder

  set frontApp to short name of first process whose frontmost is true
  tell application frontApp
    activate
    set theChoice to choose from list theKeys with title "Choose your Destiny" with prompt "What Key do you want to activate for " & keyTime default items {first item of theKeys} without empty selection allowed and multiple selections allowed
  end tell
  -- choose from list returns false on Cancel, otherwise a one-item list
  if theChoice is false then return
  set theKey to item 1 of theChoice

  set keyPath to (POSIX path of folder keyFolder) & "/" & theKey
  -- ssh-add only runs SSH_ASKPASS when it has no terminal AND DISPLAY is set,
  -- so hand it a dummy DISPLAY in case the GUI session has none.
  -- quoted form keeps spaces or odd characters in the path safe for sh.
  do shell script "DISPLAY=:0 SSH_ASKPASS=" & askPass & " /usr/bin/ssh-add -t " & keyTime & " " & quoted form of keyPath
end tell

Now pay attention or this will hurt.

The keyFolder property is in Apple's colon-separated format because it just worked better that way. It needs to point to the folder that has all your key files. The format is drive:folder:subfolder:youget:theidea, so for the drive from part 1 it would be something like iamaKey:ssh. Now make sure to set that and the location of our new ask-pass. Also, because I was a lazy scripter, the filter is hardcoded. If your key files end in anything other than .pem, _rsa, or _dsa you are perfectly legit but I hate you anyways, and you will need to edit the nasty ends with line.

Now... toss this applescript in your scripts folder and set the hotkey ctrl-opt-k in FastScripts, and if you don't have it then shut up and go buy it in thanks for having this awesomeness rained down upon you… or put it in Alfred App... whatever bro; the point is you should be running all your shell and applescripts from the keyboard, so do it.

Now hit that key command and watch the awesome of the menu box you can arrow through! Select your key of the minute and hit enter! Be amazed at the applescript password prompt.

Feel amazing bro. Feel amazing.

Note for those who are curious.

The applescripts are hooking off the frontmost application. IE it's telling whatever app is in front to activate[1] and then display the dialogs for the script. So don't bug out because the icon displayed is some random-seeming app on your system. I do this so that the box is always in front, so it can be keyboard operated, and it drops you right back into your frontmost app without fuzzing off the focus elsewhere or into some truly random app of my choosing like Finder.

I'll probably put this in my GitHub later, or forget and leave it as a blog exclusive so enjoy.


  1. I had some weird edge case focus issues and making sure to activate before springing the next dialog box smoothed it all out. Sorry if that has any weirds, it really shouldn't.


Update to my Transmission Tools

Nope, not something to help unmount and flush your transmissions, it's some tools for Transmission, specifically MY tools.

I just thought I would share that I redid this repository completely and cleaned up the Move & Stop script to cover some possible bugs and be a bit more modern Python. If you had any problems with it not moving single files, or just wanted some slightly cleaner code, go grab the new version.

I should really break out TransmissionRequestWrapper into its own package and distribute that since it's so sweet. Please feel free to use it with some credit.

onlyhavecans/Transmission_Tools · GitHub


SSH Keys on a USB jump drive on Mac OS X (Mountain Lion Edition)

Here I address the eternal struggle.

I want to store all my private keys on the jump drive I wear around everywhere. I use Windows, Linux, but primarily Macs to do my work, so it needs to be formatted as some FAT variant. I want to use the absolutely least hacky way.

Windows and Linux were easy to overcome. In short, for Windows you use PuTTY to make a PuTTY key, and in Linux you do something shockingly similar to what is below… but I get ahead of myself.

All the searches in DuckDuckGo and Google came up with "Nope! Can't do it! Give up!" for the Mac. All these people are horrible liars and don't want you to succeed. After figuring this out it was REALLY EASY as long as you are terminal competent. If you aren't terminal competent I'm not sure why you read my blog; I'd assume most of my stuff is really flying over your head.

As always YMMV and don't copy paste things I write here into the terminal.

tl;dr jump point

  1. Find your uid with "id -u". 99% of the time it's 501.
  2. Double check your drive name with "ls -ln /Volumes".
  3. With sudo, add a new line to /etc/fstab[1] (sudo vifs edits it with the proper locking and creates it if it's missing):
    #Drive called iamaKey and user 501
    LABEL=iamaKey none msdos -u=501,-m=700
    
    -u makes your uid the owner of everything on the drive and -m=700 masks the permissions down to owner-only. FAT has no permissions of its own, so without this OS X mounts the drive readable by everyone and ssh refuses the private keys as too open; with it, ssh is happy and nobody else on the box can read them.

There is no step 4; eject & replug your key to enjoy ssh keys used directly from the drive.
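The three steps above as one idempotent shell script, added here as an example and not the post's own code: it validates the label and uid, builds the fstab line exactly as written above, and appends it only if the file has no entry for that label yet, so rerunning it on a Mac you already set up does nothing. The function and variable names are mine, and it assumes the -u=uid,-m=mask option syntax the post uses.

```shell
#!/bin/sh
# Added example: build and install the /etc/fstab line that mounts a FAT
# jump drive owner-only on OS X. Names are assumptions; the line format is the post's.

# valid_label LABEL: reject labels that will misbehave. fstab fields are
# whitespace separated, colons are HFS path separators, slashes are POSIX ones.
valid_label() {
  case "$1" in
    '' | *[[:space:]]* | *:* | */* ) return 1 ;;
  esac
  return 0
}

# fstab_line LABEL UID: print the entry. Mode 700 so only that uid can read
# the keys; a non-numeric uid is refused rather than written to fstab.
fstab_line() {
  label=$1
  uid=$2
  valid_label "$label" || return 1
  case "$uid" in '' | *[!0-9]* ) return 1 ;; esac
  printf 'LABEL=%s none msdos -u=%s,-m=700\n' "$label" "$uid"
}

# add_keydrive LABEL [UID] [FSTAB]: append the entry to FSTAB (default
# /etc/fstab) unless the first field of some line already names that label.
# Run as root for the real file, e.g.
#   sudo sh -c '. ./keydrive.sh; add_keydrive iamaKey 501'
add_keydrive() {
  label=$1
  uid=${2:-$(id -u)}
  fstab=${3:-/etc/fstab}
  line=$(fstab_line "$label" "$uid") || { echo "add_keydrive: bad label or uid" >&2; return 1; }
  if [ -f "$fstab" ] && awk -v l="LABEL=$label" '$1 == l { found = 1 } END { exit !found }' "$fstab"; then
    echo "add_keydrive: $fstab already has an entry for $label" >&2
    return 0
  fi
  printf '#Drive called %s and user %s\n%s\n' "$label" "$uid" "$line" >> "$fstab"
}
```

After running it, eject and replug the drive and confirm with "ls -ln /Volumes" as described below; the awk check matches the whole first field, so iamaKey and iamaKey2 are kept apart.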

Considerations

  • You have to do this on every mac you use. The drive name is always the same but there is a chance the user id is different.

  • If you aren't sure if it worked or are having trouble give another "ls -ln /Volumes" which should look shockingly similar to this if you did it right:

    lrwxr-xr-x  1 0    80     1 Feb 25 07:01 Macintosh HD -> /
    drwx------  1 501  20  8192 Feb 25 10:17 iamaKey
    
  • You should REALLY make sure this drive name is unique to this drive on your machine. Any drive with the same name will get grabbed up by this now, and if it's not msdos formatted, or you don't want this, havoc can be had.

  • In a multi-user environment this could likely cause weird edge case problems unless you are using very unique drive names.

  • I'm really sure putting spaces in your drive name will only wreak havoc. However, you would assume that having lowercase letters in it would also fail hard, but as you can see it works fine for me.

  • If you wanna be really cool then set up your config file on the jump drive as well, and then alias keyssh to 'ssh -F /path/to/usb/config'. Then that can ALL follow you around, except on Linux, since it would mount under /media or whatever instead of /Volumes, breaking all your paths in the config. But then you can just create a symlink anyways and it will work again… or something like that.

  • While not the point of this article, your OpenPGP, GnuPG, GPG, whateverPG, etc. keys should also be WAY happier now placed on the jump drive. I believe they also hate being world readable.

  • This may not work in 10.9 or 11 or whatever comes next. The file /etc/fstab.hd says this is on the deprecation list. If Apple does break this down the road and you are reading this from the future, the trick is to go looking wherever diskarbitrationd or its successor is getting its settings.

  • Final note: if you are going to do all this PLEASE don't use password-less keys. Just don't do it. Especially if you put your config file on the drive too; then you are just telling whoever finds the drive what systems they now have access to. Each key on the drive should have a strong & long passphrase, have its comment clearly marked as being the jump drive key (on the machines the key is loaded on), and should be unique to that jump drive only so it can be easily purged and reissued in case of loss.


  1. On a new 10.8 machine /etc/fstab does not exist. You must create a fresh file as root (sudo vifs will create it for you).
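The "config on the drive plus a symlink" idea from the considerations above, worked through as an added example that is not the post's own code: find_keydrive looks for the drive under the usual OS X and Linux automount roots, link_keydrive points a fixed ~/.keydrive symlink at wherever it landed, and keyssh runs ssh with the drive's config and refuses to run at all if the drive isn't there. With the symlink in place the IdentityFile lines in that config can say ~/.keydrive/ssh/id_rsa and the same file works on both OSes. The label iamaKey is the post's; the mount root list, the symlink location and the function names are my assumptions.

```shell
#!/bin/sh
# Added example: make the ssh config on the jump drive portable across OS X
# and Linux. Label, mount roots and symlink location are assumptions.
KEYLABEL=${KEYLABEL:-iamaKey}
KEYDRIVE_LINK=${KEYDRIVE_LINK:-$HOME/.keydrive}

# find_keydrive [ROOT...]: print where the drive is mounted right now.
# With no arguments it tries the usual automount roots on OS X and Linux;
# arguments override that list (which is also how the test drives it).
find_keydrive() {
  [ $# -gt 0 ] || set -- /Volumes "/media/$USER" "/run/media/$USER" /media /mnt
  for root in "$@"; do
    if [ -d "$root/$KEYLABEL" ]; then
      printf '%s\n' "$root/$KEYLABEL"
      return 0
    fi
  done
  return 1
}

# link_keydrive [ROOT...]: point the fixed symlink at the live mount point.
# The config on the drive can then say
#   IdentityFile ~/.keydrive/ssh/id_rsa
# on every machine. ln -n replaces an existing link instead of creating a
# new link inside the directory the old one points to.
link_keydrive() {
  drive=$(find_keydrive "$@") || return 1
  ln -sfn "$drive" "$KEYDRIVE_LINK"
}

# keyssh HOST...: ssh using the drive's config and only that config, so a
# missing drive is a loud error rather than a silent fall back to ~/.ssh/config.
keyssh() {
  link_keydrive || { echo "keyssh: $KEYLABEL is not mounted" >&2; return 1; }
  ssh -F "$KEYDRIVE_LINK/ssh/config" "$@"
}
```

Keep the keys themselves passphrase-protected as the final note above says; the symlink only solves the path problem, it does nothing for a lost drive.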
