This is the second a follow up post to the issue described in my previous post describing the issue with SSH keys being re-usable by anyone with privileged access on the SSH server. (Read more) This time the post is about a workaround to the issue on MacOS and in other words how to get KeePass and KeeAgent working on MacOS. Unfortunately KeePassX/KeePassXC the ports of KeePass that have MacOS native variants do not support plugins. So in order to get the KeeAgent plugin working, we need to run the Windows KeePass application using Mono.

Pre-requisites

  • Mono installed on your Mac. (Can be found at http://www.mono-project.com/download/)
  • A SSH private key in Putty format(.ppk) and the public key set on the SSH server authorized keys file.

Getting Ready

As mentioned previously we will be using the password manager called KeePass and it’s plugin called KeeAgent to store and present the SSH private key to putty. So lets get started.

  1. KeePass can be found at  https://keepass.info/ you need to download the portable version 2.xx (current version is 2.38) and unzip it.
  2. Install KeeAgent plugin which can be found at https://lechnology.com/software/keeagent/. Download it and unzip the file called KeeAgent.plgx to KeePass plugins directory – folder called plugins in the folder you unzipped.

Making KeePass run almost like a native app

To make KeePass a bit more comfortable to use, lets make it feel more like a native App. In order to do that do the following:

  • Make the App directory, by opening the terminal and inserting the following command:
mkdir -p/Applications/KeePass.app/Contents/MacOS
  • Move everything in the previously unzipped KeePass folder to /Applications/KeePass.app/Contents/MacOS
mv ~/Download/KeePass-2.38/* /Applications/KeePass.app/Contents/MacOS/
  • Create a shell script named KeePass in the same directory that will start up KeePass:
  • tee -a /Applications/KeePass.app/Contents/MacOS/KeePass << END
    #!/usr/bin/env bash
    /usr/local/bin/mono /Applications/KeePass.app/Contents/MacOS/KeePass.exe &
    END
  • Almost done, now you can start KeePass with a click of a button, but it isn’t ready yet to be used as a SSH key agent.

Getting the SSH key agent functionality working

Getting KeePass to work as an SSH key agent is a bit tricky, but nothing overwhelming. In order to do it you need to edit a few configuration files and add a script that would ask for confirmation. To achieve this it is necessary to disable System Integrity Protection(SIP) temporarily.

So as the first thing disable SIP temporarily by following the guidelines that can be found at https://www.imore.com/el-capitan-system-integrity-protection-helps-keep-malware-away.

After you log back in with SIP disabled you now should be able to add the ssh-ask-pass script to your system. To do that add the following text in to copy/paste the following text in to a file using your favourite text editor and save it on to your desktop to a file called ssh-askpass:

#!/bin/bash

# Script: ssh-askpass

# Author: Mark Carver# Created: 2011-09-14

# Licensed under GPL 3.0

# A ssh-askpass command for Mac OS X

# Based from author: Joseph Mocker, Sun Microsystems

# http://blogs.oracle.com/mock/entry/and_now_chicken_of_the 

# To use this script:

#   Install this script running INSTALL as root

# If you plan on manually installing this script, please note that you will have

# to set the following variable for SSH to recognize where the script is located:

#   export SSH_ASKPASS="/path/to/ssh-askpass" 

TITLE="${SSH_ASKPASS_TITLE:-SSH}";

TEXT="$(whoami)'s password:";

IFS=$(printf "\n");

CODE=("on GetCurrentApp()");

CODE=(${CODE[*]} "tell application \"System Events\" to get short name of first process whose frontmost is true");

CODE=(${CODE[*]} "end GetCurrentApp");

CODE=(${CODE[*]} "tell application GetCurrentApp()");

CODE=(${CODE[*]} "activate");

CODE=(${CODE[*]} "display dialog \"${@:-$TEXT}\" default answer \"\" with title \"${TITLE}\" with icon caution with hidden answer");

CODE=(${CODE[*]} "text returned of result");

CODE=(${CODE[*]} "end tell");

SCRIPT="/usr/bin/osascript"

for LINE in ${CODE[*]}; do

    SCRIPT="${SCRIPT} -e $(printf "%q" "${LINE}")";

done;

eval "${SCRIPT}";

After saving the script move it to/usr/X11R6/bin/ssh-askpass and set its permissions. The target folder usually doesn’t exist by default and you need to create it. To achieve the aforementioned tasks do the following in the terminal:

sudo mdkir -p /usr/X11R6/bin/
sudo mv ~/Desktop/ssh-askpass /usr/X11R6/bin/ssh-askpass
sudo chown -R root:wheel /usr/X11R6
chmod a+rx /usr/X11R6/bin/ssh-askpass

Now you can re-enable SIP.

Starting KeePass for the first time

Now you can test it out by starting KeepAss, be aware that the first time loading KeePass in mono can be really slow. Next follow the same steps as were in Windows , they can be found in the KeePass Windows article here.
Now if you have your KeePass ready for use try it out in terminal by connecting to your desired host via ssh by simply issuing the “ssh username@host” command.