
How do I ensure that the Mac OS X Terminal asks me for my private-key’s password every time I SSH?

The only time the Mac OS X Terminal seems to ask for my identity file’s password is when I restart. I’m fairly paranoid, and this seems insecure; how can I ensure it asks for the password every time I attempt to use the key?

Asked by: Guest | Views: 352
Total answers/comments: 2
bert [Entry]

The ssh-agent stores these for the lifetime of a session (see the ssh-agent options via 'man ssh-agent'). You can shorten the lifetime of a key added to the agent with 'ssh-agent -t 1', but the ssh-agent is started by launchd at system startup. Here is a thread which describes how to deal with the problem: apple-discussion.
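
The agent lifetime option mentioned in the answer above, as an added example that is not part of the original thread: a throwaway agent started with -t and a constructed demo key show the agent forgetting the key once the timeout has passed. The function name agent_key_expires, the demo key and the temporary paths are assumptions made for this example.

```sh
#!/bin/sh
# Added example: a throwaway agent and key (both constructed here) show that
# an agent started with -t forgets identities once the lifetime has passed.
# Nothing touches the login agent or real keys.

# agent_key_expires LIFETIME_SECONDS
# Prints "loaded=<n> after=<n>": identities the agent holds right after
# ssh-add, and again one second past the lifetime.
agent_key_expires() {
    lifetime=$1
    dir=$(mktemp -d) || return 1
    (
        # Subshell: the agent variables set below never reach the caller,
        # and clearing them first keeps "ssh-agent -k" away from a real agent.
        unset SSH_AUTH_SOCK SSH_AGENT_PID
        trap 'ssh-agent -k >/dev/null 2>&1; rm -rf "$dir"' EXIT

        # Passphrase-less demo key so the example runs without a prompt.
        ssh-keygen -q -t ed25519 -N '' -f "$dir/demo_key" || exit 1

        # -t: default maximum lifetime of identities added to this agent.
        eval "$(ssh-agent -s -t "$lifetime" -a "$dir/agent.sock")" >/dev/null
        [ -n "$SSH_AGENT_PID" ] || exit 1

        ssh-add "$dir/demo_key" >/dev/null 2>&1 || exit 1
        loaded=$(ssh-add -l 2>/dev/null | grep -c ED25519 || true)

        sleep $((lifetime + 1))
        # The agent has dropped the key, so the next use must load it
        # from disk again.
        after=$(ssh-add -l 2>/dev/null | grep -c ED25519 || true)

        echo "loaded=$loaded after=$after"
    )
}

agent_key_expires 1
```
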
bert [Entry]

"You can set the default (login) keychain to lock on sleep or after a timeout, which also seems to flush the SSH agent.

Open Keychain Access and right-click the login keychain to change settings (I guess you'll want a shorter timeout than me):

Or if you prefer a commandline:

security set-keychain-settings -lu -t 1 # for a 1 second timeout

I was using the org.openbsd.ssh-agent.plist change you've mentioned in the comments, but on El Cap you need to disable System Integrity Protection to do that, which I wasn't crazy about. My solution requires an extra prompt to unlock, but it's the cleanest option I've found so far."