A macOS menubar agent that listens for screen lock and sleep events and then communicates with ssh-agent to unload keys from memory.
ktgeek/supreSSHion
A macOS menubar agent that listens for screen lock and sleep events and then communicates with ssh-agent to unload keys from memory. It can also temporarily disable this functionality as requested by the user.
Minimum version of macOS for the build is macOS 14.x/Sonoma.
Best practice is to unload your ssh keys from ssh-agent when you're not actively using them or not at your computer. The problem is that no one remembers to do this themselves.

Long ago I used a tool called SSHKeyChain that filled in for ssh-agent before OS X had it well integrated. Besides asking you for your key when it was needed, it would remove the keys on certain events such as the screen locking.

SSHKeyChain fell out of support, and then a friend of mine wrote a blog post and a user daemon called ssh_locker to fill in that gap. I used ssh_locker for a long time and made modifications as times changed.

One issue is that bringing this to users who are new to ssh and/or aren't familiar with compiling on OS X and/or up to speed with putting LaunchAgents in their Library, etc., was problematic. Additionally, there have been some situations where I've wanted to temporarily disable the key unloading, which was not easy to do with the background daemon version of ssh_locker. For these reasons a menubar application seemed like a good fit.

After giving an internal talk on ssh at my company earlier in the year, I was inspired to finally turn this idea into reality.
When launched, supreSSHion registers itself as a listener for "screen is locked" and "workspace will sleep" events.

When it receives a lock event, it communicates with ssh-agent over its unix socket, asking ssh-agent to unload all known keys. It locates the unix socket via the SSH_AUTH_SOCK environment variable. macOS automatically creates that environment variable when you log in.
If the key removal functionality is disabled, lock events will not trigger key removal. When the screen is locked and the expiration time of the disable has been reached, the keys will be removed.

When a sleep event is received, it will reactivate the key removal if the user had disabled the key unloading functionality.
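The mechanism described above, as an added example that is not supreSSHion's own code: the ssh-agent wire exchange that unloads every key (the `SSH_AGENTC_REMOVE_ALL_IDENTITIES` request, answered by `SSH_AGENT_SUCCESS`), plus the lock / sleep / temporary-disable logic the README lays out. The `KeyLocker` and `FakeAgent` names are assumptions; `FakeAgent` is a constructed in-process stand-in for ssh-agent so the example runs offline without touching a real agent at `SSH_AUTH_SOCK`.

```python
import os
import socket
import struct
import tempfile
import threading

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_REMOVE_ALL_IDENTITIES = 19
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or raise if the agent hangs up."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed connection")
        buf += chunk
    return buf


def _send(sock, payload: bytes) -> bytes:
    """Send one length-prefixed agent message and return the reply body."""
    sock.sendall(struct.pack(">I", len(payload)) + payload)
    (length,) = struct.unpack(">I", _recv_exact(sock, 4))
    return _recv_exact(sock, length)


def count_identities(sock_path: str) -> int:
    """Ask the agent how many keys are loaded (SSH_AGENTC_REQUEST_IDENTITIES)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        reply = _send(s, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
    if reply[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise RuntimeError(f"unexpected reply type {reply[0]}")
    return struct.unpack(">I", reply[1:5])[0]


def remove_all_identities(sock_path: str) -> bool:
    """Ask the agent to unload every key; True on SSH_AGENT_SUCCESS."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        reply = _send(s, bytes([SSH_AGENTC_REMOVE_ALL_IDENTITIES]))
    return reply[0] == SSH_AGENT_SUCCESS


class KeyLocker:
    """Lock / sleep / disable behaviour as the README describes (assumed name)."""

    def __init__(self, sock_path: str):
        self.sock_path = sock_path
        self.disabled_until = None  # clock value; None means removal is enabled

    def disable_for(self, seconds: float, now: float) -> None:
        self.disabled_until = now + seconds

    def enabled(self, now: float) -> bool:
        return self.disabled_until is None or now >= self.disabled_until

    def on_screen_locked(self, now: float) -> bool:
        """Unload keys on lock unless a still-valid disable is in effect."""
        if not self.enabled(now):
            return False
        self.disabled_until = None  # expired disable is cleared on use
        return remove_all_identities(self.sock_path)

    def on_will_sleep(self) -> None:
        """Sleep re-arms key removal, cancelling any temporary disable."""
        self.disabled_until = None


class FakeAgent:
    """Constructed stand-in for ssh-agent: counts keys and honours remove-all."""

    def __init__(self, nkeys: int):
        self.nkeys = nkeys
        self.path = os.path.join(tempfile.mkdtemp(), "agent.sock")
        self.srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.srv.bind(self.path)
        self.srv.listen()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.srv.accept()
            with conn:
                (n,) = struct.unpack(">I", _recv_exact(conn, 4))
                msg = _recv_exact(conn, n)
                if msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:
                    # Only the key count is returned; real agents append key blobs.
                    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", self.nkeys)
                elif msg[0] == SSH_AGENTC_REMOVE_ALL_IDENTITIES:
                    self.nkeys = 0
                    body = bytes([SSH_AGENT_SUCCESS])
                else:
                    body = bytes([SSH_AGENT_FAILURE])
                conn.sendall(struct.pack(">I", len(body)) + body)


if __name__ == "__main__":
    agent = FakeAgent(nkeys=2)
    locker = KeyLocker(agent.path)
    locker.disable_for(60, now=100.0)
    print("lock while disabled removed keys:", locker.on_screen_locked(now=130.0))
    locker.on_will_sleep()
    print("lock after sleep removed keys:", locker.on_screen_locked(now=131.0))
    print("keys left:", count_identities(agent.path))
```

Pointing `KeyLocker` at the path in `SSH_AUTH_SOCK` instead of the fake agent would drop the keys from the real ssh-agent, which is exactly the effect the menubar app triggers on lock.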
You can add

```
AddKeysToAgent yes
```

to your ssh config. If your key isn't loaded when ssh is invoked, ssh will prompt you for your key. (You may also want to specify your key using `IdentityFile /path/to/id`.)
This doesn't work in all cases where you might use ssh, but 99.99% of the time I'm invoking ssh from a terminal and it works very well for me.

supreSSHion is distributed under the MIT free software license, and is freely available for inclusion in other projects.

App icon is Forget by Gregor Cresnar from the Noun Project. It is licensed under Creative Commons CC BY.