Apple - Make my password-protected SSH key expire or timeout after a while

Note: in newer versions of OS X you must disable System Integrity Protection for this answer to work. (Thanks to @Dave Gregory and @Jaap for pointing this out.)

Open /System/Library/LaunchAgents/com.openssh.ssh-agent.plist (in older versions: org.openbsd.ssh-agent.plist) in a text editor. Replace:

<key>ProgramArguments</key>
<array>
    <string>/usr/bin/ssh-agent</string>
    <string>-l</string>
</array>

with:

<key>ProgramArguments</key>
<array>
    <string>/usr/bin/ssh-agent</string>
    <string>-l</string>
    <string>-t</string>
    <string>30m</string>
</array>

This will expire the key after 30 minutes.

Reboot. Wait, reboot?!? This isn't Windows! Yes, reboot.

Well, you can try to decipher the instructions for changing the setting on the fly, but good luck.
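The plist edit described above, done as a shell function over a copy of the file. This is an added example, not code from the answer: it inserts `-t SPEC` after the `-l` argument, replaces an existing `-t` so re-running it does not duplicate the flag, rejects a lifetime that is not in ssh's number-plus-unit form, and prints the result so you can inspect it before writing it back. The sample plist is constructed here to mirror the fragment above; the function name `add_agent_timeout` is an assumption. The answer's note about System Integrity Protection still applies to writing the real file under /System.

```shell
#!/bin/sh
# add_agent_timeout FILE SPEC
# Print FILE with "<string>-t</string><string>SPEC</string>" inserted after
# the <string>-l</string> entry of ProgramArguments. An existing -t and its
# value are dropped first, so the function is safe to run more than once.
add_agent_timeout() {
    file=$1
    spec=$2
    # Only digits and the ssh time units s/m/h/d/w are accepted.
    case "$spec" in
        ''|*[!0-9smhdw]*) echo "bad lifetime: $spec" >&2; return 1 ;;
    esac
    awk -v spec="$spec" '
        # After the -l line, emit -t and the lifetime with the same indent.
        /<string>-l<\/string>/ {
            print
            match($0, /^[ \t]*/)
            indent = substr($0, 1, RLENGTH)
            print indent "<string>-t</string>"
            print indent "<string>" spec "</string>"
            next
        }
        # An existing -t and the value line after it are skipped.
        /<string>-t<\/string>/ { skip = 2 }
        skip > 0 { skip--; next }
        { print }
    ' "$file"
}

# Constructed sample standing in for
# /System/Library/LaunchAgents/com.openssh.ssh-agent.plist.
SAMPLE_PLIST=$(mktemp)
cat >"$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.openssh.ssh-agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/ssh-agent</string>
        <string>-l</string>
    </array>
</dict>
</plist>
EOF

# Usage: review the change as a diff before copying the output over the
# original (which, per the answer above, needs SIP disabled and a reboot).
#   add_agent_timeout "$SAMPLE_PLIST" 30m | diff "$SAMPLE_PLIST" -
```

The function writes to stdout rather than in place so the diff step is never skipped; once the output looks right, redirect it to a temporary file and copy that over the launch agent.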


You need to set the life of the key. It ordinarily defaults to forever.

When you run ssh-add you want to use the -t option. If you want a key life of one hour then it is ssh-add -t 1h. The time formats can be seen in the sshd_config man page, but put simply they are a number followed by s, m, h, d, or w for seconds, minutes, hours, days or weeks.

ssh-add can be put into your .bashrc file and it will just ask you to validate the key once. Even when the key "expires" it isn't removed - it just asks for the passphrase again when an attempt is made to use it.

The other option would be to alter the launch options for ssh-agent which are stored in /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist and add the -t there. (I use LaunchControl for changing these but you can do it by hand if you are careful.)


Rather than tweaking ssh-agent (which now requires silly amounts of hacking), I strongly recommend simply changing the settings on your default (login) keychain. I use the very helpful 'lock on sleep' as well as 'lock after 4 hours' because I don't want prompts unless I'm actually afk.

Open Keychain Access and right-click the login keychain to change settings (screenshot: Keychain Security Settings).

Or if you prefer a commandline:

security set-keychain-settings -lu -t 14400

This will result in at least one extra prompt for unlocking the keychain itself (requiring your login password) as well as the prompt for whichever key you're trying to use... but it beats disabling System Integrity Protection IMO.
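The two answers above use the same idea with two different units: ssh-add -t takes the sshd_config time format ("1h", "30m") directly, while security set-keychain-settings -t wants plain seconds (14400 above). The following is an added example, not from either answer: a POSIX sh function `convtime` that converts the ssh time format to seconds the way sshd_config(5) describes it (groups of number plus unit, a bare trailing number meaning seconds, anything else rejected), and a `keychain_lock_cmd` helper that turns "4h" into the security(1) invocation from the last answer. Both function names are assumptions; the command it prints is the one shown above.

```shell
#!/bin/sh
# convtime SPEC -> seconds on stdout; exit 1 on a malformed spec.
# Grammar per the TIME FORMATS section of sshd_config(5):
#   time := ( number unit )* [ number ]    unit := s | m | h | d | w
# "1h30m" is 5400, "1h30" is 3630 (the bare number is seconds), "h30" is an error.
convtime() {
    rest=$1
    total=0
    case "$rest" in
        ''|*[!0-9smhdw]*) return 1 ;;     # empty, or a character outside the grammar
    esac
    while [ -n "$rest" ]; do
        num=${rest%%[smhdw]*}             # digits before the next unit letter
        case "$num" in
            ''|*[!0-9]*) return 1 ;;      # a unit with no number in front of it
        esac
        rest=${rest#"$num"}
        if [ -z "$rest" ]; then
            mult=1                        # trailing bare number: seconds
        else
            unit=${rest%"${rest#?}"}      # first character of what is left
            rest=${rest#?}
            case "$unit" in
                s) mult=1 ;;
                m) mult=60 ;;
                h) mult=3600 ;;
                d) mult=86400 ;;
                w) mult=604800 ;;
            esac
        fi
        total=$((total + num * mult))
    done
    printf '%s\n' "$total"
}

# keychain_lock_cmd SPEC -> the security(1) command that locks the login
# keychain on sleep (-l) and after SPEC of inactivity (-u -t SECONDS).
keychain_lock_cmd() {
    secs=$(convtime "$1") || { echo "bad lifetime: $1" >&2; return 1; }
    printf 'security set-keychain-settings -lu -t %s\n' "$secs"
}

# Usage: print the command for a 4 hour timeout; pipe it to sh on macOS
# to apply it, or pass the same spec straight to "ssh-add -t 4h".
#   sh keychain-timeout.sh 4h
if [ $# -gt 0 ]; then
    keychain_lock_cmd "$1"
fi
```

Keeping the lifetime in one string and converting it only for the keychain command means the agent and keychain timeouts cannot silently drift apart when you change one of them.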