by LaGrange 5231 days ago
I mostly agree, with one exception: "SSH keys and agent configuration are automatically picked up, so access to remotes over SSH ‘just works’"

Um, no. If there's one thing that's more private than my address book, it's my ssh keys. The fact that they aren't available to your application by default is a feature. If you need a key, ask me for it. If I want to give you the access, I'll do that.


Under OS X, the Mac Keychain framework hooks into ssh-agent, so you don't have to retype your private key passphrase over and over, just once per session.

There are other tools that do similar in other OSes, for example the "keychain" script in Debian. This isn't something weird IMO.

That would actually be (GUI, it doesn't work like this actually, I think, but what I want would look the same) ideal: you don't get my ssh key. You get an ssh session arranged for by the keychain. Too bad it's probably too much work for something not enough people use (and those who use it are generally security-conscious enough to avoid malware on their own).
If you call `ssh` on the command line it will use Keychain to unlock your private SSH key.

That part is done. The application shouldn't be asking for SSH keys, it is completed already. Just use `ssh` as you would before.

And if you type 'ssh-add' you'll only have to enter your passphrase once. I think this all got sorted out beginning with Leopard; before that, it may not have worked as expected (compared to other *NIX environments).
ssh-agent has shipped from the very beginning (that's part of the ssh distribution). The only thing that was different was that it wasn't bridged to the system keychain until recently. Or more accurately, the system keychain now runs its own version of ssh-agent automatically.
Yeah, I just checked up on the man page, and the agent actually works the way I'd want it to. So it's just a question if a sandboxed app has access to the agent.
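As an added example, not from this thread: a small Python client that speaks the ssh-agent protocol over the SSH_AUTH_SOCK socket and lists the loaded identities, which makes the point above concrete: an app (sandboxed or not) that can reach the agent gets public key blobs and a place to ask for signatures, never the private key file, and an app whose sandbox does not pass the socket through gets nothing. It assumes a standard ssh-agent on SSH_AUTH_SOCK and embeds a constructed sample answer so the parser runs without a live agent.

```python
import os
import socket
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def ssh_string(b):
    """Encode bytes as a uint32-length-prefixed SSH string."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    """Decode one SSH string at offset; return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities_answer(msg):
    """Turn an SSH_AGENT_IDENTITIES_ANSWER payload into (key_type, comment) pairs.
    It carries only public key blobs and comments; private keys never leave the agent."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, ids = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        key_type, _ = read_string(blob, 0)  # first field of a public key blob is its type name
        ids.append((key_type.decode(), comment.decode(errors="replace")))
    return ids

def list_agent_identities(sock_path=None):
    """Query the live agent over SSH_AUTH_SOCK. Returns None when no agent socket is
    reachable, which is what a sandboxed app sees if the socket is not passed through."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        return None
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))  # length-framed request
        (n,) = struct.unpack(">I", s.recv(4, socket.MSG_WAITALL))
        body = s.recv(n, socket.MSG_WAITALL)
    return parse_identities_answer(body)

# Constructed sample answer (not a capture): one ed25519 identity with comment "laptop".
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(b"\x00" * 32))
                 + ssh_string(b"laptop"))
```

Running `list_agent_identities()` in a shell with an agent gives the same list as `ssh-add -l`; running it where SSH_AUTH_SOCK is absent returns None, which is the "does the sandboxed app have access to the agent" question in code.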