
creative ssh-agent uses

It all started when I wanted to use an encrypted filesystem for my personal
backups: I have a script that I run after I log in to the backup server, it
asks me the passphrase for the encrypted storage, mounts it, and begins the
rsync-over-ssh backup script which connects back to my workstation, all
thanks to ssh-agent.

I'd like to skip the "enter the crypto password" bit. Can it not be done
with ssh-agent too? Cryptsetup can read the key from stdin, so all that's left
is to provide something that identifies me as the owner of the forwarded
ssh-agent and the backup session.

According to what I have read so far, authentication works by sending some
random challenge to ssh-agent via the SSH_AUTH_SOCK socket, reading the
response and applying the public key to it to verify it. Unfortunately, all
this is done internally by sshd (if I'm not mistaken), with no way to
control or see the challenge or the response.

What I'm thinking is to provide a static string as a challenge and use the
response as the cryptodevice password, but I can't find a program that
allows me to manipulate the socket this way. This mechanism might also be
used for other purposes, stacking public key authentication in a "normal"
password-based login.

I guess I am either missing an obvious security flaw to this, or it's
unnecessarily complicated, because it seems there's no way to do this via
standard programs. Of course, I might have just missed it ;-) Please help me
shed some light on this.

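The challenge/response exchange the poster describes can in fact be driven by any program, because ssh-agent speaks a small, documented wire protocol over the SSH_AUTH_SOCK Unix socket (the format OpenSSH implements, written up in the IETF draft draft-miller-ssh-agent). The example below is added here and is not part of the original post or of OpenSSH; it lists the keys the agent holds, asks it to sign a fixed challenge string (a constructed value), and hashes the signature to obtain a passphrase that could be piped into cryptsetup. Two caveats matter for this use. First, only RSA (PKCS#1 v1.5) and Ed25519 signatures are deterministic; ECDSA keys include a random nonce, so their signature over the same challenge differs every time and cannot serve as a repeatable secret, which is why the code filters key types. Second, the derived passphrase is exactly as protected as the agent socket itself: anyone able to reach the forwarded socket on the backup host can request the same signature, so loading the key with `ssh-add -c` (confirm each signing request) or restricting forwarding to that one host is the sensible mitigation. Function names and the challenge string are the example's own choices.

```python
"""Speak the ssh-agent wire protocol directly over SSH_AUTH_SOCK.

Added example, not code from the original post or from OpenSSH. Message
numbers and the framing follow draft-miller-ssh-agent; everything else
(function names, the challenge string) is this example's own choice.
"""
import hashlib
import os
import socket
import struct

# Agent protocol message numbers.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

# Key types whose signatures are deterministic. ECDSA (ecdsa-sha2-*) uses a
# per-signature random nonce, so the same challenge yields a different
# signature every time and cannot be turned into a repeatable passphrase.
DETERMINISTIC_KEY_TYPES = {b"ssh-ed25519", b"ssh-rsa"}


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset `off`; return (bytes, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string in agent message")
    return buf[off:off + n], off + n


def frame(payload: bytes) -> bytes:
    """Prefix a message payload with the outer length the agent expects."""
    return struct.pack(">I", len(payload)) + payload


def build_sign_request(key_blob: bytes, challenge: bytes, flags: int = 0) -> bytes:
    """SSH_AGENTC_SIGN_REQUEST: which key, what to sign, and signature flags."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(challenge) + struct.pack(">I", flags))
    return frame(body)


def parse_identities(payload: bytes):
    """Decode SSH_AGENT_IDENTITIES_ANSWER into a list of (key_blob, comment)."""
    if payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected reply type %d" % payload[0])
    (count,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(payload, off)
        comment, off = read_string(payload, off)
        keys.append((blob, comment))
    return keys


def key_type(key_blob: bytes) -> bytes:
    """The first string inside a public-key blob names its algorithm."""
    return read_string(key_blob, 0)[0]


def parse_sign_response(payload: bytes):
    """Decode SSH_AGENT_SIGN_RESPONSE into (algorithm_name, raw_signature)."""
    if payload[0] == SSH_AGENT_FAILURE:
        raise RuntimeError("agent refused to sign (no such key, or user declined)")
    if payload[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("unexpected reply type %d" % payload[0])
    sig_blob, _ = read_string(payload, 1)
    algo, off = read_string(sig_blob, 0)
    raw_sig, _ = read_string(sig_blob, off)
    return algo, raw_sig


def derive_passphrase(raw_sig: bytes) -> str:
    """Hash the signature rather than using it raw, so the passphrase has a
    fixed length and reveals nothing about the signature if it leaks."""
    return hashlib.sha256(raw_sig).hexdigest()


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf


def agent_call(sock, request: bytes) -> bytes:
    """Send one framed request and return the reply payload (without frame)."""
    sock.sendall(request)
    (length,) = struct.unpack(">I", _recv_exact(sock, 4))
    return _recv_exact(sock, length)


def main():
    challenge = b"backup-volume-passphrase-v1"  # constructed static challenge
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(os.environ["SSH_AUTH_SOCK"])
        reply = agent_call(sock, frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        usable = [(b, c) for b, c in parse_identities(reply)
                  if key_type(b) in DETERMINISTIC_KEY_TYPES]
        if not usable:
            raise SystemExit("no RSA or Ed25519 key loaded in the agent")
        blob, comment = usable[0]
        algo, raw_sig = parse_sign_response(
            agent_call(sock, build_sign_request(blob, challenge)))
        # Print to stdout so the result can be piped into `cryptsetup ... -`.
        print(derive_passphrase(raw_sig))


if __name__ == "__main__":
    main()
```

Run with an agent available (`ssh-add -l` shows a key) and pipe the single printed line into cryptsetup's stdin; the protocol encoders and decoders are kept as separate functions so they can be exercised without a live agent.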