
Re: creative ssh-agent uses



Dear Ratiu,

I am not sure I understand your situation, but maybe this can help?

When creating an ssh-key using ssh-keygen, it prompts you for a
passphrase.  It isn't so obvious, but you can simply hit return at that
point to have "no passphrase".  This means that the resulting key
is unencrypted on your hard drive, so you have to rely
on unix (chmod) permissions to protect it from being
copied by unauthorized people.  As long as you just press enter when
asked for a passphrase from ssh-keygen, this will ensure that using
that key with ssh-agent and ssh-add will not prompt you for
a passphrase.  This is one way to use ssh-agent with a script
noninteractively.  Just eval `ssh-agent`, ssh-add the unencrypted key,
then do the ssh commands all without a passphrase prompt.

I hope this information is useful to you.  Best regards,

Rudi
--
Give AI a try with Data Compression using http://complearn.org/ today!
Ratiu Petru wrote:
> On Thu, 07 Dec 2006, Stefan Denker wrote:
>
> > On Mon, Dec 04, 2006 at 09:25:38PM +0200, Ratiu Petru wrote:
> > > What I'm thinking is to provide a static string as a challenge and use the
> > > response as the cryptodevice password, but I can't find a program that
> > > allows me to manipulate the socket this way. This mechanism might also be
> > > used for other purposes, stacking public key authentication in a "normal"
> > > password-based login.
> >
> > I do not think this is a good idea. If the challenge is static, the
> > response will be, too. Then you might be vulnerable to replay attacks.
> >
> I perfectly understand. However, I _need_ a static password for cryptsetup,
> I just wanted to make it somehow dependent on the agent to skip prompting
> for it in the backup script. I am aware of the fact that someone who knows
> the password can mount the cryptsetup directly, I can't improve that.
>
> I found somewhere a script that was supposed to use ssh-agent like I wanted
> to (encrypt stuff through it), but all it did was to crash my agent :)
>
> The gpg-agent is a nice idea too, but we already have an existing ssh
> infrastructure and not all guys involved have gpg keys, so I'm trying to
> avoid that if possible.

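The noninteractive flow Rudi describes (start an agent, add a passphrase-less key, run commands unprompted), as an added example that is not part of the original post. The key path, the permission check and the self-terminating agent are this example's own additions; the point is that a key with no passphrase is protected only by its file mode, so the script refuses to load one that other users could read.

```shell
#!/bin/sh
# Added example (not from the list post): unattended ssh-agent use with a
# passphrase-less key. All paths below are constructed for the demo.
set -eu

# A key with no passphrase is only as safe as its file mode. Succeed only
# when the private key is readable by its owner alone (mode 0600 or 0400).
key_mode_is_private() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune \( -perm 600 -o -perm 400 \) -print)" ]
}

# Start a throwaway agent for this script only and make sure it dies with
# us, so an unattended backup never leaves a loaded key in a live socket.
start_private_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT INT TERM
}

demo() {
    workdir=$(mktemp -d)
    key="$workdir/backup_key"
    # -N "" is the scripted equivalent of pressing return at the
    # passphrase prompt: the key lands unencrypted on disk.
    ssh-keygen -q -t ed25519 -N "" -f "$key" -C "backup (constructed example)"
    key_mode_is_private "$key" || {
        echo "refusing: $key is readable by other users" >&2
        return 1
    }
    start_private_agent
    ssh-add "$key"     # no prompt: the key has no passphrase
    ssh-add -l         # any ssh/scp/rsync command would now run unprompted
    rm -rf "$workdir"  # the agent keeps the key in memory until it exits
}

# Run the demo only where OpenSSH is installed.
command -v ssh-agent >/dev/null 2>&1 && demo
```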