[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: creative ssh-agent uses

Dear Ratiu,

I am not sure I understand your situation, but maybe this can help?

When creating an ssh-key using ssh-keygen, it prompts you for a
passphrase.  It isn't so obvious, but you can simply hit return at that
point to have "no passphrase".  This means that the resulting key
is unencrypted on your hard drive, so you have to rely
on unix (chmod) permissions to protect it from being
copied by unauthorized people.  As long as you just press enter when
asked for a passphrase from ssh-keygen, this will ensure that using
that key with ssh-agent and ssh-add will not prompt you for
a passphrase.  This is one way to use ssh-agent with a script
noninteractively.  Just eval `ssh-agent`, ssh-add the unencrypted key,
then do the ssh commands all without a passphrase prompt.

I hope this information is useful to you.  Best regards,

Give AI a try with Data Compression using http://complearn.org/ today!
Ratiu Petru wrote:
> On Thu, 07 Dec 2006, Stefan Denker wrote:
> > On Mon, Dec 04, 2006 at 09:25:38PM +0200, Ratiu Petru wrote:
> > > What I'm thinking is to provide a static string as a challenge and use the
> > > response as the cryptodevice password, but I can't find a program that
> > > allows me to manipulate the socket this way. This mechanism might also be
> > > used for other purposes, stacking public key authentication in a "normal"
> > > password-based login.
> >
> > I do not think this is a good idea. If the challenge is static, the
> > response will be, too. Then you might be vulnerable to replay-Attacks.
> >
> I perfectly understand. However, I _need_ a static password for cryptsetup,
> i just wanted to make it somehow dependent of the agent to skip prompting
> for it in the backup script. I am aware of the fact that someone who knows
> the password can mount the cryptsetup directly, I can't improve that.
> I found somewhere a script that was supposed to use ssh-agent like I wanted
> to (encrypt stuff through it), but all it did was to crash my agent :)
> The gpg-agent is a nice idea too, but we already have an existing ssh
> infrastructure and not all guys involved have gpg keys, so I'm trying to
> avoid that if possible.
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: