
Re: rsync w/ssh



On Thu, Nov 16, 2000 at 07:08:12PM -0800, kmself@ix.netcom.com wrote:
> on Thu, Nov 16, 2000 at 11:21:47AM -0700, Gary Hennigan (glhenni@sandia.gov) wrote:
> > "Gary Hennigan" <glhenni@sandia.gov> writes:
> > 
> > Forgot 4) Run ssh-add at the beginning of your login session.
> 
> Ok, can someone wap me with a cluestick here?  What's ssh-add do?  I
> took a quick look at the manpage, but it's not immediately evident.  Is
> it in any way analogous to, say, 'sudo -v', which will enable (or
> update) the sudo timestamp to allow passwordless access to privileged
> commands?

not really.  ssh-add works in conjunction with ssh-agent; basically
what you do is this:

run ssh-agent bash, which creates a unix domain socket at
/tmp/ssh-garbage/agent.PID and puts this path into the SSH_AUTH_SOCK
environment variable of the shell it runs.

ssh-add reads an ssh private key and asks you for the passphrase; when
you give the passphrase it stores a decrypted copy of the key in
ssh-agent's memory and it's then available via the socket in /tmp (it
might be the passphrase rather than the key, I'm not sure)

when you run ssh it notices the SSH_AUTH_SOCK variable and reads the
key from the socket and asks the server if the key can be used for
authentication (by sending the comment string).  if so, the server
encrypts a random token with the public key found in the remote
authorized_keys file and sends it; the local ssh uses the key read
from the socket to decrypt and send the token back, so the server knows
you must have the secret half of the public key.  (regular RSA
auth)

for scripts you can do one of two things:

run ssh -i /where/ever/.ssh/identity hostname with a passwordless
keyfile or create a shell script like so:

#! /usr/bin/ssh-agent /bin/sh

ssh-add /where/ever/.ssh/identity < /dev/null > /dev/null 2>&1

however you still need a passwordless key, since ssh-add needs to ask
for the passphrase if one is required.  the ssh-agent shell script trick
is useful for things like dump, which runs ssh in its own way that you
cannot control (you can't add the -i switch)

ssh-agent is mostly useful for replicating the old rsh .rhosts
passwordless access to various hosts, only doing it much more
securely.  you run ssh-agent, add your key[s] and never have to enter
passwords or passphrases again until you end the session.  scp is
unusable without ssh-agent IMO.

debian's Xsession runs ssh-agent automatically, so all you need to do
to enable it is add:

export SSH_ASKPASS=/usr/bin/ssh-askpass
[ -n "$SSH_AUTH_SOCK" ] && chmod 600 "$SSH_AUTH_SOCK"
sleep 4 && /usr/bin/ssh-add ~/.ssh/identity &

to your ~/.xsession.  this puts up a graphical password dialog to ask
for the passphrase.

the chmod hack I also put in my .bashrc, since ssh-agent creates the
socket with permissions masked against your umask, which can leave it
world readable; it only makes sure to create the directory mode 700.
I think both files should be protected.  relying on `gate' directories
is not safe IMO.

note that ssh-agent does give root a very easy way to gain access to
your ssh keys, so don't use it unless you totally trust root (though
root can do other things to get your key, such as trojaning ssh).  with
ssh-agent all root needs to do is:

# SSH_AUTH_SOCK=/tmp/ssh-random/agent.pid ssh hostname

where ssh-random is the ssh-agent directory you own.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
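The socket-permission point in the post above (ssh-agent only guarantees the directory is mode 700; the socket itself inherits your umask) is easy to check from a login script. The following is an added example, not code from the post or from OpenSSH: it wraps the `chmod 600 "$SSH_AUTH_SOCK"` one-liner in a function that reports what it found, and adds a helper that reports the mode of the enclosing agent directory. It assumes GNU coreutils `stat -c` (Linux); on BSD-derived systems the `stat` flags differ.

```shell
#!/bin/sh
# Added example (not from the original post).  Tighten the ssh-agent
# socket to mode 600 and confirm the result.  Assumes GNU `stat -c`.

# harden_agent_socket PATH
# Returns 0 if PATH exists and is mode 600 after the call, 1 otherwise.
harden_agent_socket() {
    sock="$1"
    if [ -z "$sock" ] || [ ! -e "$sock" ]; then
        echo "no agent socket at '$sock'" >&2
        return 1
    fi
    before=$(stat -c '%a' "$sock")
    if [ "$before" != "600" ]; then
        # This is the umask leak the post describes: a loose mode here
        # exposes the socket to other local users.
        echo "tightening $sock from mode $before to 600" >&2
        chmod 600 "$sock"
    fi
    after=$(stat -c '%a' "$sock")
    [ "$after" = "600" ]
}

# agent_dir_mode PATH
# Prints the octal mode of the directory containing the socket; the post
# says ssh-agent creates it 700, so anything looser deserves a look.
agent_dir_mode() {
    stat -c '%a' "$(dirname "$1")"
}

# Typical use from ~/.bashrc or ~/.xsession, where SSH_AUTH_SOCK is set
# by the ssh-agent that started the session.
if [ -n "$SSH_AUTH_SOCK" ]; then
    harden_agent_socket "$SSH_AUTH_SOCK"
    echo "agent directory mode: $(agent_dir_mode "$SSH_AUTH_SOCK")" >&2
fi
```

Because the function returns non-zero when the socket is missing, it can sit in a login script behind `&&` without aborting the session when no agent is running.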
