OpenSSH

Re: ssh-decrypt

To: Pawel Krupinski <pak76_ml@yahoo.co.uk>
Subject: Re: ssh-decrypt
From: Jason <openssh@lakedaemon.net>
Date: Thu, 16 Nov 2006 10:10:50 -0500
Cc: openssh-unix-dev@mindrot.org
In-reply-to: <20061116123309.49448.qmail@web23005.mail.ird.yahoo.com>
List-archive: <http://lists.mindrot.org/pipermail/openssh-unix-dev>
List-help: <mailto:openssh-unix-dev-request@mindrot.org?subject=help>
List-id: Development of portable OpenSSH <openssh-unix-dev.mindrot.org>
List-post: <mailto:openssh-unix-dev@mindrot.org>
List-subscribe: <http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev>, <mailto:openssh-unix-dev-request@mindrot.org?subject=subscribe>
List-unsubscribe: <http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev>, <mailto:openssh-unix-dev-request@mindrot.org?subject=unsubscribe>
References: <20061116123309.49448.qmail@web23005.mail.ird.yahoo.com>
Reply-to: openssh@lakedaemon.net
Sender: openssh-unix-dev-bounces+openssh-unix-dev-list1=securepoint.com@mindrot.org
User-agent: Thunderbird 1.5.0.8 (X11/20061109)
Pawel Krupinski wrote:
[snip]
> I'm using ssh agent currently just to manage my keys
> and practically they are used only to provide me with
> SSO to other ssh based systems. Why not use these keys
> (or a separate ssh key pair) to protect passwords to
> things such as database? 

TrueCrypt/dmcrypt volumes?

> To put it simply, the way I see it is as follows. Your
> passwords (apart from your main ssh password) will be
> stored encrypted using your ssh public key. After
> logon, ssh-agent will be started and relevant key(s)
> added. When a script will require access to a
> password, it will:
> 1. Retrieve the data from somewhere (outside the
> scope);
> 2. Decrypt using the ssh utility (ssh-decrypt(?)) -
> using ssh-agent or a file.
> 3. Provide credentials back to script. Or will create
> the established connection to the database. Or
> …(anyway, I think it is outside the scope ;-)).
>  
> The bit that cannot be done currently is number 2 -
> OpenSSH doesn't provide ssh-decrypt functionality, but
> it is relatively easy to change it - I've played with
> OpenSSH 4.4/4.4p1 and it took me one evening (sorry -
> it was my first approach to OpenSSH as a developer
> ;-)) and 50 lines of code to implement it (based on
> the ssh-add tool using ssh-agent for decryption). In
> my solution, ssh-decrypt tool sends encrypted secret
> to the ssh-agent, which decrypts it (without sending
> any keys to the ssh-decrypt tool) and sends back just
> an error information or the plaintext password. 
[snip]

> If it is something of interest for you, I can do all
> the development and provide you with all the code.

Could you please email me the diff?

thx,

Jason.
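The exchange Pawel describes in step 2 (client sends the ciphertext to the agent, the agent decrypts with a key it never hands out, and returns only plaintext or an error), as an added example. This is not OpenSSH code and not Pawel's patch: the message framing and the message numbers 5, 6, 27 and 28 follow the ssh-agent protocol draft (draft-miller-ssh-agent), whose extension mechanism did not exist in 2006; the extension name `decrypt@example.com`, the in-process agent object standing in for the Unix socket, and the unpadded RSA on a fixed Mersenne-prime modulus are assumptions for illustration only.

```python
"""Mock ssh-agent 'decrypt' extension (added example; not OpenSSH or Pawel's code).
Framing and message numbers 5/6/27/28 follow the ssh-agent protocol draft; the
extension name and the padding-free, demo-sized RSA are illustration only."""
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_EXTENSION = 27            # client -> agent: extension request
SSH_AGENT_EXTENSION_FAILURE = 28     # agent -> client: extension ran but failed
DECRYPT_EXT = b"decrypt@example.com"  # hypothetical extension name (assumption)

# ssh wire encoding: 'string' = uint32 length + bytes; 'mpint' = signed big-endian
def put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def get_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def put_mpint(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return put_string(b"\x00" + b if b and b[0] & 0x80 else b)

def frame(msg_type: int, payload: bytes = b"") -> bytes:
    body = bytes([msg_type]) + payload        # uint32 length, byte type, payload
    return struct.pack(">I", len(body)) + body

def unframe(data: bytes):
    (n,) = struct.unpack_from(">I", data, 0)
    return data[4], data[5:4 + n]

# Demo key: two Mersenne primes, so no primality test is needed. Trivially
# factorable and unpadded; real keys come from ssh-keygen and need OAEP.
def demo_rsa():
    p, q, e = (1 << 127) - 1, (1 << 107) - 1, 65537
    phi = (p - 1) * (q - 1)
    return p * q, e, pow(e, -1, phi)        # (n, e, d)

def pub_blob(n: int, e: int) -> bytes:
    """Public key in ssh-rsa blob layout: string 'ssh-rsa', mpint e, mpint n."""
    return put_string(b"ssh-rsa") + put_mpint(e) + put_mpint(n)

def encrypt_for(n: int, e: int, secret: bytes) -> bytes:
    """Storing a secret needs only the public half (step 1 of the design)."""
    m = int.from_bytes(secret, "big")
    if m >= n:
        raise ValueError("secret too long for this key")
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

class Agent:
    """Holds private exponents; replies with plaintext or a failure code, never a key."""
    def __init__(self):
        self._keys = {}   # public blob -> (n, d)

    def add_key(self, n: int, e: int, d: int) -> None:
        self._keys[pub_blob(n, e)] = (n, d)

    def handle(self, request: bytes) -> bytes:
        mtype, payload = unframe(request)
        if mtype != SSH_AGENTC_EXTENSION:
            return frame(SSH_AGENT_FAILURE)
        ext, off = get_string(payload, 0)
        if ext != DECRYPT_EXT:
            return frame(SSH_AGENT_FAILURE)            # unsupported extension
        blob, off = get_string(payload, off)
        ct, _ = get_string(payload, off)
        if blob not in self._keys:
            return frame(SSH_AGENT_EXTENSION_FAILURE)  # that key is not loaded
        n, d = self._keys[blob]
        m = pow(int.from_bytes(ct, "big"), d, n)
        return frame(SSH_AGENT_SUCCESS,
                     put_string(m.to_bytes((m.bit_length() + 7) // 8, "big")))

def ssh_decrypt(agent: Agent, blob: bytes, ciphertext: bytes):
    """The 'ssh-decrypt' client side (step 2): ciphertext in, plaintext or None out."""
    req = frame(SSH_AGENTC_EXTENSION,
                put_string(DECRYPT_EXT) + put_string(blob) + put_string(ciphertext))
    mtype, payload = unframe(agent.handle(req))
    return get_string(payload, 0)[0] if mtype == SSH_AGENT_SUCCESS else None

def demo():
    """Constructed scenario: one key loaded, one stored secret, one unknown key."""
    n, e, d = demo_rsa()
    agent = Agent()
    agent.add_key(n, e, d)
    stored = encrypt_for(n, e, b"db-password-hunter2")  # what the script keeps on disk
    found = ssh_decrypt(agent, pub_blob(n, e), stored)
    unknown = ssh_decrypt(agent, pub_blob(n + 2, e), stored)
    return found, unknown
```

One caveat worth keeping in mind with this design: a signing request only ever returns a signature, but a decrypt request returns the secret itself, so anything that can reach the agent socket (including a remote host you have forwarded the agent to) can recover every password encrypted to that key. Loading the key with `ssh-add -c` so each use is confirmed, and never forwarding the agent to hosts you do not trust, are the obvious mitigations.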
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
