OpenSSH

Re: ssh-decrypt

To: openssh@lakedaemon.net
Subject: Re: ssh-decrypt
From: Pawel Krupinski <pak76_ml@yahoo.co.uk>
Date: Wed, 22 Nov 2006 11:17:47 +0000 (GMT)
Cc: openssh-unix-dev@mindrot.org
In-reply-to: <455C7F7A.9080908@lakedaemon.net>
List-archive: <http://lists.mindrot.org/pipermail/openssh-unix-dev>
List-id: Development of portable OpenSSH <openssh-unix-dev.mindrot.org>
Hi,

Not sure if you had time to go through the code. The changes I made to OpenSSH are rather limited - OpenSSH is written in such a way that I didn't have to change the communication channel between applications and ssh-agent. Implementing ssh-decrypt was as easy as establishing a new message, searching the keys and decrypting using the private key.

As I said it was just a very quick PoC, but if it is of interest to OpenSSH, I can develop it correctly over the next few days and have it up and ready on Monday.

One question regarding the interface. As ssh-agent can have multiple keys, what would be the best way to determine which one to use? Sending the public part? Currently I'm trying out all keys and it is not the best possible option...

Thanks,
pak76

--- Jason <openssh@lakedaemon.net> wrote:

> Pawel Krupinski wrote:
> [snip]
> > I'm using ssh agent currently just to manage my keys and practically they are used only to provide me with SSO to other ssh based systems. Why not use these keys (or a separate ssh key pair) to protect passwords to things such as database?
>
> TrueCrypt/dmcrypt volumes?
>
> > To put it simply, the way I see it is as follows. Your passwords (apart from your main ssh password) will be stored encrypted using your ssh public key. After logon, ssh-agent will be started and relevant key(s) added. When a script requires access to a password, it will:
> > 1. Retrieve the data from somewhere (outside the scope);
> > 2. Decrypt using the ssh utility (ssh-decrypt(?)) - using ssh-agent or a file.
> > 3. Provide credentials back to script. Or will create the established connection to the database. Or ?(anyway, I think it is outside the scope ;-)).
> >
> > The bit that cannot be done currently is number 2 - OpenSSH doesn't provide ssh-decrypt functionality, but it is relatively easy to change it - I've played with OpenSSH 4.4/4.4p1 and it took me one evening (sorry - it was my first approach to OpenSSH as a developer ;-)) and 50 lines of code to implement it (based on the ssh-add tool using ssh-agent for decryption). In my solution, the ssh-decrypt tool sends the encrypted secret to the ssh-agent, which decrypts it (without sending any keys to the ssh-decrypt tool) and sends back just error information or the plaintext password.
> [snip]
>
> > If it is something of interest for you, I can do all the development and provide you with all the code.
>
> Could you please email me the diff?
>
> thx,
>
> Jason.
>

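The agent-side exchange Pawel describes (ssh-decrypt hands the agent a ciphertext; the agent decrypts with a private key it never exports and returns either the plaintext or an error), written as an added Go example that is not code from this thread or from OpenSSH. It assumes one answer to the key-selection question raised above: the request carries a SHA-256 fingerprint of the public key so the agent looks the key up instead of trying every one; it uses RSA-OAEP from Go's standard library rather than OpenSSH's agent wire format, and the names Agent, DecryptRequest, Seal and NewAgent are invented for the example.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Agent models ssh-agent: private keys stay inside; it only answers decrypt requests.
type Agent struct{ keys map[[32]byte]*rsa.PrivateKey }

type DecryptRequest struct {
	Fingerprint [32]byte // SHA-256 of the DER public key (assumed selection scheme)
	Ciphertext  []byte
}

func Fingerprint(pub *rsa.PublicKey) [32]byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an RSA key
	return sha256.Sum256(der)
}

func NewAgent(keys ...*rsa.PrivateKey) *Agent {
	a := &Agent{keys: map[[32]byte]*rsa.PrivateKey{}}
	for _, k := range keys {
		a.keys[Fingerprint(&k.PublicKey)] = k
	}
	return a
}

// Seal is the client side: encrypt a secret to one public key (RSA-OAEP here)
func Seal(pub *rsa.PublicKey, secret []byte) (DecryptRequest, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	return DecryptRequest{Fingerprint: Fingerprint(pub), Ciphertext: ct}, err
}

// Decrypt replies with the plaintext or an error (unknown key, bad ciphertext).
func (a *Agent) Decrypt(req DecryptRequest) ([]byte, error) {
	k, ok := a.keys[req.Fingerprint]
	if !ok {
		return nil, fmt.Errorf("agent: no key matches fingerprint")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k, req.Ciphertext, nil)
}

func main() {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	req, _ := Seal(&k.PublicKey, []byte("db-password")) // constructed sample secret
	pt, err := NewAgent(k).Decrypt(req)
	fmt.Printf("%s %v\n", pt, err)
}
```

The plaintext is the only thing that crosses back to the caller, so a script that obtains it should zero the buffer once the credential has been used.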