RE: Controlling ssh from an external program
From: Frank Hamersley (terabite_at_bigpond.com)
Date: 10/24/04
- Previous message: Covington, Jimmy D. (NGIT): "SSH and mounted home directories"
- In reply to: Patrice.Gonthier_at_alcatel.fr: "Re: Controlling ssh from an external program"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <secureshell@securityfocus.com> Date: Sun, 24 Oct 2004 22:00:30 +1000
Patrice,
I have just been working on solving this "problem" myself, and it seems from
all the literature that I have read that the ssh community has been quite
adamant that a passphrase must be entered on demand by a real user (even if
ssh-agent/ssh-add is used).
The argument put forward is that if the system were to be compromised then the
passphrase could be discovered and the private key would fall into dangerous
hands. Of course this is true, but if and only if you have committed the
password to a file in the first place. Sure, the temptation will be there,
but the sysadmin will only have themselves to blame should the system become
hacked. Any seriously secure sysadmin just won't do it IMO!
BTW, on a machine that is owned, just what difference is there between (1) a
clear private key (no passphrase) and (2) a passphrase protected key where
the phrase is also discoverable in a secondary file? In fact the second
arrangement is slightly more secure given the hacker has to perform one more
step to finally own the key.
Furthermore, if the hacker had managed to own only a user account (other than
root) and the ssh-agent was always invoked by (and only by) a root process
(say using rc.d and su) that supplied the passphrase as per my example code
below, then this would mean I could secure the passphrase from the users
themselves (by giving access to the passkey_file only to root):
su -c '/usr/local/sbin/addkey.sh private_key_file' some_user
and /usr/local/sbin/addkey.sh looks like...
#!/bin/sh
# addkey.sh: load the private key named in $1 into the running ssh-agent,
# reading the passphrase from passkey_file (readable by root only).
# SSH_AUTH_SOCK from the agent must already be in the environment.
# NB: ssh-add reads the passphrase from stdin only when it has no tty (as
# under rc.d); from an interactive shell it will prompt on the terminal.
ssh-add "$1" <<SSPP
`cat passkey_file`
SSPP
#EOF
NB the SSH environment strings need to be included in this mixture!
At the end of the day if the system has a root kit installed even this will
be compromised, but as I said before if that is a concern, just use manual
input passphrases and prohibit file based passphrases.
Maybe the key generator can choose the allowable ssh-add behaviour when
generating the key. That way ssh-add can refuse to process keys from non
user input methods if the key demands manual input. My first thought would
be to use a special character in the passphrase itself as the signal eg. a
"!" character as the final character could signify accept from a file. This
character would also be a part of the encryption so just adding the
character to a manual input passphrase wouldn't convince ssh-add anyway as
the key wouldn't decrypt.
Maybe one day I will get time to hack out the changes myself, but for the
moment I am forced to use an unprotected private key for some batch rsync
transfers and have used the command="" key prefix to ensure the only
accepted command is rsync!
Any comments?
Cheers, Frank.
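A worked example of the command="" restriction Frank mentions for his batch rsync key, added here and not part of his message: a forced-command wrapper that lets the unprotected key run rsync in server mode only, and only under one directory tree, together with the authorized_keys options that should accompany it. The wrapper path /usr/local/sbin/rsync-only.sh and the /srv/backup tree are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not Frank's code): forced-command wrapper for a batch rsync key.
# Install it at /usr/local/sbin/rsync-only.sh (assumed path) and point the key's
# command="" option at it; sshd then runs this instead of whatever the client
# asked for, with the client's request in SSH_ORIGINAL_COMMAND.
# ALLOWED_ROOT (assumed /srv/backup) is the only tree the key may sync.

ALLOWED_ROOT="${ALLOWED_ROOT:-/srv/backup}"

# Prefix for the key line in ~/.ssh/authorized_keys. Besides forcing the
# command, turn off everything else the key could be used for.
authorized_keys_prefix() {
    printf '%s' 'command="/usr/local/sbin/rsync-only.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'
}

# check_rsync_command CMD: returns 0 if CMD is an rsync server-mode invocation
# confined to ALLOWED_ROOT, 1 otherwise. rsync clients always send
# "rsync --server ..." with the remote path as the last argument.
check_rsync_command() {
    cmd=$1
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # Shell metacharacters, options that run other programs, and parent-dir
    # escapes are all rejected outright.
    case "$cmd" in
        *[';&|$()<>`']*) return 1 ;;
        *' -e '*|*' --rsh'*|*' --rsync-path'*|*' --remove-source-files'*) return 1 ;;
        *'../'*|*'/..'*) return 1 ;;
    esac
    path=${cmd##* }
    case "$path" in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# When sshd runs this as the forced command, enforce the check and hand over
# to rsync. Word splitting means paths containing spaces are not supported.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-only.sh: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Prepend the output of authorized_keys_prefix (plus a space) to the public key line in the batch user's authorized_keys; a client that tries anything other than rsync against /srv/backup gets "rejected" on stderr and exit status 1. The rsync distribution ships rrsync in its support directory, which does the same job more thoroughly (per-option allow lists, read-only mode), so prefer it where it is available.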
-----Original Message-----
From: Patrice.Gonthier@alcatel.fr [mailto:Patrice.Gonthier@alcatel.fr]
Sent: Friday, 22 October 2004 6:49 PM
To: Jerry
Cc: jander@hundredacrewood.org; secureshell@securityfocus.com
Subject: Re: Controlling ssh from an external program
Hello Jerry,
I have almost the same problem.
I need to launch an SSH agent and ssh-add, and I would like to give the
passphrase as input (without human interaction) to ssh-add.
Do you think NetSSH can help me with this?
PS: Unfortunately, for this I am running on Windows.
Thank you for your help
Patrice
Jerry <juanino@yahoo.com> on 21/10/2004 22:10:35
To: jander@hundredacrewood.org, secureshell@securityfocus.com
cc:
Subject: Re: Controlling ssh from an external program
Oh yes, use perl and Net::SSH::Perl from CPAN.
It's a pain to build (many, many requirements), but
it works very nicely for this type of thing. It's a
complete ssh implementation; you don't even need
openssh to install it, I believe. It can do things
like go interactive, pass username/password, return
good return codes, stderr, stdout, etc.
Contact me off-list if you need help building it.
It's easier to build on linux than Solaris. But I've
used it on both.
Jerry
QX19
--- Jeff Anderson <jander@hundredacrewood.org> wrote:
> Hi -
>
> I am working on a linux remote administration tool, and I would like to be
> able to control ssh/scp via an external program. I know the standard answer
> to this is to use expect, however this is NOT an option.
>
> The next standard answer is to use an empty passphrase or ssh-agent, but I
> cannot guarantee that the remote system will have a keypair, so I need to be
> able to fall back on password authentication if that fails. The controlling
> program needs to be able to feed the password to ssh/scp.
>
> Additionally, I can only use an unmodified version of openssh (i.e. whatever
> version is available on the system that the admin tool is run from).
>
> Any ideas?
>
> ==========================================================
> Jeff Anderson