author | Eivind Eklund <eivind@FreeBSD.org> | 2002-01-29 17:50:27 +0000 |
---|---|---|
committer | Eivind Eklund <eivind@FreeBSD.org> | 2002-01-29 17:50:27 +0000 |
commit | 7348d040e1ffb370da757c846b56c30b40e715ae (patch) | |
tree | 67e39a173d691f9b30366164b4922c1cef26141f /security/safesh/src | |
parent | fa5a13d8ec4f3cfb9309f9b7a77dfadc9c5c8200 (diff) | |
download | ports-7348d040e1ffb370da757c846b56c30b40e715ae.tar.gz ports-7348d040e1ffb370da757c846b56c30b40e715ae.zip |
Diffstat (limited to 'security/safesh/src')
-rw-r--r-- | security/safesh/src/cvs-safesh.sh | 2 | ||||
-rw-r--r-- | security/safesh/src/safesh.1 | 327 | ||||
-rw-r--r-- | security/safesh/src/safesh.sh | 94 |
3 files changed, 423 insertions, 0 deletions
diff --git a/security/safesh/src/cvs-safesh.sh b/security/safesh/src/cvs-safesh.sh
new file mode 100644
index 000000000000..16ccfa71032a
--- /dev/null
+++ b/security/safesh/src/cvs-safesh.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec safesh $1 -- "$@"
diff --git a/security/safesh/src/safesh.1 b/security/safesh/src/safesh.1
new file mode 100644
index 000000000000..d9f3fcff059a
--- /dev/null
+++ b/security/safesh/src/safesh.1
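Review bot: `$1` is unquoted in `exec safesh $1 -- "$@"`, so a host argument containing whitespace or glob characters is split or expanded before safesh sees it while the copy carried inside `"$@"` is not; `exec safesh "$1" -- "$@"` keeps the two consistent. Passing the host both as safesh's first argument and again as the first word of `"$@"` looks intentional, since safesh.sh in this same commit drops its first two arguments before `exec ssh "$@"`, but nothing in the wrapper says so; a comment such as `# $1 (the host) is deliberately repeated inside "$@": safesh.sh shifts it and the -- away and passes the rest to ssh` would keep a later reader from "fixing" it.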
@@ -0,0 +1,327 @@
+.\"-
+.\" Copyright (c) 2002 Eivind Eklund
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer
+.\" in this position and unchanged.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd January 26, 2002
+.Dt SAFESH 1
+.Sh NAME
+.Nm safesh
+.Nd safe key manager for OpenSSH
+.Sh SYNOPSIS
+.Nm
+.Op Ar host
+.Op Ar -- ssh-parameters ...
+.Sh DESCRIPTION
+.Nm
+automatically creates one DSA key (called an identity) for each host you
+connect to, and store this in a separate agent for each host.
+It is also capable of adding keys for other hosts to this agent, so you can
+use it for restricted forwarded of authentication.
+Because each host use its own
+.Xr ssh-agent 1 ,
+the hosts you forward authentication to can only get at the authentication for
+the hosts you specifically say it should be able to get at.
+
+When run,
+.Nm
+.Bl -enum
+.It
+Normalizes the hostname you are talking about, using the $HOME/.safesh/map file.
+.It
+Checks if the host has an ssh dsa key in $HOME/.safesh, and creates one using
+.Xr ssh-keygen 1
+if it does not.
+The DSA key is stored in $HOME/.safesh/$HOST/dsa_id.
+You will be asked for a passphrase when the key is created.
+Note that if you use the same passphrase for all
+.Nm
+keys, you will only be asked for the passphrase once per host you connect to.
+If you use different passphrases, you will be asked once per forwarded key
+for each host you connect to (after a machine startup.)
+.It
+Checks if you have the
+.Xr ssh-agent 1
+for this host running, and starts it if not.
+.It
+Checks what keys you are supposed to have active when connecting to this host
+(the key for the host and any keys listed in $HOME/.safesh/$HOST/extra_keys),
+and which of these are missing from the active agent.
+.It
+If any identities were missing from the agent, it executes
+.Xr ssh-add 1
+to add them to the agent.
+.It
+Executes
+.Xr ssh 1
+with either $HOST or the extra command line supplied by the user.
+.El
+
+.Sh BASIC CONCEPT DESCRIPTION
+.Nm
+is an authentication manager for OpenSSH.
+It is an attempt at making it easy to use the built-in authentication features
+of OpenSSH securely.
+By default, the SSH security model is that all hosts the
+user connect to are trusted, and are given complete access - including the
+ability to authenticate as the user towards other hosts if the user is running
+.Xr ssh-agent 1 .
+OpenSSH has improved this security model somewhat by not forwarding ssh
+authentication by default, but still allows the host that you connect to
+to grab your credentials and authenticate as you to anybody else when you
+do authentication forwarding to it.
+
+
+.Sh NAME REPLACEMENT
+.Bl -tag -width "$HOME/.safesh" -compact
+.It Pa $HOME
+is replaced with the path your home directory,
+$HOST is replaced with the name of the host you are
+.Xr ssh 1 ing
+to,
+.It Pa $HOST
+is replaced with the name of the host you are running
+.Nm
+towards.
+This is the machine you are
+.Xr ssh 1 ing
+into.
+.It Pa $YOURHOST
+is replaced with the name of the host you are running
+.Nm
+on, as output by
+.Xr hostname 1 .
+This is the name of the machine you are
+.Xr ssh 1 ing
+from.
+The use of $YOURHOST makes
+.Nm
+safe to use with NFS-mounted home directories.
+.It Pa $AUTHTARGET
+is replaced with the authentication target for an authentication forwarding.
+This is
+.Pa not
+the same as $HOST.
+$AUTHTARGET is a machine you are
+.Xr ssh 1 ing
+to
+.Pa from
+$HOST.
+.El
+
+.Sh FILES
+.Bl -tag -width "$HOME/.safesh" -compact
+.It Pa $HOME/.safesh/
+Directory containing information for
+.Nm .
+
+.It Pa $HOME/.safesh/map
+Mapping file for
+.Nm ,
+describing how to map names to their canonical form.
+This is usually used to map short names to their long form.
+The format of the file is one mapping per line, what it is mapped from as the
+first word, what it is mapped to as the second.
+
+It is also possible to use this to map DNS names to their safe form by having
+the name of the host as the first parameter, and the name of the host with a
+period (.) at the end as the second parameter.
+E.g, "freefall.freebsd.org freefall.freebsd.org."
+
+.It Pa $HOME/.safesh/$HOST/
+Directory with data for a particular hostname.
+Automatically generated on first connect to a host with
+.Nm .
+
+.It Pa $HOME/.safesh/$HOST/dsa_id
+Private key for use against $HOST.
+Automatically generated on first connect to a host with
+.Nm .
+
+.It Pa $HOME/.safesh/$HOST/dsa_id.pub
+Public key for use by $HOST.
+To connect to $HOST using
+.Nm
+without giving a password, add the contents of this file
+to the end of $HOME/.ssh/authorized_keys2.
+Automatically generated on first connect to a host with
+.Nm .
+
+.It Pa $HOME/.safesh/$HOST/$AUTHTARGET
+Private key for use when $HOST authenticates towards $AUTHTARGET.
+This is used in preference to $HOME/.safesh/$AUTHTARGET/dsa_id for authentication
+forwarding through $HOST to $AUTHTARGET.
+The file is only used if $AUTHTARGET is listed in $HOME/.safesh/$HOST/extra_keys.
+This file is not generated automatically by
+.Nm .
+It is only present if you have generated it using
+.Xr ssh-keygen 1 .
+Note that it is usually more than useless (can pose a security risk) to copy a
+key used for other authentication to this location.
+
+The use of explict authentication files for authentication forwarding is
+primarily for protection against the case where the machine you run
+.Nm
+on is compromised.
+Using this file, you can use a separate passphrase from the one used for the
+key for connecting directly to $AUTHTARGET; that key need not even exist.
+By using IP restrictions in the authorized_keys file for the key, you can make
+sure that the host
+.Nm
+runs on cannot connect to $AUTHTARGET using the authentication forwarding
+key.
+The use of a separate forwarding key can also be used in combination with a
+modified SSH to log which key was used where, and thus track key propagation.
+
+.It Pa $HOME/.safesh/$HOST/$AUTHTARGET.pub
+Public key corresponding to the private key described above.
+
+.It Pa $HOME/.safesh/$HOST/extra_keys
+List of extra keys to make available for this host.
+Each line in the file is first attempted matched against the host database in
+$HOME/.safesh/.
+If a key exists here,
+.Nm
+attempts to add that.
+Otherwise, it first tries to look for a file of this name relative to /, then
+relative to $HOME.
+If it does not find either of these,
+.Nm
+will exit with an error message.
+If it finds one, it will add it.
+
+.It Pa $HOME/.safesh/$HOST/activeagent-$YOURHOST.sh
+Bourne shell (see
+.Xr sh 1 ,
+.Xr bash 1 ,
+.Xr zsh 1 )
+script for setting up the environment variables for the particular ssh-agent used for this host.
+Only valid if
+.Nm
+has been run against that host as this user since the machine
+.Nm
+runs on was last booted.
+Note that this file most be source'd, not just run as a shell script.
+
+.It Pa $HOME/.safesh/$HOST/activeagent-$YOURHOST.csh
+CSH (see
+.Xr csh 1 ,
+.Xr tcsh 1 )
+script for setting up the environment variables for the particular ssh-agent used for this host.
+Only valid if
+.Nm
+has been run against that host as this user since the machine
+.Nm
+runs on was last booted.
+Note that this file most be source'd, not just run as a shell script.
+.El
+
+.Sh AUTHORS
+.Nm
+was written by
+.An Eivind Eklund Aq eivind@FreeBSD.org .
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 .
+.Sh MISSING FEATURES
+The present version of
+.Nm
+does to the best of the author's knowledge work correctly in what it does.
+However, there are a number of features that would make it easier to securely handle
+ssh authentication.
+
+.Bl -tag -width "mmmm" -compact
+.It Pa Two-step secure SSH with an untrusted host in the middle
+It is possible to use the port forwarding capability of ssh to forward
+authentication through another server - without allowing the other server to
+indepently authenticate to a third party, and without allowing it to see
+what is going on in your connection.
+This is based on just forwarding a tunnel through the untrusted host, and
+doing direct authentication to the server on the other side.
+With the present version of OpenSSH, this has the problem of leaving the
+actual port forwarding open while the tunnel is open - allowing other users to
+set up their own tunnels, and weakening another side of the security model.
+
+.It Pa Read out fingerprints
+.Nm
+should make it trivial to retrieve the fingerprint for
+.Bl -enum
+.It
+The host it is running on.
+This must presently done with "ssh-keygen -l /etc/ssh/ssh_host_key.pub" (to get
+the fingerprint for SSH 1) and "ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key"
+(for SSH 2).
+.It
+Other hosts, as registered in the known_host file on the host it is running
+on.
+This must presently be done by manual inspection.
+.El
+
+.It Pa Merge known_hosts
+.Nm
+should make it trivial to merge known_hosts and known_hosts2 with ones from
+another host, including retrieving and uploading known_hosts as appropriate.
+
+.It Pa Manage .ssh/authorized_keys2
+.Nm
+should be able to automatically add/remove keys from the authorized_keys2 file
+on other machines, to make the entire
+.Nm
+process self-contained.
+
+.It Pa Manage setup of key limitations
+When managing authorized_keys2, it is also reasonable to manage key limitation
+in this.
+IP restrictions ("from=") should be handled to make it easy to create setups
+where the local machine do not have direct access to a target.
+Command restrictions etc would be good to have just for completeness.
+
+.It Pa Emulate the entire ssh syntax
+Presently, the
+.Nm
+command has a fairly weird syntax.
+This is because it is a fairly quick hack, just made to be usable.
+Later, it would be nice to rewrite it to be fully compatible with
+.Xr ssh 1 .
+This would allow use as a drop-in replacement.
+
+.It Pa Description of the trust/threath/security model
+It would be nice to have a complete description of the normal SSH threath model
+as well as the
+.Nm
+threath model, in order to make people fully conscious of their own model.
+
+.It Pa Emulate scp
+.Xr scp 1
+is a very useful command.
+Unfortunately, it is almost unusable along with safesh, unless you use the
+activeagent files (preferably along with running all of this in a subshell, so
+you do not get extra authentication keys when you are not planning to.)
+
+.El
diff --git a/security/safesh/src/safesh.sh b/security/safesh/src/safesh.sh
new file mode 100644
index 000000000000..d1a74a8e7a1c
--- /dev/null
+++ b/security/safesh/src/safesh.sh
@@ -0,0 +1,94 @@
+#!/bin/sh
+
+HOST=$1
+AKEYS=${HOME}/.safesh/
+
+# MY eXit
+myx() {
+ echo $1 1>&2
+ exit 1
+}
+
+# Normalize host name if necessary
+normalizehost() {
+ cat ${AKEYS}/map 2> /dev/null | awk "(\$1 == \"$1\" && !gotit) {gotit = 1; print tolower(\$2)} END {if(!gotit) {print tolower(\"$1\")}}"
+}
+
+HOST=`normalizehost $HOST`
+
+#
+# Check that the user are using the right parameters
+#
+# XXX This should check for --, but it is unclear how to do that.
+#
+if ! shift; then
+ myx "Usage: $0 <hostname> [-- <ssh parameters>]"
+fi
+
+#
+# Lose the -- from the parameters - it is there for future extensibility
+# using getopt()
+#
+shift 2> /dev/null;
+
+if [ ! -d $AKEYS/$HOST ]; then
+ mkdir -p $AKEYS/$HOST || myx "Unable to create $AKEYS/$HOST"
+fi
+
+if [ ! -e $AKEYS/$HOST/id_dsa ]; then
+ ssh-keygen -t dsa -f $AKEYS/$HOST/id_dsa || myx "Unable to create $AKEYS/$HOST/id_dsa"
+fi
+
+# We now have a key in $AKEYS/$HOST/id_dsa
+
+ACTIVEAGENT=$AKEYS/$HOST/activeagent-`hostname`
+if [ -e $ACTIVEAGENT.sh ]; then
+ . $ACTIVEAGENT.sh || myx "Unable to read $ACTIVEAGENT.sh"
+fi
+
+if ! ssh-add -l > /dev/null 2>& 1; then
+ ssh-agent -s > $ACTIVEAGENT.tmp || myx "Unable to start ssh-agent"
+ sed '/^echo/d' < $ACTIVEAGENT.tmp > $ACTIVEAGENT.sh
+ rm -f $ACTIVEAGENT.tmp
+ . $ACTIVEAGENT.sh || myx "Unable to read $ACTIVEAGENT.sh after creating it"
+ (echo setenv SSH_AUTH_SOCK $SSH_AUTH_SOCK\;
+ echo setenv SSH_AGENT_PID $SSH_AGENT_PID\;) > $ACTIVEAGENT.csh
+ #echo "Started agent with PID $SSH_AGENT_PID, socket $SSH_AUTH_SOCK" 1>&2
+fi
+
+# We now have a live agent, possibly without any keys in it
+
+
+for i in $HOST $(cat ${AKEYS}/$HOST/extra_keys 2> /dev/null); do
+ tmp=`normalizehost $i`
+ if [ -f $AKEYS/$HOST/$tmp ]; then
+ IDENTITY=$AKEYS/$HOST/$tmp
+ elif [ -d $AKEYS/$tmp/ ]; then
+ if ! [ -f $AKEYS/$tmp/id_dsa -a -r $AKEYS/$tmp/id_dsa ]; then
+ myx "Missing key for $tmp"
+ fi
+ IDENTITY=$AKEYS/$tmp/id_dsa
+ elif [ -f "/$i" ]; then
+ IDENTITY="/$i"
+ elif [ -f "$HOME/$i" ]; then
+ IDENTITY="$HOME/$i"
+ else
+ myx "Unable to find key for \"$i\""
+ fi
+ # Only add it to the list if it isn't already in the agent. This is a
+ # workaround for a bug in ssh-add, which asks for the password FIRST,
+ # and checks for the existence of the the key in the agent AFTERWARDS
+ if [ "`(ssh-add -l && ssh-keygen -l -f "$IDENTITY") | awk '{print $1, $2}' | sort | uniq -d)`" = "" ]; then
+ KEYLIST="$KEYLIST $IDENTITY"
+ fi
+done
+
+if [ "${KEYLIST}" != "" ]; then
+ ssh-add $KEYLIST
+fi
+
+if [ "$1" = "" ]; then
+ exec ssh $HOST
+else
+ exec ssh "$@"
+fi |
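Review bot: `normalizehost` splices its argument into the awk program text (`awk "(\$1 == \"$1\" && !gotit) ..."`), so a host name containing a double quote or other awk syntax — whether it came from the command line or from a line of `extra_keys` — alters the program instead of being compared as a string; pass it as an awk variable instead: `awk -v h="$1" '($1 == h && !gotit) {gotit = 1; print tolower($2)} END {if (!gotit) print tolower(h)}'`. The script also sources `$ACTIVEAGENT.sh` and creates `$AKEYS/$HOST` under whatever umask the caller has, so a `umask 077` right after the shebang would keep the per-host directory and the generated agent scripts private, which matters for the NFS-mounted home directories the manual page advertises. The key is created as `$AKEYS/$HOST/id_dsa`, but the manual page in this same commit documents it as `$HOME/.safesh/$HOST/dsa_id` and `dsa_id.pub`; one of the two needs correcting. `if ! ssh-add -l` treats an agent that is reachable but currently holds no identities the same as no agent at all, so — if ssh-add distinguishes the two by exit status, as current versions do with 1 versus 2 — an emptied agent is abandoned and a second one started on the next run; testing specifically for the "cannot contact agent" status would avoid orphaning agent processes. Quoting also needs attention throughout (`$AKEYS/$HOST`, `$IDENTITY`, `ssh-add $KEYLIST`), since a `$HOME` containing a space breaks every test and the final `ssh-add` call.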