author | Eivind Eklund <eivind@FreeBSD.org> | 2002-02-27 14:34:51 +0000 |
---|---|---|
committer | Eivind Eklund <eivind@FreeBSD.org> | 2002-02-27 14:34:51 +0000 |
commit | 86661f5bb442767d4aef8644b3aaa8b4ba00ce5d (patch) | |
tree | e1375368936faaaa718915b41029db37cf91d924 /security/safesh | |
parent | 34b766367f5cd4fbe5c0ed9e64e3f4a1c75e34bd (diff) |
Update to version 1.3 - better docs, and cosmetic improvements
Notes
Notes:
svn path=/head/; revision=55308
Diffstat (limited to 'security/safesh')
-rw-r--r-- | security/safesh/Makefile | 2 | ||||
-rw-r--r-- | security/safesh/src/safesh.1 | 58 | ||||
-rw-r--r-- | security/safesh/src/safesh.sh | 28 |
3 files changed, 72 insertions, 16 deletions
diff --git a/security/safesh/Makefile b/security/safesh/Makefile index 4c773a23e32b..3b509249b005 100644 --- a/security/safesh/Makefile +++ b/security/safesh/Makefile @@ -8,7 +8,7 @@ # PORTNAME= safesh -PORTVERSION= 1.2 +PORTVERSION= 1.3 CATEGORIES= security MASTER_SITES= # none DISTFILES= # none diff --git a/security/safesh/src/safesh.1 b/security/safesh/src/safesh.1 index ab599b824892..f3ad4785d44c 100644 --- a/security/safesh/src/safesh.1 +++ b/security/safesh/src/safesh.1 
@@ -95,6 +95,44 @@ authentication by default, but still allows the host that you connect to to grab your credentials and authenticate as you to anybody else when you do authentication forwarding to it. +.Sh SIMPLE HOWTO +Starting to make use of +.Nm +is trivial: +.Bl -enum +.It +Do "safesh <hostname>". +This will ask you for a passphrase (three times), and create a directory +$HOME/.safesh/<yourusername>@<hostname>-22, which contains authentication +data for your user at <hostname>. +.It +Add the contents of $HOME/.safesh/<yourusername>@<hostname>-22/id_dsa.pub to +$HOME/.ssh/authorized_keys2 on the host you +.Nm +*to*. +.It +Log in with "safesh <hostname>" from now on. +This will ask you for a passphrase if you have not logged into that host this +session, and otherwise just let right in. +.El + +To give an example, let us say I (eivind@FreeBSD.org) want to set up this up +for use with the main FreeBSD development server, freefall.freebsd.org, from +the account "eivind" on my workstation: +.Bl -enum +.It +eivind(ws)--% safesh freefall.freebsd.org + +<answer passphrase three times, then break off password prompt> +.It +eivind(ws)--% cat ~/.safesh/eivind@freefall.freebsd.org-22/id_dsa.pub | safesh freefall.freebsd.org -- freefall.freebsd.org 'mkdir -p .ssh && cat >> ~/.ssh/authorized_keys2' + +Answer password prompt with the password used on freefall. +The command above updates authorized_keys2 file with the key we just +generated. +From now on, it is possible to connect to freefall with just +"safesh freefall.freebsd.org" +.El .Sh NAME REPLACEMENT .Bl -tag -width "$HOME/.safesh" -compact 
@@ -261,13 +299,21 @@ was written by .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 . -.Sh MISSING FEATURES -The present version of -.Nm -does to the best of the author's knowledge work correctly in what it does. -However, there are a number of features that would make it easier to securely handle -ssh authentication. +.Sh KNOWN ISSUES +.Nm does not handle whitespace in filenames specified in extra_keys correctly. + +The ssh-agents that are started by will hang around until next reboot unless +you put 'killall ssh-agent' in .logout or similar. +This allows any login to your account to use your authentication towards +machines you have connected to (including anybody with root on the box), +persisting after you log out. +You must always assume that root can grab your authentication at the moment +you run do it, so this is only an issue in that the authentication stays +available longer. +This is not resolvable without rewriting ssh-agent. + +.Sh MISSING FEATURES .Bl -tag -width "mmmm" -compact .It Pa Two-step secure SSH with an untrusted host in the middle It is possible to use the port forwarding capability of ssh to forward diff --git a/security/safesh/src/safesh.sh b/security/safesh/src/safesh.sh index 8db88109d122..1774e594e0a8 100644 --- a/security/safesh/src/safesh.sh +++ b/security/safesh/src/safesh.sh @@ -1,6 +1,6 @@ #!/bin/sh -AKEYS=${HOME}/.safesh/ +AKEYS=${HOME}/.safesh # Use username as supplied on the command line if user@host syntax is used, # otherwise use the presently active username USER=`whoami` 
@@ -38,25 +38,29 @@ shift 2> /dev/null; HOSTDIR=$AKEYS/$USER@${HOST}-22 if [ ! -d $HOSTDIR ]; then - mkdir -p $HOSTDIR || myx "Unable to create $HOSTDIR" + mkdir -p $HOSTDIR || myx "$0: Unable to create $HOSTDIR" fi if [ ! -e $HOSTDIR/id_dsa ]; then - ssh-keygen -t dsa -f $HOSTDIR/id_dsa || myx "Unable to create $HOSTDIR/id_dsa" + if [ "$DISPLAY" != "" ] && (which ssh-askpass > /dev/null 2>&1); then + (ssh-keygen -t dsa -f $HOSTDIR/id_dsa >/dev/null < /dev/null 2>&1) || myx "$0: Unable to create $HOSTDIR/id_dsa" + else + ssh-keygen -t dsa -f $HOSTDIR/id_dsa || myx "Unable to create $HOSTDIR/id_dsa" + fi fi # We now have a key in $HOSTDIR/id_dsa ACTIVEAGENT=$HOSTDIR/activeagent-`hostname` if [ -e $ACTIVEAGENT.sh ]; then - . $ACTIVEAGENT.sh || myx "Unable to read $ACTIVEAGENT.sh" + . $ACTIVEAGENT.sh || myx "$0: Unable to read $ACTIVEAGENT.sh" fi if ! ssh-add -l > /dev/null 2>& 1; then ssh-agent -s > $ACTIVEAGENT.tmp || myx "Unable to start ssh-agent" sed '/^echo/d' < $ACTIVEAGENT.tmp > $ACTIVEAGENT.sh rm -f $ACTIVEAGENT.tmp - . $ACTIVEAGENT.sh || myx "Unable to read $ACTIVEAGENT.sh after creating it" + . $ACTIVEAGENT.sh || myx "$0: Unable to read $ACTIVEAGENT.sh after creating it" (echo setenv SSH_AUTH_SOCK $SSH_AUTH_SOCK\; echo setenv SSH_AGENT_PID $SSH_AGENT_PID\;) > $ACTIVEAGENT.csh #echo "Started agent with PID $SSH_AGENT_PID, socket $SSH_AUTH_SOCK" 1>&2 @@ -73,8 +77,10 @@ for i in $USER@${HOST}-22 `cat $HOSTDIR/extra_keys 2> /dev/null`; do if [ -f $HOSTDIR/$tmp ]; then IDENTITY=$HOSTDIR/$tmp elif [ -d $AKEYS/$tmp/ ]; then - if ! [ -f $AKEYS/$tmp/id_dsa -a -r $AKEYS/$tmp/id_dsa ]; then - myx "Missing key for $tmp" + if ! [ -f $AKEYS/$tmp/id_dsa ]; then + myx "Missing key $AKEYS/$tmp/id_dsa" + elif ! [ -r $AKEYS/$tmp/id_dsa ]; then + myx "$AKEYS/$tmp/id_dsa is not readable" fi IDENTITY=$AKEYS/$tmp/id_dsa elif [ -f "/$i" ]; then 
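Review bot: The `else` branch of the new ssh-keygen block keeps the old text `myx "Unable to create $HOSTDIR/id_dsa"` while every other message in this hunk gained the `$0:` prefix, so the same failure is now reported two different ways depending on whether ssh-askpass is present; `ssh-keygen -t dsa -f "$HOSTDIR/id_dsa" || myx "$0: Unable to create $HOSTDIR/id_dsa"` brings it in line. In the askpass branch the subshell also throws away ssh-keygen's stderr, so when key generation fails (e.g. ssh-askpass cannot open `$DISPLAY`) the user only sees the generic message; it appears to be the `< /dev/null` stdin redirection that makes ssh-keygen fall back to askpass, so stderr could stay attached. The `[ "$DISPLAY" != "" ] && (which ssh-askpass > /dev/null 2>&1)` test is repeated verbatim in the later ssh-add hunk (@@ -93,11); a small helper such as `use_askpass() { [ -n "$DISPLAY" ] && which ssh-askpass >/dev/null 2>&1; }` would keep the two decisions in step.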
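Review bot: The two new tests `[ -f $AKEYS/$tmp/id_dsa ]` and `[ -r $AKEYS/$tmp/id_dsa ]` leave the path unquoted, and `$tmp` is derived from `extra_keys` entries that the KNOWN ISSUES section added to safesh.1 in this same commit says are not handled when they contain whitespace; quoting here, `if ! [ -f "$AKEYS/$tmp/id_dsa" ]; then` and `elif ! [ -r "$AKEYS/$tmp/id_dsa" ]; then`, is the cheap half of that fix, though the backtick `cat $HOSTDIR/extra_keys` in the loop header (word-split by the shell) is the root cause and sits outside this hunk. Since the split into two messages now names the exact file, a short comment that one unusable `extra_keys` entry aborts the whole login (as before) would help the next reader: `# any missing/unreadable extra_keys identity is fatal, see KNOWN ISSUES in safesh.1`. The enclosing `for` loop starts before the hunk.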
@@ -93,11 +99,15 @@ for i in $USER@${HOST}-22 `cat $HOSTDIR/extra_keys 2> /dev/null`; do done if [ "${KEYLIST}" != "" ]; then - ssh-add $KEYLIST + if [ "$DISPLAY" != "" ] && (which ssh-askpass > /dev/null 2>&1); then + ssh-add $KEYLIST < /dev/null > /dev/null 2>&1 + else + ssh-add $KEYLIST + fi fi if [ "$1" = "" ]; then - exec ssh $USER@$HOST + exec ssh -A $USER@$HOST else exec ssh "$@" fi |
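Review bot: `exec ssh -A $USER@$HOST` switches agent forwarding on for every argument-less invocation, a behaviour change that neither the commit message ("cosmetic improvements") nor the safesh.1 hunks in this diff mention; with forwarding on, the host you connect to (and, as the DESCRIPTION text quoted at the top of the man page hunk already warns, anyone with root there) can use every identity the agent holds, including all `extra_keys` identities just loaded by `ssh-add $KEYLIST`, for the whole session. Suggest making `-A` opt-in via a variable or flag read before the `exec`, or at minimum documenting it in safesh.1, and noting the asymmetry that the `exec ssh "$@"` path does not add it. Separately, the askpass branch `ssh-add $KEYLIST < /dev/null > /dev/null 2>&1` has no `|| myx` and discards stderr, so a failed ssh-add is silent and ssh falls through to a password prompt; `ssh-add $KEYLIST < /dev/null > /dev/null || myx "$0: ssh-add failed"` keeps the diagnostic visible.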