authorEivind Eklund <eivind@FreeBSD.org>2002-02-27 14:34:51 +0000
committerEivind Eklund <eivind@FreeBSD.org>2002-02-27 14:34:51 +0000
commit86661f5bb442767d4aef8644b3aaa8b4ba00ce5d (patch)
treee1375368936faaaa718915b41029db37cf91d924 /security/safesh
parent34b766367f5cd4fbe5c0ed9e64e3f4a1c75e34bd (diff)
Update to version 1.3 - better docs, and cosmetic improvements
Notes
Notes: svn path=/head/; revision=55308
Diffstat (limited to 'security/safesh')
-rw-r--r--security/safesh/Makefile2
-rw-r--r--security/safesh/src/safesh.158
-rw-r--r--security/safesh/src/safesh.sh28
3 files changed, 72 insertions, 16 deletions
diff --git a/security/safesh/Makefile b/security/safesh/Makefile
index 4c773a23e32b..3b509249b005 100644
--- a/security/safesh/Makefile
+++ b/security/safesh/Makefile
@@ -8,7 +8,7 @@
#
PORTNAME= safesh
-PORTVERSION= 1.2
+PORTVERSION= 1.3
CATEGORIES= security
MASTER_SITES= # none
DISTFILES= # none
diff --git a/security/safesh/src/safesh.1 b/security/safesh/src/safesh.1
index ab599b824892..f3ad4785d44c 100644
--- a/security/safesh/src/safesh.1
+++ b/security/safesh/src/safesh.1
@@ -95,6 +95,44 @@ authentication by default, but still allows the host that you connect to
to grab your credentials and authenticate as you to anybody else when you
do authentication forwarding to it.
+.Sh SIMPLE HOWTO
+Starting to make use of
+.Nm
+is trivial:
+.Bl -enum
+.It
+Do "safesh <hostname>".
+This will ask you for a passphrase (three times), and create a directory
+$HOME/.safesh/<yourusername>@<hostname>-22, which contains authentication
+data for your user at <hostname>.
+.It
+Add the contents of $HOME/.safesh/<yourusername>@<hostname>-22/id_dsa.pub to
+$HOME/.ssh/authorized_keys2 on the host you
+.Nm
+*to*.
+.It
+Log in with "safesh <hostname>" from now on.
+This will ask you for a passphrase if you have not logged into that host this
+session, and otherwise just let right in.
+.El
+
+To give an example, let us say I (eivind@FreeBSD.org) want to set up this up
+for use with the main FreeBSD development server, freefall.freebsd.org, from
+the account "eivind" on my workstation:
+.Bl -enum
+.It
+eivind(ws)--% safesh freefall.freebsd.org
+
+<answer passphrase three times, then break off password prompt>
+.It
+eivind(ws)--% cat ~/.safesh/eivind@freefall.freebsd.org-22/id_dsa.pub | safesh freefall.freebsd.org -- freefall.freebsd.org 'mkdir -p .ssh && cat >> ~/.ssh/authorized_keys2'
+
+Answer password prompt with the password used on freefall.
+The command above updates authorized_keys2 file with the key we just
+generated.
+From now on, it is possible to connect to freefall with just
+"safesh freefall.freebsd.org"
+.El
.Sh NAME REPLACEMENT
.Bl -tag -width "$HOME/.safesh" -compact
@@ -261,13 +299,21 @@ was written by
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 .
-.Sh MISSING FEATURES
-The present version of
-.Nm
-does to the best of the author's knowledge work correctly in what it does.
-However, there are a number of features that would make it easier to securely handle
-ssh authentication.
+.Sh KNOWN ISSUES
+.Nm does not handle whitespace in filenames specified in extra_keys correctly.
+
+The ssh-agents that are started by will hang around until next reboot unless
+you put 'killall ssh-agent' in .logout or similar.
+This allows any login to your account to use your authentication towards
+machines you have connected to (including anybody with root on the box),
+persisting after you log out.
+You must always assume that root can grab your authentication at the moment
+you run do it, so this is only an issue in that the authentication stays
+available longer.
+This is not resolvable without rewriting ssh-agent.
+
+.Sh MISSING FEATURES
.Bl -tag -width "mmmm" -compact
.It Pa Two-step secure SSH with an untrusted host in the middle
It is possible to use the port forwarding capability of ssh to forward
diff --git a/security/safesh/src/safesh.sh b/security/safesh/src/safesh.sh
index 8db88109d122..1774e594e0a8 100644
--- a/security/safesh/src/safesh.sh
+++ b/security/safesh/src/safesh.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-AKEYS=${HOME}/.safesh/
+AKEYS=${HOME}/.safesh
# Use username as supplied on the command line if user@host syntax is used,
# otherwise use the presently active username
USER=`whoami`
@@ -38,25 +38,29 @@ shift 2> /dev/null;
HOSTDIR=$AKEYS/$USER@${HOST}-22
if [ ! -d $HOSTDIR ]; then
- mkdir -p $HOSTDIR || myx "Unable to create $HOSTDIR"
+ mkdir -p $HOSTDIR || myx "$0: Unable to create $HOSTDIR"
fi
if [ ! -e $HOSTDIR/id_dsa ]; then
- ssh-keygen -t dsa -f $HOSTDIR/id_dsa || myx "Unable to create $HOSTDIR/id_dsa"
+ if [ "$DISPLAY" != "" ] && (which ssh-askpass > /dev/null 2>&1); then
+ (ssh-keygen -t dsa -f $HOSTDIR/id_dsa >/dev/null < /dev/null 2>&1) || myx "$0: Unable to create $HOSTDIR/id_dsa"
+ else
+ ssh-keygen -t dsa -f $HOSTDIR/id_dsa || myx "Unable to create $HOSTDIR/id_dsa"
+ fi
fi
# We now have a key in $HOSTDIR/id_dsa
ACTIVEAGENT=$HOSTDIR/activeagent-`hostname`
if [ -e $ACTIVEAGENT.sh ]; then
- . $ACTIVEAGENT.sh || myx "Unable to read $ACTIVEAGENT.sh"
+ . $ACTIVEAGENT.sh || myx "$0: Unable to read $ACTIVEAGENT.sh"
fi
if ! ssh-add -l > /dev/null 2>& 1; then
ssh-agent -s > $ACTIVEAGENT.tmp || myx "Unable to start ssh-agent"
sed '/^echo/d' < $ACTIVEAGENT.tmp > $ACTIVEAGENT.sh
rm -f $ACTIVEAGENT.tmp
- . $ACTIVEAGENT.sh || myx "Unable to read $ACTIVEAGENT.sh after creating it"
+ . $ACTIVEAGENT.sh || myx "$0: Unable to read $ACTIVEAGENT.sh after creating it"
(echo setenv SSH_AUTH_SOCK $SSH_AUTH_SOCK\;
echo setenv SSH_AGENT_PID $SSH_AGENT_PID\;) > $ACTIVEAGENT.csh
#echo "Started agent with PID $SSH_AGENT_PID, socket $SSH_AUTH_SOCK" 1>&2
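Review bot: The `2>&1` in the new askpass branch `(ssh-keygen -t dsa -f $HOSTDIR/id_dsa >/dev/null < /dev/null 2>&1)` also throws away ssh-keygen's own error text, so when key generation fails the user sees only the myx line and not the reason; keeping stderr, `ssh-keygen -t dsa -f $HOSTDIR/id_dsa >/dev/null </dev/null || myx "$0: Unable to create $HOSTDIR/id_dsa"`, still hides the fingerprint output, and the surrounding subshell parentheses are not needed. The fallback on the following line is the one message this commit leaves without the `$0:` prefix it adds everywhere else, and `myx "Unable to start ssh-agent"` further down is still unprefixed as well. The `[ "$DISPLAY" != "" ] && (which ssh-askpass > /dev/null 2>&1)` test is repeated verbatim in the ssh-add hunk at the end of the file; evaluating it once into a variable near the top of the script would keep the two paths from drifting. As far as I recall ssh-keygen selects its askpass helper via SSH_ASKPASS or a compiled-in path rather than from PATH, so a `which` hit does not guarantee a prompt will actually appear — worth a comment on the condition.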
@@ -73,8 +77,10 @@ for i in $USER@${HOST}-22 `cat $HOSTDIR/extra_keys 2> /dev/null`; do
if [ -f $HOSTDIR/$tmp ]; then
IDENTITY=$HOSTDIR/$tmp
elif [ -d $AKEYS/$tmp/ ]; then
- if ! [ -f $AKEYS/$tmp/id_dsa -a -r $AKEYS/$tmp/id_dsa ]; then
- myx "Missing key for $tmp"
+ if ! [ -f $AKEYS/$tmp/id_dsa ]; then
+ myx "Missing key $AKEYS/$tmp/id_dsa"
+ elif ! [ -r $AKEYS/$tmp/id_dsa ]; then
+ myx "$AKEYS/$tmp/id_dsa is not readable"
fi
IDENTITY=$AKEYS/$tmp/id_dsa
elif [ -f "/$i" ]; then
@@ -93,11 +99,15 @@ for i in $USER@${HOST}-22 `cat $HOSTDIR/extra_keys 2> /dev/null`; do
done
if [ "${KEYLIST}" != "" ]; then
- ssh-add $KEYLIST
+ if [ "$DISPLAY" != "" ] && (which ssh-askpass > /dev/null 2>&1); then
+ ssh-add $KEYLIST < /dev/null > /dev/null 2>&1
+ else
+ ssh-add $KEYLIST
+ fi
fi
if [ "$1" = "" ]; then
- exec ssh $USER@$HOST
+ exec ssh -A $USER@$HOST
else
exec ssh "$@"
fi
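Review bot: Neither arm of the new ssh-add conditional checks ssh-add's exit status, and the askpass arm additionally sends stderr to /dev/null, so in that path a key that fails to load (helper missing, passphrase cancelled or mistyped) is entirely silent and the script still reaches `exec ssh`, where authentication quietly degrades to whatever else the server accepts; `ssh-add $KEYLIST < /dev/null > /dev/null || myx "$0: ssh-add failed for $KEYLIST"` keeps the prompt out of the terminal but surfaces the failure. Separately, `exec ssh -A $USER@$HOST` switches on agent forwarding for the bare `safesh host` form only — `exec ssh "$@"` two lines below does not — which is a behaviour change the commit message describes as cosmetic and the safesh.1 hunk does not mention, although its context lines already warn that forwarding lets the host you connect to use your credentials toward others. The `-A` line deserves a comment such as `# -A: forward this host's agent; the remote end can use every key loaded above (extra_keys included) for the duration of the session`, and the same point belongs in the SIMPLE HOWTO or KNOWN ISSUES section of the man page.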