Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Security Businesses Apple

Set up SSH Agent on Login 36

Posted by pudge from the me-like dept.
mpf writes "This is a simple procedure to allow you to be prompted at login for your SSH passphrase and have it optionally stored in your Mac OS X Keychain, so you'll never have to enter your passphrase again! It allows you to use ssh from AppleScripts and other non-interactive applications without entering your passphase." Nice idea. It combines two pieces of software, one that starts ssh-agent on login, and one that gets called to provide your ssh passphrase when needed (which can store/retrieve it in the Keychain). There's a small AppleScript to call ssh-add on login, to tie it all together.
This discussion has been archived. No new comments can be posted.

Set up SSH Agent on Login More

Set up SSH Agent on Login

Comments Filter:

  • secure shell? (Score:1, Flamebait)

    by BigBir3d ( 454486 )
    what is so secure about no password? this must be an idea of the US government...

    • Re:secure shell? (Score:5, Informative)

      by Webmonger ( 24302 ) on Tuesday May 21, 2002 @12:32PM (#3559592) Homepage
      SSH can use several forms of authentication, including public key cryptography. You use a password to encrypt your private key, which you supply on login.

      Once your private key is decrypted, SSH can use it to authenticate you on any site that uses your public key for authentication.

      There is security at every step. You typically have to be logged in as yourself (or root) to read your private key, you have to supply a password to decrypt the key, and you can remove they key from memory at any time.

      • Re:secure shell? (Score:3, Insightful)

        by BigBir3d ( 454486 )
        so what you are saying is when your laptop is stolen, you are completely covered? i think not.

        • Re:secure shell? (Score:3, Informative)

          by scenic ( 4226 )
          no, not completely covered. But, with proper management you can manage your risk. Just remove the key that got stolen from your remote hosts. The issue then becomes home many keys and where they are, and ancilliary issues like did you use the same passphrase on other keys on other computers (bad user, bad, bad).

          At the end of the day, it's all about managing risk. So, you have to take the proper safeguards in order to balance your convenience.

          Sujal

        • Re:secure shell? (Score:3, Interesting)

          by Webmonger ( 24302 )

          Yes, you very well covered if your laptop gets stolen, as long as the power's off. The only copy of your private key is on the hard disk, and your passphrase is required to use it, because it's encrypted.

          If your laptop is stolen while powered on with an active login session, you may be screwed.

          Essentially it goes:

          Remote machine: At the request of user bar, I will permit any machine that can prove it has private key foo to log in as user bar.

          Local machine: If user bar (or baz) supplies the password for key foo, I can decrypt it. If I can decrypt key foo, I will use it to log into the remote machine.

          So in fact, the remote machine doesn't trust your local machine, it trusts the key.

          The only decrypted copy of the key is in memory. If you're really unlucky, it got swapped to disk, and was recovered by the person who stole your laptop. Recovering a key like this is nontrivial to do, but not impossible.

  • If an applescript calls the password, couldn't and applescript write the password to a file. If so, this brings up a physical security issue.

  • A worring idea. (Score:4, Interesting)

    by @madeus ( 24818 ) <slashdot_24818@mac.com> on Tuesday May 21, 2002 @12:45PM (#3559699)
    Hmm mostly *but not entirely* , a bad idea, IMO.

    This is useful as long as you remeber to lock your screen when you are away from your keyboard.

    But to be honest, I wouldn't count on that. (as even doing that is not sufficent)

    If you store your passwords on your machine and permit programs to access your keychain (which stores them encrypted but *outputs* them as plain text), a malacious program could steal all your account passwords without you knowing (which is of course much worse than just stealing the password to your desktop).

    If you make sure the Keychain prompted you before allowing applications to access the Keychain, then that would be all well and good, but then that would elimiate most of the useful functionality of this method (as it would be more annoying than simply having to type in a password in the first place, as it would involve a hand leaving the keyboard and going for the mouse/trackball to point and click).

    Even making Terminal.app the only application which can access passwords on the Keychain without prompting does not work around this problem as it's trivial to call the Terminal and get it to do stuff (and, infact some installers do).

    In my experience, I have enough problems convincing lusers not to save their passwords in clear text in CRT/SecureCRT login scripts.

    I don't wish to detract from someone's work, but this seems like someone's excuse not to have to remeber passwords.

    (If there are a lot of systems to look after and you can't possibly remeber the passwords for all of them (and your not able to use something like NIS/LDAP), a plain text/CSV and something like Cypher is probably a better bet.)

    • Re:A worring idea. (Score:3, Insightful)

      by Lazaru5 ( 28995 )
      All your points are mostly valid except for saying it's an excuse not to have to remember passwords. Why then do ssh-agent/ssh-add exist at all? Having all apps be able to access SSH_AUTH_SOCK and SSH_AGENT_PID is a good thing. It's ok to question this implementation, but the goal is a good one.
      • The real use of ssh-agent is more obvious when you consider that ssh was originally developed as a replacement for the hideously insecure "rsh."

        The reason why one would want to use "rsh," back in the day, rather than telnet, would be if you wanted to write a script that would perform an action on a remote machine. This isn't something that your average end-user does often, but it's something that systems administrators in business environments find very useful.

        Problem is, with SSH, you have to provide a password or pass phrase in order to complete the connection. If your goal is to write an automated system to do the work unattended, this is an issue! "rsh" didn't have the problem, because its idea of security was pretty much blind trust.

        So, we have ssh-agent. It's a way that you can enter your passphrase once when you're at the computer, and have that authorization stick around while you go away.

        An example: At my last job, at an ISP, our DNS was managed through a CVS repository. With thousands of zones, updating the entire repository was not always speedy. So, I set up a cron job to do the update overnight. Since our CVS only allowed ssh connections, I had to find some way to handle the authentication. Running ssh-agent solved this issue: Once I had given the authorization, it would stick around. Of course, if the workstation weren't located in a physically secured space, and equipped with a password locking screen saver set to a short timeout, I'm not sure I'd have taken the security risk.
        • It wasn't a real question. I was hoping that my response would make the parent realize that the feature that ssh-agent provides is one that is needed.

    • Re:A worring idea. (Score:3, Informative)

      by daeley ( 126313 )
      This is useful as long as you remeber to lock your screen when you are away from your keyboard.

      In Mac OS X, under the Screen Saver System Preference, you can have it ask for a password before it lets you back in. You can also set a hot corner so that if you *do* remember, you can just shove your cursor into one corner and the screensaver turns on.

    • If you store your passwords on your machine and permit programs to access your keychain (which stores them encrypted but *outputs* them as plain text), a malacious program could steal all your account passwords without you knowing.
      Your assumption that any program can access any keychain item at any time is false. Each keychain item has specific programs assigned to it with different realms. Take a look at your keychain program, and you'll see a section that restricts program access.
      The real security risk that you should be worried about is the fact that if your keychain is unlocked, anyone can go into your keychain application and view in plaintext any of your passwords.

      If you make sure the Keychain prompted you before allowing applications to access the Keychain, then that would be all well and good, but then that would elimiate most of the useful functionality of this method
      There is an option that you're overlooking: in the keychain manager you can set programs to only prompt you once. Anytime the program itself is modified (if you make a new build, or if you install an update), you are presented with a dialog asking you if you want to allow the program to have access to the keychain item. you can say "deny", "allow", and "always allow"

      I don't wish to detract from someone's work, but this seems like someone's excuse not to have to remeber passwords.
      I believe that was the entire point!

      I don't recommend doing this trick if you're going to leave your keychain unlocked all the time, but if you have it set up more securely it could prove to be a very helpful addition to your setup.

      • No my assumptions are NOT false.

        I know exactly how the Keychain works, but as I went to great pains to point out, this program fails to save time effectively if you are still prompted for authorization each time and if you are not, then it is insecure, and that's why IMO it's a bad idea.

        For some reason (because it didn't fit your argument) you selectively ommited that part of my post from your reply and chose instead to ignore it.

        And yes, I also know how to lock the screen in Mac OS X (WOW you can lock the screen? Who would have thought! You must be a rocket scientist!)

        As for your reply of "I believe that was the entire point!" when I stated "this seems like someone's excuse not to have to remeber passwords." you would seem to have little experience managing systems responsibly.

        Quite frankly, if you can't even remeber your password for a host, you shouldn't not be messing around at the command line at all and are likely to break something quite badly.
        • Quite frankly, if you can't even remeber your password for a host, you shouldn't not be messing around at the command line at all and are likely to break something quite badly.
          I agree.
          The whole point of this article in the first place was to provide a way for lazy (or really crunched for time) people to bypass authentication for SSH.
          I do not suggest using this method for many of the reasons that you said, as well as many that I said.
          I know exactly how the Keychain works, but as I went to great pains to point out, this program fails to save time effectively if you are still prompted for authorization each time and if you are not, then it is insecure, and that's why IMO it's a bad idea. For some reason (because it didn't fit your argument) you selectively ommited that part of my post from your reply and chose instead to ignore it.
          Cool it. I think that rather than attacking me, you should be thinking about what the keychain was originally intended for: Maintaining secure information in such a way that requiring one password could provide access to tons of info. In X, at login your keychain is unlocked.
          If you're going to talk about security, remind people that you can have your keychain automatically lock after periods of time.

          Sorry this seems to have hit a vein, but I'm really not disagreeing with you about the insecurity of the "SSH Agent on Login" post. I am just making it very clear that the Keychain is the weakest link here, not the programs that someone posted.

          Take Care

  • Finding ways to make OS X more OS 9-like seems to be a pattern among users of OS X (especially among those graduating from OS 9).

    Those using OS X who want to implement things such the password-free login method mentioned in this article may want to think twice. Defeating the need to enter a username and password removes a layer of security from an OS that is still ironing out the kinds of problems that we find in the youth of virtually every OS.

    • Re:Pattern of making OSX like OS 9 (Score:4, Insightful)

      by jkujawa ( 56195 ) on Tuesday May 21, 2002 @01:32PM (#3560014) Homepage
      I don't think this is so much a password-free login as single sign-on. The keychain database is unlocked when the user logs in, and from then on, any applications which have been allowed to use it can get their registered passwords from the database, without having to ask the user.

      Some people like single sign-on, others don't. Personally, I like its convenience. I think it should be done correctly, the database should, for instance, be relocked when the screen is locked, but it's a good solution for users, if used carefully.
    • Um ... actually, this is making it more Unix-like (as if Unix can be made more Unix-like) ... on Mac OS 9 I have no way to set up an ssh-agent (although NiftyTelnet does cache your ssh passphrase in memory, and MacSSH can cache it in the Keychain). On Linux, when I log in to my graphical UI, I set up one ssh-agent for all my terminals etc. to use. It's the same thing. ssh is made for this. All this does is make it so the ssh-agent is started automatically and your key is added to it automatically, by using the Keychain. Sure, the Keychain or SSH could have security flaws in them, but is that's the case, there are far bigger problems than merely this.
    • I think you are confused. The article wasn't about bypassing login to the mac itself (that can easily be done in the Login system pref panel, on any osx mac), but rather bypassing passwords for remote systems. There is no way (that I know of at least) to get ssh keys working this elgantly in OS9.

      I'm in and out of a couple different shell servers all day, so this is a huge timesaver for me. And it is pretty secure, because every time I close the lid of my ibook the system sleeps, and everytime the system sleeps, my keychain is locked. And I've got a password on my screensaver too. And I don't have my actual remote passwords stored. It's beautiful.
      • OK, gotta revise that now that I've used the thing a bit. Locking the keychain doesn't stop me from being able to login to remote hosts password-free (!) but it does stop me from being able to view the stored passphrase in Keychain Access (without entering the keychain passowrd). This still sort of bugs me; I guess I'll just have to get religious about enabling the screensaver (by moving the mouse to a specified corner of the screen) whenever I'm away.

        Hey... anyone know how secure the applescreensaver password lock is?
        • One more note:

          To lock everything up, one can type "ssh-add -D" and disable the indentites that have been stored (until next login..). To re-enable it, you can use ssh-add again, but it prompts you for your passphrase in the shell (not in the pretty, aqua, keychain-aware SSHAskPass program) which sort of defeats the purpose. There's got to be a better way...

  • Keychain (Score:2, Interesting)

    by auferstehung ( 150494 )
    The original sh compatible keychain tool for Linux (and Unix in general) mentioned in the referenced link can be found on the Gentoo Linux [gentoo.org] website here [gentoo.org]. There are links to IBM developerWorks articles describing the concepts behind the keychain scripts as well as how to set it up and use it.

  • Is doing this like... (Score:3, Informative)

    by yack0 ( 2832 ) <keimel@nospam.gmail.com> on Tuesday May 21, 2002 @02:44PM (#3560588) Homepage
    using keygen to generate a identity and identity.pub in your local .ssh directory, then copying that identity.pub to the remote server in a ~/.ssh/authorized_keys (perm 644) file?

    While that method also assumes physical security, I don't really worry about that. My iBook secures the screen if I'm idle for more than 5 minutes and I have a sleep corner. I don't leave my desk without using the sleep corner to lock up.

    I know a lot of people that use this, the trick is to keep the identity file secure. That's your private key and needs to be safe.

    • That's not what this is at all. You of course _do_ generate your keys like normal and distribute your .pub key to your server(s) of choice.

      This is akin to starting X via "ssh-agent startx" (or your ~/.X* scripts if you use [x|g|k|w]dm, etc) so that all applications inherit the SSH_AUTH_SOCK and SSH_AGENT_PID environment variables.

      This also provides an analog to the X based openssh-askpass dialog.

      Finally, and this is the novel part...it adds it to MacOSX's KeyChain system so that all apps - not just Terminal.app and [x|a|e]term - can use it. Their example is Project Builder which can be set to use SSH to do CVS logins instead of the default (which is presumably pserver).

  • My solution.. (Score:2, Interesting)

    by lcracker ( 10398 )
    I wrote a perl script that manages ssh-agent processes that gets executed in the .login. Basically the way it works is that whenever I start a terminal session it sets the proper environment variables if ssh-agent is running, otherwise, it starts ssh-agent (therefore asking for password). I also wrote some scripts to add my public key to remote hosts. I use SSHPassKey for ProjectBuilder, which seems to integrate with my system pretty well.

    ---

    #!/usr/bin/perl
    sub findpid {
    $addkeys = shift;
    open FILE,"$ENV{HOME}/.ssh/.ssh-agent.csh";
    $sock = ;
    $pid = ;
    close FILE;
    $sock =~ s/^.*?\ .*?\ (.*?);\n$/$1/;
    $pid =~ s/^.*?\ .*?\ (.*?);\n$/$1/;
    $lines = 0;
    if ($pid) {
    open PS,"/bin/ps -p $pid|";
    ;
    while () { ++$lines; }
    close PS;
    }
    if ($lines) {
    $ENV{'SSH_AUTH_SOCK'} = $sock;
    $ENV{'SSH_AGENT_PID'} = $pid;
    if ($addkeys) {`ssh-add $ENV{HOME}/.ssh/identity $ENV{HOME}/.ssh/id_dsa`;}
    } else {
    print "Starting ssh-agent...\n";
    `ssh-agent > $ENV{HOME}/.ssh/.ssh-agent.csh`;
    findpid(1);
    }
    }
    findpid();

Slashdot Top Deals

"Joy is wealth and love is the legal tender of the soul." -- Robert G. Ingersoll

Close