[PATCH] Caching passphrase in ssh-add.
David Woodhouse
dwmw2 at infradead.org
Mon Jan 8 09:03:58 EST 2001
The patch below does two things.
1. If invoked with no arguments, attempt to add both RSA and DSA keys.
2. Remember the last successful passphrase and attempt to use it on
subsequent key files which are added.
Note that the latter part of the patch extends the period of time during
which the passphrase is held in clear text in the ssh-add process, but
doesn't introduce any _new_ vulnerability.
If you're paranoid about an attacker being able to cause your ssh-add
process to core dump and/or reap your passphrase from it, then you
probably shouldn't be using ssh-agent at all.
Is the SSHv2 protocol fundamentally incapable of using RSA keys for
authentication, or is that (RSA on v2) a missing feature of OpenSSH?
Index: ssh-add.c
===================================================================
RCS file: /cvs/openssh_cvs/ssh-add.c,v
retrieving revision 1.28
diff -u -r1.28 ssh-add.c
--- ssh-add.c 2000/11/17 03:47:21 1.28
+++ ssh-add.c 2001/01/07 21:52:10
@@ -54,6 +54,8 @@
char *__progname;
#endif
+static char *last_passphrase = NULL;
+
void
delete_file(AuthenticationConnection *ac, const char *filename)
{
@@ -172,6 +174,10 @@
/* At first, try empty passphrase */
private = key_new(type);
success = load_private_key(filename, "", private, &comment);
+ if (!success && last_passphrase) {
+ /* Have passphrase from last key loaded */
+ success = load_private_key(filename, last_passphrase, private, &comment);
+ }
if (!success) {
printf("Need passphrase for %.200s\n", filename);
if (!interactive && askpass == NULL) {
@@ -193,13 +199,19 @@
return;
}
success = load_private_key(filename, pass, private, &comment);
+ if (success) {
+ if (last_passphrase) {
+ memset(last_passphrase, 0, strlen(last_passphrase));
+ xfree(last_passphrase);
+ }
+ last_passphrase = pass;
+ break;
+ }
memset(pass, 0, strlen(pass));
xfree(pass);
- if (success)
- break;
strlcpy(msg, "Bad passphrase, try again", sizeof msg);
}
- }
+ }
xfree(comment);
if (ssh_add_identity(ac, private, saved_comment))
fprintf(stderr, "Identity added: %s (%s)\n", filename, saved_comment);
@@ -296,6 +308,16 @@
delete_file(ac, buf);
else
add_file(ac, buf);
+
+ snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, SSH_CLIENT_ID_DSA);
+ if (deleting)
+ delete_file(ac, buf);
+ else
+ add_file(ac, buf);
+ }
+ if (last_passphrase) {
+ memset(last_passphrase, 0, strlen(last_passphrase));
+ xfree(last_passphrase);
}
ssh_close_authentication_connection(ac);
exit(0);
--
dwmw2
More information about the openssh-unix-dev
mailing list