[PATCH] Caching passphrase in ssh-add.

David Woodhouse dwmw2 at infradead.org
Mon Jan 8 09:03:58 EST 2001


The patch below does two things.

 1. If invoked with no arguments, attempt to add both RSA and DSA keys.
 2. Remember the last successful passphrase and attempt to use it on
	subsequent key files which are added.

Note that the second part of the patch extends the period during which the
passphrase is held in clear text in the ssh-add process (for the rest of the
run, rather than only until the key it unlocks has been loaded), but it doesn't
introduce any _new_ vulnerability: the same secret was already in that
process's memory.

If you're paranoid about an attacker being able to cause your ssh-add
process to core dump and/or reap your passphrase from it, then you
probably shouldn't be using ssh-agent at all.

Is the SSHv2 protocol fundamentally incapable of using RSA keys for
authentication, or is that (RSA on v2) a missing feature of OpenSSH?

Index: ssh-add.c
===================================================================
RCS file: /cvs/openssh_cvs/ssh-add.c,v
retrieving revision 1.28
diff -u -r1.28 ssh-add.c
--- ssh-add.c	2000/11/17 03:47:21	1.28
+++ ssh-add.c	2001/01/07 21:52:10
@@ -54,6 +54,8 @@
 char *__progname;
 #endif

+static char *last_passphrase = NULL;
+
 void
 delete_file(AuthenticationConnection *ac, const char *filename)
 {
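Review bot: The new file-scope `static char *last_passphrase = NULL;` carries no comment saying what it holds or who owns it, and since it keeps a secret alive for the rest of the process a maintainer should not have to read add_file and main to find out; I would add `/* Passphrase that unlocked the most recently loaded key, retried on later keys; heap-allocated, zeroed and freed when replaced and before exit. */` above the declaration. Nothing else in this hunk changes, so this is documentation only.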
@@ -172,6 +174,10 @@
 	/* At first, try empty passphrase */
 	private = key_new(type);
 	success = load_private_key(filename, "", private, &comment);
+	if (!success && last_passphrase) {
+		/* Have passphrase from last key loaded */
+		success = load_private_key(filename, last_passphrase, private, &comment);
+	}
 	if (!success) {
 		printf("Need passphrase for %.200s\n", filename);
 		if (!interactive && askpass == NULL) {
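Review bot: The comment `/* Have passphrase from last key loaded */` on the new retry describes the state rather than the intent; `/* Retry with the passphrase that unlocked the previous key, so one prompt can cover several keys sharing it. */` says why the second load_private_key call is there. The retry reuses `private` after a failed load exactly as the pre-existing prompt loop below already does, so no new assumption is introduced. add_file begins before this hunk.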
@@ -193,13 +199,19 @@
 				return;
 			}
 			success = load_private_key(filename, pass, private, &comment);
+			if (success) {
+				if (last_passphrase) {
+					memset(last_passphrase, 0, strlen(last_passphrase));
+					xfree(last_passphrase);
+				}
+				last_passphrase = pass;
+				break;
+			}
 			memset(pass, 0, strlen(pass));
 			xfree(pass);
-			if (success)
-				break;
 			strlcpy(msg, "Bad passphrase, try again", sizeof msg);
 		}
-	}
+	}
 	xfree(comment);
 	if (ssh_add_identity(ac, private, saved_comment))
 		fprintf(stderr, "Identity added: %s (%s)\n", filename, saved_comment);
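Review bot: The `memset(last_passphrase, 0, strlen(last_passphrase));` added in the success branch is a store to memory that is freed on the very next line, which an optimizing compiler is entitled to eliminate as dead, so the old passphrase may survive in the freed heap chunk; the pre-existing `memset(pass, 0, strlen(pass));` just below has the same weakness, and the usual remedy is a wipe the compiler cannot elide (a `volatile unsigned char *` loop, or `explicit_bzero` where available) in one small `static void clear_pass(char *p)` helper used by both sites. The hand-off `last_passphrase = pass;` followed by `break;` is correct because the `xfree(pass)` after the block is skipped, but a one-line comment such as `/* ownership of pass moves to last_passphrase */` would make the skipped free look deliberate rather than like a leak. add_file begins before this hunk.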
@@ -296,6 +308,16 @@
 			delete_file(ac, buf);
 		else
 			add_file(ac, buf);
+
+		snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, SSH_CLIENT_ID_DSA);
+		if (deleting)
+			delete_file(ac, buf);
+		else
+			add_file(ac, buf);
+	}
+	if (last_passphrase) {
+		memset(last_passphrase, 0, strlen(last_passphrase));
+		xfree(last_passphrase);
 	}
 	ssh_close_authentication_connection(ac);
 	exit(0);
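Review bot: The zero-and-free of `last_passphrase` before `ssh_close_authentication_connection(ac)` runs only on this `exit(0)` path; main begins outside the hunk so I cannot see the other paths, but any `exit()` reached after a key has been loaded would leave the cached passphrase unwiped, and registering the cleanup with `atexit()` or calling one `static void clear_pass(void)` from every exit would close that. The same four-line wipe sequence now appears here and in add_file; folding both into that helper keeps them from drifting apart. Separately, with no arguments ssh-add now tries both the RSA identity and the new `SSH_CLIENT_ID_DSA` path unconditionally, so a user who has only one of the two files will presumably see an error for the missing one on every run; a `stat()` check that skips a default file which does not exist would avoid that noise.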

-- 
dwmw2






