Dumping Keys under certain conditions (Re: ssh-agent too easy to hack)

Tim McGarry tim at mcgarry.ch
Fri Jan 18 09:17:19 EST 2002


I often tunnel through SSH to vnc, so dumping the keys on disconnect is more
interesting than looking for a screensaver. I've decided whether to get SSHD
(if given the environment required to contact ssh-agent) to tell the agent to
dump the keys when the forwarded port is closed. The other alternative is to
make the change in the vnc server.


----- Original Message -----
From: "Andrew Stribblehill" <a.d.stribblehill at durham.ac.uk>
To: <openssh-unix-dev at mindrot.org>
Sent: Thursday, January 17, 2002 3:56 PM
Subject: Re: ssh-agent too easy to hack


> Quoting Pekka Savola <pekkas at netcore.fi>:
> > Me, for example, always xlock my workstation even if I go to talk to my
> > colleagues nearby.  If sufficient care is observed, the time periods
> > should be usably long.
>
> Of course, if you're using xscreensaver, the following script helps:
>
> #!/usr/bin/perl -w
> #
> # screenwatch. Watches xscreensaver and drops keys when screen blanks.
> # Adds the default key on unblank.
> #
> # Typical usage: Put this command in your .xsession
> #
> # BUGS: Only adds the default key, not all the keys that it had before.
> #       [Matter-of-taste] Drops keys on both blank and lock.
>
> use strict;
> use POSIX 'setsid';
>
> sub daemonise {
>     chdir '/' or die "Can't chdir to /: $!";
>     open STDIN, '/dev/null' or die "Can't read /dev/null: $!";
>     open STDOUT, '>/dev/null' or die "Can't write to /dev/null: $!";
>     defined(my $pid = fork) or die "Can't fork: $!";
>     exit if $pid;
>     setsid or die "Can't start a new session: $!";
>     open STDERR, '>&STDOUT' or die "Can't dup stdout: $!";
> }
>
> daemonise();
> my $blanked = 0;
> open (IN, "/usr/bin/X11/xscreensaver-command -watch |")
>     or die "Can't run xscreensaver-command: $!";
> while (<IN>) {
>     if (m/^(BLANK|LOCK)/) {
>         if (!$blanked) {
>             system("/usr/bin/ssh-add -D");
>             $blanked = 1;
>         }
>     } elsif (m/^UNBLANK/) {
>         system("ssh-add");
>         $blanked = 0;
>     }
> }
>
>
> I can't remember who wrote that, but it doesn't look like my code.
>
> --
> MALIN HEBRIDES BAILEY
> WEST OR SOUTHWEST 5 OR 6 BACKING SOUTH OR SOUTHEAST 7 OR GALE 8,
> PERHAPS SEVERE GALE 9 LATER. SQUALLY SHOWERS THEN RAIN. GOOD
> BECOMING MODERATE
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
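The session-scoped variant Tim describes (drop the agent's keys when the tunnelled session ends rather than when the screen blanks) can be done on the client side without touching sshd or the vnc server. The following wrapper is an added example, not code from either message; it assumes an ssh-agent is already running with SSH_AUTH_SOCK exported, and the SSH_ADD variable (an assumption for this example) lets a test substitute a stub for the real ssh-add.

```shell
#!/bin/sh
# Run a command (typically an ssh session carrying a forwarded port) and
# make sure the agent's identities are dropped once it exits, however it
# exits. Assumes ssh-agent is running and SSH_AUTH_SOCK is set.
# SSH_ADD (assumed name, not an OpenSSH variable) may be overridden to
# point at another ssh-add binary or a shell function for testing.

SSH_ADD="${SSH_ADD:-ssh-add}"

# Forget every identity the agent holds (ssh-add -D).
drop_keys() {
    "$SSH_ADD" -D
}

# Load the default identity (ssh-add with no arguments).
add_default_key() {
    "$SSH_ADD"
}

# run_with_keys COMMAND [ARGS...]
# Loads the default key, runs COMMAND, then drops all keys. Keys are also
# dropped if the shell is interrupted (INT/TERM/HUP) while COMMAND runs.
# Returns COMMAND's exit status so callers can still see how it ended.
run_with_keys() {
    add_default_key || return $?
    trap 'drop_keys; exit 130' INT TERM HUP
    "$@"
    rc=$?
    trap - INT TERM HUP
    drop_keys
    return "$rc"
}

# Example (not run automatically): tunnel VNC over ssh. When the ssh
# session, and with it the forwarded port, is closed, the keys vanish.
#   run_with_keys ssh -N -L 5901:localhost:5901 user@host
```

Because the keys are dropped after the tunnel command returns, the agent is empty for the whole time the session is not in use, which is the window the thread is worried about.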