Jason openssh at
Fri Nov 17 02:10:50 EST 2006

Pawel Krupinski wrote:
> I'm using ssh agent currently just to manage my keys
> and practically they are used only to provide me with
> SSO to other ssh based systems. Why not use these keys
> (or a separate ssh key pair) to protect passwords to
> things such as database? 

TrueCrypt/dmcrypt volumes?

> To put it simply, the way I see it is as follows. Your
> passwords (apart from your main ssh password) will be
> stored encrypted using your ssh public key. After
> logon, ssh-agent will be started and relevant key(s)
> added. When a script will require access to a
> password, it will:
> 1. Retrieve the data from somewhere (outside the
> scope);
> 2. Decrypt using the ssh utility (ssh-decrypt(?)) -
> using ssh-agent or a file.
> 3. Provide credentials back to script. Or will create
> the established connection to the database. Or
> …(anyway, I think it is outside the scope ;-)).
> The bit that cannot be done currently is number 2 -
> OpenSSH doesn't provide ssh-decrypt functionality, but
> it is relatively easy to change it - I've played with
> OpenSSH 4.4/4.4p1 and it took me one evening (sorry -
> it was my first approach to OpenSSH as a developer
> ;-)) and 50 lines of code to implement it (based on
> the ssh-add tool using ssh-agent for decryption). In
> my solution, ssh-decrypt tool sends encrypted secret
> to the ssh-agent, which decrypts it (without sending
> any keys to the ssh-decrypt tool) and sends back just
> an error information or the plaintext password. 

> If it is something of interest for you, I can do all
> the development and provide you with all the code.

Could you please email me the diff?
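The scheme quoted above (a password encrypted to an ssh public key, with the private key held by the agent so that the client only ever sees ciphertext and gets back either plaintext or an error) as an added example; this is not Pawel's patch and not OpenSSH code. It assumes the Python `cryptography` package, generates the RSA key pair inline instead of reading `~/.ssh`, and models ssh-agent as an in-process object rather than talking to an agent socket. It also checks the caveat the design implies: only RSA ssh keys can decrypt, so an ed25519 key is rejected at encryption time.

```python
"""Toy model of 'encrypt a password to an ssh public key, decrypt via the agent'.

Added example, not code from the thread or from OpenSSH. Assumes the
`cryptography` package; keys are generated inline and the agent is a
stand-in Python object (hypothetical `ToyAgent`).
"""
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa

# RSA-OAEP with SHA-256; the same parameters are used on both sides.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def generate_openssh_keypair(bits: int = 2048):
    """Produce what ssh-keygen would: an OpenSSH-format private key and
    an 'ssh-rsa AAAA...' public key line (constructed here, not read from disk)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    priv_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.OpenSSH,
        serialization.NoEncryption(),
    )
    pub_line = key.public_key().public_bytes(
        serialization.Encoding.OpenSSH, serialization.PublicFormat.OpenSSH
    )
    return priv_pem, pub_line


def generate_ed25519_pubkey_line() -> bytes:
    """An 'ssh-ed25519 AAAA...' line, used to show that signature-only
    key types cannot take part in this scheme."""
    key = ed25519.Ed25519PrivateKey.generate()
    return key.public_key().public_bytes(
        serialization.Encoding.OpenSSH, serialization.PublicFormat.OpenSSH
    )


def encrypt_to_ssh_pubkey(pub_line: bytes, secret: bytes) -> bytes:
    """Storage side: encrypt the password to the user's ssh public key.
    Only RSA keys support encryption; ed25519/ecdsa ssh keys are signing-only."""
    pub = serialization.load_ssh_public_key(pub_line)
    if not isinstance(pub, rsa.RSAPublicKey):
        raise TypeError("only RSA ssh keys can encrypt; got " + type(pub).__name__)
    return pub.encrypt(secret, OAEP)


class ToyAgent:
    """Stand-in for ssh-agent: holds the private key, answers decrypt
    requests, and never hands the key material to the caller."""

    def __init__(self, priv_pem: bytes):
        self._key = serialization.load_ssh_private_key(priv_pem, password=None)

    def decrypt(self, ciphertext: bytes):
        """Return (plaintext, None) on success or (None, error_message) on
        failure, mirroring 'just an error information or the plaintext'."""
        try:
            return self._key.decrypt(ciphertext, OAEP), None
        except ValueError as exc:  # wrong key or tampered ciphertext
            return None, "decryption failed: " + str(exc)


def ssh_decrypt(agent: ToyAgent, blob: bytes):
    """Client side (the hypothetical ssh-decrypt tool): it only has the
    ciphertext and whatever the agent chooses to return."""
    return agent.decrypt(blob)


if __name__ == "__main__":
    priv, pub = generate_openssh_keypair()
    blob = encrypt_to_ssh_pubkey(pub, b"db-password")
    agent = ToyAgent(priv)
    print(ssh_decrypt(agent, blob))                  # (b'db-password', None)
    print(ssh_decrypt(agent, blob[:-1] + b"\x00"))   # (None, 'decryption failed: ...')
```

The separation of `ToyAgent` from `ssh_decrypt` is the point of the design: a compromised script gets plaintext for the secrets it asks about, not the key. It also shows the residual risk a defender should weigh: anything that can reach the agent can ask it to decrypt every stored secret, so the scheme is only as strong as access control on the agent socket (and a per-request confirmation, as `ssh-add -c` gives for signing, would be the natural mitigation).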



More information about the openssh-unix-dev mailing list