ssh-decrypt
Pawel Krupinski
pak76_ml at yahoo.co.uk
Fri Nov 17 04:27:27 EST 2006
Seems that *.zip files are not accepted...
Let's try again.
Hi Jason,
Here you are. Actually there are two things there:
1. Three PoC files are:
- ssh-encrypt.c - copy of ssh-add.c with an extra
functionality
- diff.txt - differences in other files
- diffmake.txt - differences in the Makefile
Note: Please remember I wrote it as PoC, so please
don't shout too loud on the quality of my C!!!! Didn't
have time to make it properly. It was a quick check to
prove it can be done ;-)))
Definitely I will have to rewrite it.
2. file-ssh-encrypt.c & myssh.h are the first draft
version for encrypting secrets using ssh keys.
Currently they are using OpenSSH, but are not
integrated (different error handling etc). I
use it to encrypt secrets using keys from files.
I'm sending it as is - it is under development as we
speak, but hopefully quality is a bit better ;-)))
Give me a shout what you think, please.
Thanks,
- pak76
--- Jason <openssh at lakedaemon.net> wrote:
> Pawel Krupinski wrote:
> [snip]
> > I'm using ssh agent currently just to manage my
> keys
> > and practically they are used only to provide me
> with
> > SSO to other ssh based systems. Why not use these
> keys
> > (or a separate ssh key pair) to protect passwords
> to
> > things such as database?
>
> TrueCrypt/dmcrypt volumes?
>
> > To put it simple the way I see it is as follow.
> Your
> > passwords (apart from your main ssh password) will
> be
> > stored encrypted using your ssh public key. After
> > logon, ssh-agent will be started and relevant
> key(s)
> > added. When a script will require access to a
> > password, it will:
> > 1. Retrieve the data from somewhere (outside the
> > scope);
> > 2. Decrypt using the ssh utlity (ssh-decrypt(?)) -
> > using ssh-agent or a file.
> > 3. Provide credentials back to script. Or will
> create
> > the establised connection to the database. Or
> >
(anyway, I think it is outside the scope ;-)).
> >
> > The bit that cannot be done currently is number 2
> -
> > OpenSSH doesn't provide ssh-decrypt functionality,
> but
> > it is relatively easy to change it - I've played
> with
> > OpenSSH 4.4/4.4p1 and it took me one evening
> (sorry -
> > it was my first approach to OpenSSH as a developer
> > ;-)) and 50 lines of code to implement it (based
> on
> > the ssh-add tool using ssh-agent for decryption).
> In
> > my solution, ssh-decrypt tool sends encrypted
> secret
> > to the ssh-agent, which decrypts it (without
> sending
> > any keys to the ssh-decrypt tool) and sends back
> just
> > an error information or the plaintext password.
> [snip]
>
> > If it is something of interest for you, I can do
> all
> > the development and provide you with all the code.
>
> Could you please email me the diff?
>
> thx,
>
> Jason.
>
Send instant messages to your online friends http://uk.messenger.yahoo.com
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: file-ssh-encrypt.c
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20061116/611317af/attachment-0002.c
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: myssh.h
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20061116/611317af/attachment-0001.h
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: diffmake.txt
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20061116/611317af/attachment-0002.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ssh-encrypt.c
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20061116/611317af/attachment-0003.c
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: diff.txt
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20061116/611317af/attachment-0003.txt
More information about the openssh-unix-dev
mailing list