pak76_ml at yahoo.co.uk
Wed Nov 22 22:17:47 EST 2006
Not sure if you had time to go through the code.
Changes I did to OpenSSH are rather limited - OpenSSH
is written in such a way that I didn't have to change
communication channel between applications and
ssh-agent. Implementation of the ssh-decrypt was as
easy as establishing a new message, searching the keys
and decrypting using the private key.
As I said it was just a very quick PoC, but if it is
of interest to OpenSSH, I can develop it correctly
over the next few days and have it up and ready on
One question regarding the interface. As ssh-agent can
have multiple keys, what would be the best way to
determine which one to use? Sending the public part?
Currently I'm trying out all keys and it is not the
best possible option...
--- Jason <openssh at lakedaemon.net> wrote:
> Pawel Krupinski wrote:
> > I'm using ssh agent currently just to manage my
> > and practically they are used only to provide me
> > SSO to other ssh based systems. Why not use these
> > (or a separate ssh key pair) to protect passwords
> > things such as database?
> TrueCrypt/dmcrypt volumes?
> > To put it simple the way I see it is as follow.
> > passwords (apart from your main ssh password) will
> > stored encrypted using your ssh public key. After
> > logon, ssh-agent will be started and relevant
> > added. When a script will require access to a
> > password, it will:
> > 1. Retrieve the data from somewhere (outside the
> > scope);
> > 2. Decrypt using the ssh utility (ssh-decrypt(?)) -
> > using ssh-agent or a file.
> > 3. Provide credentials back to script. Or will
> > the established connection to the database. Or
> > (anyway, I think it is outside the scope ;-)).
> > The bit that cannot be done currently is number 2
> > OpenSSH doesn't provide ssh-decrypt functionality,
> > it is relatively easy to change it - I've played
> > OpenSSH 4.4/4.4p1 and it took me one evening
> (sorry -
> > it was my first approach to OpenSSH as a developer
> > ;-)) and 50 lines of code to implement it (based
> > the ssh-add tool using ssh-agent for decryption).
> > my solution, ssh-decrypt tool sends encrypted
> > to the ssh-agent, which decrypts it (without
> > any keys to the ssh-decrypt tool) and sends back
> > an error information or the plaintext password.
> > If it is something of interest for you, I can do
> > the development and provide you with all the code.
> Could you please email me the diff?
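The flow described in the quoted proposal (a password stored encrypted to an ssh public key, a client that hands the ciphertext to the agent, and the agent decrypting without ever releasing a private key), together with the open question of how the client should say which of several loaded keys to use, can be shown end to end with an in-process stand-in for the agent. The code below is an added example, not Pawel's patch and not OpenSSH code. It assumes: RSA keys, RSA-OAEP with SHA-256 as the encryption scheme (the page does not say which padding the PoC used), a key fingerprint computed as SHA-256 over the PKIX encoding of the public key (OpenSSH fingerprints the SSH wire encoding, so real fingerprints would differ), and a made-up OAEP label `ssh-decrypt`. The `Agent`, `Seal` and `RoundTrip` names are hypothetical. The point it demonstrates is that sending a fingerprint with the ciphertext lets the agent pick the right key directly instead of trying every key in turn.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// oaepLabel is a constructed label; encrypt and decrypt must agree on it.
var oaepLabel = []byte("ssh-decrypt")

// Fingerprint identifies a loaded key. ASSUMPTION: SHA-256 over the PKIX
// encoding; OpenSSH computes fingerprints over the SSH wire encoding instead.
func Fingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// Agent is a hypothetical stand-in for ssh-agent holding several private
// keys. Keys never leave it; callers get plaintext or an error, nothing else.
type Agent struct {
	keys map[string]*rsa.PrivateKey
}

func NewAgent() *Agent { return &Agent{keys: map[string]*rsa.PrivateKey{}} }

// AddKey plays the role of ssh-add: load a private key, index it by fingerprint.
func (a *Agent) AddKey(k *rsa.PrivateKey) (string, error) {
	fp, err := Fingerprint(&k.PublicKey)
	if err != nil {
		return "", err
	}
	a.keys[fp] = k
	return fp, nil
}

// Decrypt is the hypothetical new agent request: the ciphertext plus the
// fingerprint of the key it was encrypted to. Looking the key up by
// fingerprint replaces trying every loaded key.
func (a *Agent) Decrypt(fp string, ciphertext []byte) ([]byte, error) {
	k, ok := a.keys[fp]
	if !ok {
		return nil, errors.New("agent: no key with fingerprint " + fp)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k, ciphertext, oaepLabel)
}

// Seal is the storage-time step: encrypt the secret to the user's public key
// and record which key was used so the client can name it later.
func Seal(pub *rsa.PublicKey, secret []byte) (fp string, ciphertext []byte, err error) {
	fp, err = Fingerprint(pub)
	if err != nil {
		return "", nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, oaepLabel)
	return fp, ciphertext, err
}

// RoundTrip loads two keys into the agent, seals a constructed sample
// password to the second one, and asks the agent to decrypt it by fingerprint.
func RoundTrip() (string, error) {
	agent := NewAgent()
	var pubs []*rsa.PublicKey
	for i := 0; i < 2; i++ {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return "", err
		}
		if _, err := agent.AddKey(k); err != nil {
			return "", err
		}
		pubs = append(pubs, &k.PublicKey)
	}
	// Constructed sample secret standing in for a database password.
	fp, ct, err := Seal(pubs[1], []byte("db-password-example"))
	if err != nil {
		return "", err
	}
	pt, err := agent.Decrypt(fp, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	pw, err := RoundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("recovered:", pw)
}
```

One design consequence worth keeping in mind: an agent that answers decrypt requests is a decryption oracle for every process that can reach its socket, exactly as it is already a signing oracle today, so the socket permissions and any agent forwarding define who can read the stored passwords, not the file they are stored in.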