ssh-decrypt

Pawel Krupinski pak76_ml at yahoo.co.uk
Wed Nov 22 22:17:47 EST 2006


Hi,

Not sure if you had time to go through the code.
The changes I made to OpenSSH are rather limited: OpenSSH
is written in such a way that I didn't have to change
the communication channel between applications and
ssh-agent. Implementing ssh-decrypt was as easy as
establishing a new message, searching the keys and
decrypting using the private key.

As I said it was just a very quick PoC, but if it is
of interest to OpenSSH, I can develop it correctly
over the next few days and have it up and ready on
Monday.

One question regarding the interface. As ssh-agent can
have multiple keys, what would be the best way to
determine which one to use? Sending the public part?
Currently I'm trying out all keys and it is not the
best possible option...

Thanks,
pak76

--- Jason <openssh at lakedaemon.net> wrote:

> Pawel Krupinski wrote:
> [snip]
> > I'm using ssh-agent currently just to manage my keys
> > and practically they are used only to provide me with
> > SSO to other ssh-based systems. Why not use these keys
> > (or a separate ssh key pair) to protect passwords to
> > things such as a database?
> 
> TrueCrypt/dmcrypt volumes?
> 
> > To put it simply, the way I see it is as follows. Your
> > passwords (apart from your main ssh password) will be
> > stored encrypted using your ssh public key. After
> > logon, ssh-agent will be started and the relevant key(s)
> > added. When a script requires access to a
> > password, it will:
> > 1. Retrieve the data from somewhere (outside the
> > scope);
> > 2. Decrypt using the ssh utility (ssh-decrypt(?)) -
> > using ssh-agent or a file.
> > 3. Provide credentials back to the script. Or will create
> > the established connection to the database. Or
> > (anyway, I think it is outside the scope ;-)).
> >  
> > The bit that cannot be done currently is number 2 -
> > OpenSSH doesn't provide ssh-decrypt functionality, but
> > it is relatively easy to change it - I've played with
> > OpenSSH 4.4/4.4p1 and it took me one evening (sorry -
> > it was my first approach to OpenSSH as a developer
> > ;-)) and 50 lines of code to implement it (based on
> > the ssh-add tool, using ssh-agent for decryption). In
> > my solution, the ssh-decrypt tool sends the encrypted secret
> > to the ssh-agent, which decrypts it (without sending
> > any keys to the ssh-decrypt tool) and sends back just
> > error information or the plaintext password. 
> [snip]
> 
> > If it is something of interest for you, I can do all
> > the development and provide you with all the code.
> 
> Could you please email me the diff?
> 
> thx,
> 
> Jason.
> 
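Editor's note: the exchange described in this thread (ssh-decrypt sends ciphertext plus a key selector to the agent, the agent decrypts with a private key it never hands out, and returns either the plaintext or a failure) as an added, runnable model. This is not Pawel's patch, nor OpenSSH code. The agent framing (uint32 length, type byte), the RFC 4251 string/mpint encodings and the "ssh-rsa" public-blob layout are real; the message numbers SSH_AGENTC_DECRYPT and SSH_AGENT_DECRYPT_RESPONSE are assumed for this example, and the cipher is unpadded textbook RSA over a small fixed modulus, a stand-in for a padded scheme such as RSA-OAEP that must not be used for real secrets. The key is selected by sending the public blob, which is one answer to the question above.

```python
"""Toy model of an ssh-decrypt request to ssh-agent (added example, not OpenSSH code).

Real: agent framing, RFC 4251 string/mpint fields, "ssh-rsa" blob layout.
Assumed: the two decrypt message numbers; unpadded textbook RSA with fixed
Mersenne primes stands in for a padded scheme (not secure, illustration only).
"""
import struct

SSH_AGENT_FAILURE = 5            # real agent protocol value
SSH_AGENTC_DECRYPT = 30          # assumed: byte type, string key_blob, string ciphertext
SSH_AGENT_DECRYPT_RESPONSE = 31  # assumed: byte type, string plaintext


def put_string(b):
    return struct.pack(">I", len(b)) + b


def put_mpint(n):
    # RFC 4251 mpint: big-endian, with a leading 0x00 if the top bit is set
    return put_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def get_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:off + 4 + n], off + 4 + n


def get_mpint(buf, off):
    b, off = get_string(buf, off)
    return int.from_bytes(b, "big"), off


class ToyRSAKey:
    """Textbook RSA with fixed primes (constructed for the example; not secure)."""

    def __init__(self, p=2 ** 61 - 1, q=2 ** 31 - 1, e=65537):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))

    def public_blob(self):
        # Same layout as a real "ssh-rsa" blob: string type, mpint e, mpint n
        return put_string(b"ssh-rsa") + put_mpint(self.e) + put_mpint(self.n)

    def decrypt(self, ct):
        c = int.from_bytes(ct, "big")
        if c >= self.n:
            raise ValueError("ciphertext out of range for this key")
        m = pow(c, self.d, self.n)
        return m.to_bytes((m.bit_length() + 7) // 8, "big")


def encrypt_with_blob(pub_blob, secret):
    """Storing side: needs only the public blob, so the private key stays in the agent."""
    key_type, off = get_string(pub_blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("only ssh-rsa keys can decrypt")
    e, off = get_mpint(pub_blob, off)
    n, _ = get_mpint(pub_blob, off)
    m = int.from_bytes(secret, "big")
    if not 1 <= m < n:                 # no padding here; a real scheme would pad
        raise ValueError("secret does not fit this toy key")
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


class Agent:
    """Agent side: keeps the private keys and picks one by exact public-blob match."""

    def __init__(self, keys):
        self.keys = {k.public_blob(): k for k in keys}

    def handle(self, framed):
        failure = put_string(bytes([SSH_AGENT_FAILURE]))
        try:
            body, _ = get_string(framed, 0)
            if not body or body[0] != SSH_AGENTC_DECRYPT:
                return failure
            blob, off = get_string(body, 1)
            ct, _ = get_string(body, off)
            key = self.keys.get(blob)      # the blob in the request selects the key
            if key is None:
                return failure
            pt = key.decrypt(ct)
        except (ValueError, struct.error):
            return failure                 # malformed request or bad ciphertext
        return put_string(bytes([SSH_AGENT_DECRYPT_RESPONSE]) + put_string(pt))


def ssh_decrypt(agent, pub_blob, ct):
    """Client side (the proposed ssh-decrypt tool): plaintext on success, else None."""
    req = put_string(bytes([SSH_AGENTC_DECRYPT]) + put_string(pub_blob) + put_string(ct))
    body, _ = get_string(agent.handle(req), 0)
    if body[0] != SSH_AGENT_DECRYPT_RESPONSE:
        return None
    return get_string(body, 1)[0]


def demo():
    loaded, not_loaded = ToyRSAKey(), ToyRSAKey(p=2 ** 31 - 1, q=2 ** 19 - 1)
    agent = Agent([loaded])
    ct = encrypt_with_blob(loaded.public_blob(), b"db-pa55w0rd")   # 11 bytes < 92-bit n
    return {
        "ok": ssh_decrypt(agent, loaded.public_blob(), ct),
        "unknown_key": ssh_decrypt(agent, not_loaded.public_blob(), ct),
    }
```

One caveat that follows from the design rather than from this toy: the agent socket is the trust boundary, so any process that can reach it (including a forwarded agent on a remote host) can ask for decryption just as it can ask for signatures, which is why a decrypt request deserves the same confirmation or constraint controls as a sign request.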



		
___________________________________________________________ 
All New Yahoo! Mail – Tired of Vi at gr@! come-ons? Let our SpamGuard protect you. http://uk.docs.yahoo.com/nowyoucan.html


More information about the openssh-unix-dev mailing list