ssh could have a grace period a la sudo
Darren Tucker
dtucker at zip.com.au
Sun Aug 30 23:22:02 EST 2009
Dave Yost wrote:
> Hi.
>
> It would be nice to be able to configure sshd so that the following
> would work:
>
> After a successful password-authenticated connection from client user x
> on client host y, subsequent connections from client user x on client
> host y within a (resetting) time limit would succeed without
> re-authenticating via password.
There's already the capability for doing the first part of this in the
client, where an existing connection can be reused without
reauthentication. See ControlMaster and ControlPath in ssh_config(5).
In fact, if you're willing to write a little program, you can probably
(ab)use LocalCommand to get the keepalive/timeout behaviour you want.
It just needs to touch the control socket at startup, then wait for the
socket to either become older than the timeout (at which point it's
deleted) or removed (because another instance deleted it).
Consider the following ~/.ssh/config:

    Host foo
        ControlMaster auto
        ControlPath ~/.ssh/%r@%h:%p
        PermitLocalCommand yes
        LocalCommand ~/bin/timeout_controlpath ~/.ssh/%r@%h:%p 60 &
and a ~/bin/timeout_controlpath that looks like:

    #!/usr/bin/perl
    # Usage: timeout_controlpath <ControlPath socket> <timeout in seconds>
    use strict;
    use warnings;

    my ($path, $timeout) = @ARGV;
    utime undef, undef, $path;    # update mtime: each new connection resets the timer

    while (sleep 1) {
        my $age = (stat($path))[9] || exit;    # mtime; socket removed -> nothing to do
        if ($age + $timeout < time) {
            unlink $path;                      # idle longer than timeout: drop the socket
            exit;
        }
    }
> Perhaps this would be achieved by sshd sending the client ssh a key that
> the client would save in a file in its .ssh folder, to be used for
> authentication on subsequent connections. After a timeout (which resets
> on re-use), sshd would no longer accept this key. If the client tries
> and fails to authenticate with this cached key, the client deletes the
> stored-key file.
That would require a protocol extension and seems kinda dangerous. It
also wouldn't work if the client was configured to only try password
authentication.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
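An added example, not Darren's script and not part of OpenSSH: the same ControlPath watcher in Python, with the expiry decision in a function that takes an explicit clock so it can be tested without a live ssh session, and tolerant of two watcher instances (one per connection) racing to remove the same socket. The path and timeout arguments mirror the Perl script above; the function names are this example's own.

```python
import os
import sys
import time


def touch(path, now=None):
    """Reset the idle timer by updating the socket's mtime (the utime step)."""
    now = time.time() if now is None else now
    os.utime(path, (now, now))


def check_socket(path, timeout, now=None):
    """Decide what to do with the ControlPath socket at one tick.

    Returns 'gone' if the socket no longer exists (another watcher or ssh
    itself removed it), 'expired' if its mtime is older than `timeout`
    seconds (the socket is unlinked), otherwise 'alive'.
    Works on any path; a regular file behaves like the socket here.
    """
    now = time.time() if now is None else now
    try:
        mtime = os.stat(path).st_mtime
    except FileNotFoundError:
        return "gone"
    if mtime + timeout < now:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass  # lost the race with a sibling watcher; same outcome
        return "expired"
    return "alive"


def watch(path, timeout, interval=1):
    """Touch the socket, then poll until it expires or disappears."""
    touch(path)
    while True:
        time.sleep(interval)
        if check_socket(path, timeout) != "alive":
            return


if __name__ == "__main__":
    # e.g. LocalCommand ~/bin/timeout_controlpath.py ~/.ssh/%r@%h:%p 60 &
    watch(sys.argv[1], int(sys.argv[2]))
```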