ssh could have a grace period a la sudo

Darren Tucker dtucker at zip.com.au
Sun Aug 30 23:22:02 EST 2009


Dave Yost wrote:
> Hi.
> 
> It would be nice to be able to configure sshd so that the following 
> would work:
> 
> After a successful password-authenticated connection from client user x 
> on client host y, subsequent connections from client user x on client 
> host y within a (resetting) time limit would succeed without 
> re-authenticating via password.

There's already the capability for doing the first part of this in the 
client, where an existing connection can be reused without 
reauthentication.  See ControlMaster and ControlPath in ssh_config(5).

In fact, if you're willing to write a little program, you can probably 
(ab)use LocalCommand to get the keepalive/timeout behaviour you want. 
It just needs to touch the control socket at startup, then wait for the 
socket to either become older than the timeout (at which point it's 
deleted) or removed (because another instance deleted it).

Consider the following ~/.ssh/config

Host foo
   ControlMaster auto
   ControlPath ~/.ssh/%r@%h:%p
   PermitLocalCommand yes
   LocalCommand ~/bin/timeout_controlpath ~/.ssh/%r@%h:%p 60 &

and a ~/bin/timeout_controlpath that looks like:

#!/usr/bin/perl
# Usage: timeout_controlpath <control-socket-path> <timeout-seconds>
# Touch the control socket on startup, then remove it once it has sat
# idle for longer than the timeout (or exit if something else removed it).
use strict;
use warnings;

my ($path, $timeout) = @ARGV;
utime undef, undef, $path;  # update mtime to "now" (resets the timer)
while (sleep 1) {
   my $mtime = (stat($path))[9] or exit;  # socket removed: nothing to do
   if ($mtime + $timeout < time) {
     unlink $path;  # expired: drop the socket so the next ssh re-authenticates
     exit;
   }
}

> Perhaps this would be achieved by sshd sending the client ssh a key that 
> the client would save in a file in its .ssh folder, to be used for 
> authentication on subsequent connections. After a timeout (which resets 
> on re-use), sshd would no longer accept this key. If the client tries 
> and fails to authenticate with this cached key, the client deletes the 
> stored-key file.

That would require a protocol extension and seems kinda dangerous.  It 
also wouldn't work if the client was configured to only try password 
authentication.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
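Added note, not part of Darren Tucker's message or the OpenSSH sources: OpenSSH 5.6 and later ship a ControlPersist option that gives the idle-timeout half of this directly in the client, so the LocalCommand watcher above is only needed on older releases. The ~/.ssh/config fragment below is an illustrative example; the host aliases "foo" and "foo-nopersist" and the 60-second timeout are assumptions, and every directive used is documented in ssh_config(5).

```sshconfig
# Added example, not from the original thread. Host aliases and the
# 60-second timeout are assumed values.

# Without ControlPersist: the master only lives as long as the first
# session, so the "grace period" ends the moment that session exits and
# the next ssh has to authenticate again.
Host foo-nopersist
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p

# With ControlPersist: the master stays in the background after the first
# session closes and is torn down once it has had no client sessions for
# 60 seconds; the idle clock only runs while nothing is using the socket,
# so the timeout effectively resets on each use.  No LocalCommand watcher
# is needed.
Host foo
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 60
```

`ssh -O check foo` reports whether a master is currently running for that host, and `ssh -O exit foo` ends the grace period early by telling the master to exit. Keep the directory holding the control socket private (the usual 0700 on ~/.ssh): anyone who can connect to that socket gets a session on the remote host as you, without authenticating.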


More information about the openssh-unix-dev mailing list