Re: Unable to use ssh-agent with confirmation, when logged in on a virtual terminal

> I mostly found this option mentioned in connection with agent forwarding,
> and that's the use case I have.
>
> The benefit being that no one can use the 'forwarded' key/identity, unless
> I confirm it. So me forwarding my identity to a server getting hacked does
> not compromise security.

I'm using the below script to prompt for confirmation when agent
forwarding. Please keep in mind the following disclaimer: I don't really
know what I'm doing. It works for me, but I don't fully understand all the
moving parts and that it works *for now* could just be a happy accident.

#!/bin/bash
set -o errexit
set -o nounset

# This script is useful when forwarding your agent to an untrusted
# server. It works without X.
#
# To use this script, export DISPLAY=FAKE
# SSH_ASKPASS=/path/to/this/script SSH_ASKPASS_TTY=$(tty)
# before you do eval `ssh-agent` (these variables should end up in the
# environment ssh-agent runs in).
# Then add keys to the agent with ssh-add -c /path/to/key
# ssh-agent will then call this script to ask you for confirmation
# when asked for that key.
#
# DISPLAY and SSH_ASKPASS must be set so this script will be called at
# all. Once we're in this script, it is not clear what terminal we
# should ask for confirmation on, since ssh-agent detaches from the tty.
# That's why we pass the tty in as an environment variable as well.
# With nounset, a missing SSH_ASKPASS_TTY makes the script die here with
# a non-zero status, i.e. the request is refused rather than approved.

# Connect stdin, stdout, and stderr to the tty
exec 0<"$SSH_ASKPASS_TTY"
exec 1>"$SSH_ASKPASS_TTY"
exec 2>"$SSH_ASKPASS_TTY"

# We're most likely being called when the tty is already in use by
# ssh, which changes tty settings.
# First set the tty to something sane, so we can ask for confirmation.
original_tty_settings=$(stty -g)
# Restore the tty settings that ssh was using on every exit path,
# including an early exit caused by errexit.
trap 'stty "$original_tty_settings" || true' EXIT
stty sane

# $@ is passed in from ssh-agent, and includes which key is being requested.
echo "$@"
# 5 second timeout. A timeout makes read return non-zero, which under
# errexit would abort the script; treat it as "no" instead so we fall
# through to the denial below (and the trap still restores the tty).
answer=""
read -r -t 5 answer || answer=""

# Zero exit status means we approve this authentication request.
if [[ "$answer" == "y" ]]; then
  exit 0
fi

exit 1
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev