n3rd at Safe-mail
Aug 31, 2012, 6:18 AM
Post #2 of 2
Damien, thank you for fast response!
Re: How to detect if key ssh-add'ed with '-c' or without?
[In reply to]
Ok, i will just keep list of keys loaded with '-c' in some /tmp/file, and will correct it in process.
-------- Original Message --------
From: Damien Miller <djm [at] mindrot>
To: n3rd [at] Safe-mail
Cc: openssh-unix-dev [at] mindrot
Subject: Re: How to detect if key ssh-add'ed with '-c' or without?
Date: Fri, 31 Aug 2012 22:49:32 +1000 (EST)
> On Fri, 31 Aug 2012, n3rd [at] Safe-mail wrote:
> > Hi all. Some background: I'm using my own wrapper script for ssh that
> > deals with multitude of IP addresses, user accounts, keys and other
> > ssh parameters for bunch of managed hosts.
> > On X session start i (actually, my script) load all my private keys
> > with 'ssh-add -c', to get confirmation on every key usage.
> > This works bad with autossh, so i would like to add some logic: if I
> > specify to run autossh with some host/user/key, the scipt will reload
> > the private key without -c option (asking me for password). And maybe
> > at the end of autossh session, reload the key back with 'ssh-add -c'.
> > So, how can i detect if key loaded with -c option or without?
> You can't, and you won't without a protocol extension to ssh-agent.
> At the moment the key query message and responses don't have fields
> to indicate whether any constraints were set. See PROTOCOL.agent
> in the OpenSSH source for details.
> It probably wouldn't be something that one would want to advertise to
> an attacker anyway, as stumbing over keys that require confirmation
> is the sort of thing that gives them away...
> > My last guess is such: before actually start autossh it's possible to
> > set some small script at SSH_ASKPASS, try to use the key, and if that
> > script is launched, it means i need to reload the key without '-c'.
> > Ugly.
> Worse, it won't work - SSH_ASKPASS needs to be set for ssh-agent, not
> ssh-add. So you can't reset it easily like this.
> > PS: BTW there is also no way to get key expiration time (if set
> > with 'ssh-add -t').
> Same problem - expiration times are key constrains like confirm-required.
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot