
n3rd at Safe-mail
Aug 31, 2012, 6:18 AM
Re: How to detect if key ssh-add'ed with '-c' or without?
Damien, thank you for the fast response! OK, I will just keep a list of keys loaded with '-c' in some /tmp/file, and will correct it in process.

-------- Original Message --------
From: Damien Miller <djm [at] mindrot>
To: n3rd [at] Safe-mail
Cc: openssh-unix-dev [at] mindrot
Subject: Re: How to detect if key ssh-add'ed with '-c' or without?
Date: Fri, 31 Aug 2012 22:49:32 +1000 (EST)

> On Fri, 31 Aug 2012, n3rd [at] Safe-mail wrote:
>
> > Hi all. Some background: I'm using my own wrapper script for ssh that
> > deals with a multitude of IP addresses, user accounts, keys and other
> > ssh parameters for a bunch of managed hosts.
> >
> > On X session start I (actually, my script) load all my private keys
> > with 'ssh-add -c', to get confirmation on every key usage.
> >
> > This works badly with autossh, so I would like to add some logic: if I
> > specify to run autossh with some host/user/key, the script will reload
> > the private key without the -c option (asking me for the password). And maybe
> > at the end of the autossh session, reload the key back with 'ssh-add -c'.
> >
> > So, how can I detect if a key was loaded with the -c option or without?
>
> You can't, and you won't without a protocol extension to ssh-agent.
> At the moment the key query message and responses don't have fields
> to indicate whether any constraints were set. See PROTOCOL.agent
> in the OpenSSH source for details.
>
> It probably wouldn't be something that one would want to advertise to
> an attacker anyway, as stumbling over keys that require confirmation
> is the sort of thing that gives them away...
>
> > My last guess is such: before actually starting autossh it's possible to
> > set some small script as SSH_ASKPASS, try to use the key, and if that
> > script is launched, it means I need to reload the key without '-c'.
> > Ugly.
>
> Worse, it won't work - SSH_ASKPASS needs to be set for ssh-agent, not
> ssh-add. So you can't reset it easily like this.
>
> > PS: BTW there is also no way to get key expiration time (if set
> > with 'ssh-add -t').
>
> Same problem - expiration times are key constraints like confirm-required.
>
> -d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
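The bookkeeping n3rd settles on above, worked through as an added example that is not from the thread or from OpenSSH: a POSIX sh wrapper around ssh-add that records for each key whether it was loaded with '-c', answers that question later, and swaps a key to an unconstrained load for the duration of an autossh-style command before restoring the confirmation constraint. The state-file location, the SSH_ADD override variable and all function names are the example's own assumptions (key files are identified by path, assumed to contain no spaces). It keeps the record in a mode-0600 file under a private directory rather than a shared /tmp path, since, as Damien notes, which keys require confirmation is not something to expose to other users on the host.

```shell
#!/bin/sh
# Added example (not from the thread): remember which keys were loaded into
# ssh-agent with 'ssh-add -c', because the agent protocol cannot report
# constraints. The record is a 0600 file in a private directory, not a
# world-readable /tmp path. Assumptions: keys are named by path without
# spaces; SSH_ADD may point at a stand-in binary for dry runs.

SSH_ADD="${SSH_ADD:-ssh-add}"
STATE_DIR="${SSH_CONSTRAINT_DIR:-${XDG_RUNTIME_DIR:-$HOME/.cache}/ssh-agent-constraints}"
STATE_FILE="$STATE_DIR/modes"   # one "KEYPATH MODE" line per loaded key

init_state() {
    mkdir -p "$STATE_DIR"
    chmod 700 "$STATE_DIR"
    [ -f "$STATE_FILE" ] || : > "$STATE_FILE"
    chmod 600 "$STATE_FILE"
}

# record_mode KEY MODE -- remember that KEY is currently loaded as MODE,
# where MODE is "confirm" (ssh-add -c) or "plain" (bare ssh-add).
record_mode() {
    init_state
    awk -v k="$1" '$1 != k' "$STATE_FILE" > "$STATE_FILE.tmp"
    printf '%s %s\n' "$1" "$2" >> "$STATE_FILE.tmp"
    mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# key_mode KEY -- print "confirm", "plain", or "unknown" (never recorded).
key_mode() {
    init_state
    mode=$(awk -v k="$1" '$1 == k { print $2 }' "$STATE_FILE")
    printf '%s\n' "${mode:-unknown}"
}

# add_key KEY MODE -- load KEY into the agent with or without -c, then record it.
add_key() {
    case $2 in
        confirm) "$SSH_ADD" -c "$1" ;;
        plain)   "$SSH_ADD" "$1" ;;
        *) echo "add_key: mode must be confirm or plain" >&2; return 2 ;;
    esac && record_mode "$1" "$2"
}

# remove_key KEY -- unload KEY from the agent and forget its mode.
remove_key() {
    "$SSH_ADD" -d "$1" || return 1
    init_state
    awk -v k="$1" '$1 != k' "$STATE_FILE" > "$STATE_FILE.tmp"
    mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# with_plain_key KEY CMD... -- run CMD with KEY temporarily loaded without -c
# (the autossh case), then put the confirmation constraint back if it had one.
with_plain_key() {
    key=$1; shift
    before=$(key_mode "$key")
    if [ "$before" = confirm ]; then
        "$SSH_ADD" -d "$key" && add_key "$key" plain || return 1
    elif [ "$before" = unknown ]; then
        add_key "$key" plain || return 1
    fi
    "$@"
    status=$?
    if [ "$before" = confirm ]; then
        "$SSH_ADD" -d "$key" && add_key "$key" confirm
    fi
    return $status
}
```

Nothing here queries the agent: the file records what this wrapper itself did, so keys added outside it report "unknown", and the record goes stale if an `ssh-add -d` or an agent restart happens behind its back. Pointing SSH_ADD at `true` exercises the bookkeeping without a running agent.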