2013-07-23 22:46:09 +00:00
|
|
|
Currently the assistant sets up dedicated ssh keys, that can just use
|
|
|
|
git-annex. This is ok. The problem is that the initial 2 connections to the
|
|
|
|
ssh server when setting up these keys involve a password prompt, which is
|
|
|
|
done at the console unless the system happens to have a working ssh agent
|
|
|
|
that can pop up a dialog. That can be confusing.
|
|
|
|
|
|
|
|
It would be nice to have the webapp prompt for the password. Can it be done
|
|
|
|
securely?
|
|
|
|
|
|
|
|
This might come down to a simple change to the webapp to prompt for the
|
|
|
|
password, and then rather a lot of pain to make the webapp use HTTPS so we
|
|
|
|
can be pretty sure noone is sniffing the (localhost) connection.
|
2014-04-25 20:28:58 +00:00
|
|
|
|
|
|
|
## ssh-askpass approach
|
|
|
|
|
2014-04-26 22:58:06 +00:00
|
|
|
* If ssh-askpass is in PATH, or `SSH_ASKPASS` is set, do nothing.
|
|
|
|
(Unless webapp is run remotely.)
|
2014-04-25 20:28:58 +00:00
|
|
|
* Otherwise, have the assistant set `SSH_ASKPASS` to a command that will
|
|
|
|
cause the webapp to read the password and forward it on. Also, set
|
|
|
|
DISPLAY to ensure that ssh runs the program.
|
|
|
|
|
|
|
|
Looking at ssh.exe, I think this will even work on windows; it contains the
|
|
|
|
code to run ssh-askpass.
|
|
|
|
|
|
|
|
### securely handling the password
|
|
|
|
|
|
|
|
* Maybe force upgrade webapp to https? Locally, the risk would be that
|
|
|
|
root could tcpdump and read password, so not large risk. If webapp
|
2014-04-25 20:34:33 +00:00
|
|
|
is being accessed remotely, absolutely: require https.
|
2014-04-25 20:28:58 +00:00
|
|
|
* Use hs-securemem to store password.
|
|
|
|
* Avoid storing password for long. Erase it after webapp setup of remote
|
|
|
|
is complete. Time out after 10 minutes and erase it.
|
2014-04-25 20:34:33 +00:00
|
|
|
* Prompt using a html field name that does not trigger web browser password
|
|
|
|
saving if possible.
|
2014-04-25 20:28:58 +00:00
|
|
|
|
|
|
|
### ssh-askpass shim, and password forwarding
|
|
|
|
|
|
|
|
`SSH_ASKPASS` needs to be set to a program (probably git-annex)
|
|
|
|
which gets the password from the webapp, and outputs it to stdout.
|
|
|
|
|
|
|
|
Seems to call for the webapp and program to communicate over a local
|
|
|
|
socket (locked down so only user can access) or environment.
|
|
|
|
Environment is not as secure (easily snooped by root).
|
|
|
|
Local socket probably won't work on Windows.
|
|
|
|
|
|
|
|
Note that the webapp can probe to see if ssh needs a password, and can
|
|
|
|
prompt the user for it before running ssh and the ssh-askpass shim.
|
|
|
|
This avoids some complexity, and perhaps some attack vectors,
|
|
|
|
if the shim cannot requst an arbitrary password prompt.
|