mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions
git-annex/doc/design/assistant/sshpassword.mdwn
Joey Hess 79cf404e75 support being run by ssh as ssh-askpass replacement 
To use, set GIT_ANNEX_SSHASKPASS to point to a fifo or regular file
(FIFO is better, avoids touching disk or multiple readers) that contains
the password. Then set SSH_ASKPASS=git-annex, and when ssh runs it, it will
tell ssh the password.

This is not yet used..
2014-04-29 18:08:10 -04:00

49 lines
2.2 KiB
Markdown
Raw Blame History

Currently the assistant sets up dedicated ssh keys, that can just use
git-annex. This is ok. The problem is that the initial 2 connections to the
ssh server when setting up these keys involve a password prompt, which is
done at the console unless the system happens to have a working ssh agent
that can pop up a dialog. That can be confusing.
It would be nice to have the webapp prompt for the password. Can it be done
securely?
This might come down to a simple change to the webapp to prompt for the
password, and then rather a lot of pain to make the webapp use HTTPS so we
can be pretty sure noone is sniffing the (localhost) connection.
## ssh-askpass approach
* If ssh-askpass is in PATH, or `SSH_ASKPASS` is set, do nothing.
(Unless webapp is run remotely.)
* Otherwise, have the assistant set `SSH_ASKPASS` to a command that will
cause the webapp to read the password and forward it on. Also, set
DISPLAY to ensure that ssh runs the program.
Looking at ssh.exe, I think this will even work on windows; it contains the
code to run ssh-askpass.
### securely handling the password
* Maybe force upgrade webapp to https? Locally, the risk would be that
root could tcpdump and read password, so not large risk. If webapp
is being accessed remotely, absolutely: require https.
* Use hs-securemem to store password.
* Avoid storing password for long. Erase it after webapp setup of remote
is complete. Time out after 10 minutes and erase it.
* Prompt using a html field name that does not trigger web browser password
saving if possible.
### ssh-askpass shim, and password forwarding
`SSH_ASKPASS` needs to be set to a program (probably git-annex)
which gets the password from the webapp, and outputs it to stdout.
Seems to call for the webapp and program to communicate over a local
socket (locked down so only user can access) or environment.
Environment is not as secure (easily snooped by root).
Local socket probably won't work on Windows. Could just use a temp file.
Note that the webapp can probe to see if ssh needs a password, and can
prompt the user for it before running ssh and the ssh-askpass shim.
This avoids some complexity, and perhaps some attack vectors,
if the shim cannot requst an arbitrary password prompt.
Reference in a new issue View git blame Copy permalink