65 lines
2.8 KiB
Markdown
65 lines
2.8 KiB
Markdown
Currently the assistant sets up dedicated ssh keys, that can just use
|
|
git-annex. This is ok. The problem is that the initial 2 connections to the
|
|
ssh server when setting up these keys involve a password prompt, which is
|
|
done at the console unless the system happens to have a working ssh agent
|
|
that can pop up a dialog. That can be confusing.
|
|
|
|
It would be nice to have the webapp prompt for the password. Can it be done
|
|
securely?
|
|
|
|
This might come down to a simple change to the webapp to prompt for the
|
|
password, and then rather a lot of pain to make the webapp use HTTPS so we
|
|
can be pretty sure noone is sniffing the (localhost) connection.
|
|
|
|
## ssh-askpass approach
|
|
|
|
* If ssh-askpass is in PATH, or `SSH_ASKPASS` is set, do nothing.
|
|
(Unless webapp is run remotely.)
|
|
XXX not currently done; the UI would need to omit the password entry
|
|
fields in this case.
|
|
* Otherwise, have the assistant set `SSH_ASKPASS` to a command that will
|
|
cause the webapp to read the password and forward it on. Also, set
|
|
DISPLAY to ensure that ssh runs the program. **done**
|
|
|
|
Looking at ssh.exe, I think this will even work on Windows; it contains the
|
|
code to run ssh-askpass. (It does work on Windows!)
|
|
|
|
### securely handling the password
|
|
|
|
* Maybe force upgrade webapp to https? Locally, the risk would be that
|
|
root could tcpdump and read password, so not large risk. If webapp
|
|
is being accessed remotely, absolutely: require https.
|
|
* Use hs-securemem to store password.
|
|
* Avoid storing password for long. Erase it after webapp setup of remote
|
|
is complete. Time out after 10 minutes and erase it. **done**
|
|
* If the user is slow, the cached ssh key can exire before they finish.
|
|
This results in ssh being given no password, and failing. The UI
|
|
now detects this and suggests the user retry. **done**
|
|
* Prompt using a html field name that does not trigger web browser password
|
|
saving if possible.
|
|
|
|
### ssh-askpass shim, and password forwarding
|
|
|
|
`SSH_ASKPASS` needs to be set to a program (probably git-annex)
|
|
which gets the password from the webapp, and outputs it to stdout. **done**
|
|
|
|
Seems to call for the webapp and program to communicate over a local
|
|
socket (locked down so only user can access) or environment.
|
|
Environment is not as secure (easily snooped by root).
|
|
Local socket probably won't work on Windows. Could just use a temp file.
|
|
|
|
(Currently uses a temp file with locked down perms that it's careful
|
|
to clean up after use.)
|
|
|
|
Note that the webapp can probe to see if ssh needs a password, and can
|
|
prompt the user for it before running ssh and the ssh-askpass shim.
|
|
This avoids some complexity, and perhaps some attack vectors,
|
|
if the shim cannot requst an arbitrary password prompt.
|
|
(This complexity not needed with the temp file approach..)
|
|
|
|
### TODO
|
|
|
|
* test on OSX
|
|
* test on Android
|
|
* remove the vestigial terminal on Windows and Android, since this was the
|
|
last thing actually using it (not easy!)
|