| 1 |
On 5/28/06, John Jolet <john@×××××.net> wrote: |
| 2 |
> |
| 3 |
> |
| 4 |
> On May 28, 2006, at 11:21 AM, Kevin O'Gorman wrote: |
| 5 |
> |
| 6 |
> > On 5/27/06, John Jolet <john@×××××.net> wrote: |
| 7 |
> > That does not work for ssh/scp sessions. I usually test $PS1 to tell |
| 8 |
> > > if it's really a shell -- the variable does not even exist for an |
| 9 |
> > > scp session, |
| 10 |
> > > although .bashrc gets called. |
| 11 |
> > can you give us an example of what your .bashrc looks like? |
| 12 |
> > |
| 13 |
> > Well, the whole thing is kinda long, but the part I was fooling |
| 14 |
> > with lately |
| 15 |
> > now looks like this, and partly automates the use of ssh-agent for my |
| 16 |
> > (very frequent) use of ssh from home to some machines at work. The |
| 17 |
> > problem was probably either the "echo" commands or that this actually |
| 18 |
> > proceeds within a subshell. |
| 19 |
> > |
| 20 |
> > |
| 21 |
> > if [ "x" != "x$PS1" ] ; then |
| 22 |
> > SHELL_LOGIN=1 |
| 23 |
> > else |
| 24 |
> > # Probably scp; empty string is false |
| 25 |
> > SHELL_LOGIN= |
| 26 |
> > fi |
| 27 |
> > |
| 28 |
> > if [ -n "$SHELL_LOGIN" ] |
| 29 |
> > then |
| 30 |
> > if [ -z "$SSH_AGENT_PID" ] |
| 31 |
> > then |
| 32 |
> > # not yet running in ssh-agent |
| 33 |
> > ssh-agent /bin/bash |
| 34 |
> > r=$? |
| 35 |
> > echo Done with ssh-agent |
| 36 |
> > sleep 1 |
| 37 |
> > exit $r |
| 38 |
> > else |
| 39 |
> > # this is an ssh-agent subshell |
| 40 |
> > echo You may want to run ssh-add. |
| 41 |
> > fi |
| 42 |
> > fi |
| 43 |
> > |
| 44 |
> > -- |
| 45 |
> > Kevin O'Gorman, PhD |
| 46 |
> |
| 47 |
> well, you could comment out the "echo" commands and try it. |
| 48 |
> personally, I try to stay away from things happening automatically |
| 49 |
> for me. just my preference. I would rename .bashrc to something |
| 50 |
> else, like old.bashrc and do the scp and see if that works. |
| 51 |
> depending on what your needs are, you could also add a second user |
| 52 |
> with the same uid, but a different home directory and use that other |
| 53 |
> user for scp..... shrug. not a big fan of ssh_agent (or anything |
| 54 |
> that caches credentials). |
| 55 |
|
| 56 |
|
| 57 |
Sorry, I didn't make myself clear. PROBLEM SOLVED, and the .bashrc |
| 58 |
I quoted works fine. What I had to do was create the SHELL_LOGIN |
| 59 |
variable, and use it to protect the code that interfered with scp. |
| 60 |
|
| 61 |
I normally don't use that kind of automation either, but for security |
| 62 |
reasons |
| 63 |
I use a passphrase on my ssh identity, and it's long. Typing it a lot |
| 64 |
got real old, so I started using ssh_agent, but I use it in a lot of |
| 65 |
windows, |
| 66 |
so I'm just trying to balance convenience and security. Some days |
| 67 |
I do 20 or more scp operations. |
| 68 |
|
| 69 |
That's the usual balancing act -- if it's too inconvenient, I'll ditch the |
| 70 |
security and hope for the best. So this is what I came up with. |
| 71 |
|
| 72 |
What I'd really like is a way to get this set up when I log into KDE, |
| 73 |
so that all the windows I open under that login have an agent. I'm not |
| 74 |
worried about physical security on this system, but the possibility of |
| 75 |
a hacker break-in giving automatic access to other hosts. Thus the |
| 76 |
long passphrase on my private keyrings. |
| 77 |
|
| 78 |
I was also reluctant to use ssh-agent, but on reflection I don't see a |
| 79 |
real vulnerability. I use it on my home system, which is not exposed |
| 80 |
to others in the usual course of things. If somebody steals the computer, |
| 81 |
the loss of power un-caches the credentials, so I'm only vulnerable to |
| 82 |
someone physically sneaking in to *use* my computer and finding |
| 83 |
me logged in. Very unlikely, because when I leave the house I'm either |
| 84 |
logged off or my session is locked. I'm simply not a big enough fish |
| 85 |
for it to be reasonable anyone would do this. |
| 86 |
|
| 87 |
Of course, security issues are always a balancing act and you may |
| 88 |
figure the balance however you like. |
| 89 |
|
| 90 |
++ kevin |
| 91 |
|
| 92 |
-- |
| 93 |
Kevin O'Gorman, PhD |
Archives