On 5/28/06, John Jolet <john@×××××.net> wrote:
>
>
> On May 28, 2006, at 11:21 AM, Kevin O'Gorman wrote:
>
> > On 5/27/06, John Jolet <john@×××××.net> wrote:
> > That does not work for ssh/scp sessions. I usually test $PS1 to tell
> > if it's really a shell -- the variable does not even exist for an
> > scp session, although .bashrc gets called.
> > > can you give us an example of what your .bashrc looks like?
> >
> > Well, the whole thing is kinda long, but the part I was fooling
> > with lately now looks like this, and partly automates the use of
> > ssh-agent for my (very frequent) use of ssh from home to some machines
> > at work. The problem was probably either the "echo" commands or that
> > this actually proceeds within a subshell.
> >
> >
> > if [ "x" != "x$PS1" ] ; then
> >     SHELL_LOGIN=1
> > else
> >     # Probably scp; empty string is false
> >     SHELL_LOGIN=
> > fi
> >
> > if [ -n "$SHELL_LOGIN" ]
> > then
> >     if [ -z "$SSH_AGENT_PID" ]
> >     then
> >         # not yet running in ssh-agent
> >         ssh-agent /bin/bash
> >         r=$?
> >         echo Done with ssh-agent
> >         sleep 1
> >         exit $r
> >     else
> >         # this is an ssh-agent subshell
> >         echo You may want to run ssh-add.
> >     fi
> > fi
> >
> > --
> > Kevin O'Gorman, PhD
>
> well, you could comment out the "echo" commands and try it.
> personally, I try to stay away from things happening automatically
> for me. just my preference. I would rename .bashrc to something
> else, like old.bashrc and do the scp and see if that works.
> depending on what your needs are, you could also add a second user
> with the same uid, but a different home directory and use that other
> user for scp..... shrug. not a big fan of ssh-agent (or anything
> that caches credentials).

Sorry, I didn't make myself clear. PROBLEM SOLVED, and the .bashrc
I quoted works fine. What I had to do was create the SHELL_LOGIN
variable, and use it to protect the code that interfered with scp.

I normally don't use that kind of automation either, but for security
reasons I use a passphrase on my ssh identity, and it's long. Typing it
a lot got real old, so I started using ssh-agent, but I use it in a lot
of windows, so I'm just trying to balance convenience and security. Some
days I do 20 or more scp operations.

That's the usual balancing act -- if it's too inconvenient, I'll ditch
the security and hope for the best. So this is what I came up with.

What I'd really like is a way to get this set up when I log into KDE,
so that all the windows I open under that login have an agent. I'm not
worried about physical security on this system, but about the possibility
of a hacker break-in giving automatic access to other hosts. Thus the
long passphrase on my private keyrings.

I was also reluctant to use ssh-agent, but on reflection I don't see a
real vulnerability. I use it on my home system, which is not exposed
to others in the usual course of things. If somebody steals the computer,
the loss of power un-caches the credentials, so I'm only vulnerable to
someone physically sneaking in to *use* my computer and finding
me logged in. Very unlikely, because when I leave the house I'm either
logged off or my session is locked. I'm simply not a big enough fish
for it to be reasonable anyone would do this.

Of course, security issues are always a balancing act and you may
figure the balance however you like.

++ kevin

-- 
Kevin O'Gorman, PhD
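The setup Kevin asks for above (one agent shared by every window of a login session, with .bashrc kept quiet for scp) can be done without wrapping the shell in ssh-agent. The following is an added example, not code from this thread: it tests interactivity with $- instead of $PS1, saves the agent's variables to a file that later shells reuse, and caps how long cached keys live with ssh-agent -t. The env-file path, the lifetime and the sample agent output are constructed assumptions.

```shell
# Added example (not from the thread): one ssh-agent per login session,
# reused by every later shell, with .bashrc kept silent for scp/sftp.
# Constructed assumptions: env-file path, key lifetime, sample agent output.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"
AGENT_TTL="${AGENT_TTL:-4h}"   # ssh-agent -t: keys expire after this

# Interactive shells carry 'i' in $-; scp, sftp and "ssh host cmd" do not,
# yet they still read .bashrc, so any output must be guarded by this test.
shell_is_interactive() {
    case $- in *i*) return 0 ;; *) return 1 ;; esac
}

# Reduce ssh-agent's "VAR=value; export VAR;" lines to two plain lines,
# socket path then PID, so later shells can load them from a file.
agent_output_to_env() {
    sed -n -e 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' \
           -e 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p'
}

# A saved agent is reusable only if its socket exists and its PID is alive;
# after a reboot or a killed agent this fails and a fresh agent is started.
agent_is_alive() {
    [ -n "$1" ] && [ -S "$1" ] && [ -n "$2" ] && kill -0 "$2" 2>/dev/null
}

# Export the session agent into this shell, starting one if none is usable.
start_or_reuse_agent() {
    if [ -r "$AGENT_ENV" ]; then
        sock=$(sed -n 1p "$AGENT_ENV"); pid=$(sed -n 2p "$AGENT_ENV")
        if agent_is_alive "$sock" "$pid"; then
            SSH_AUTH_SOCK=$sock; SSH_AGENT_PID=$pid
            export SSH_AUTH_SOCK SSH_AGENT_PID
            return 0
        fi
    fi
    mkdir -p "$(dirname "$AGENT_ENV")" && : > "$AGENT_ENV" && chmod 600 "$AGENT_ENV"
    ssh-agent -s -t "$AGENT_TTL" | agent_output_to_env > "$AGENT_ENV"
    SSH_AUTH_SOCK=$(sed -n 1p "$AGENT_ENV"); SSH_AGENT_PID=$(sed -n 2p "$AGENT_ENV")
    [ -n "$SSH_AUTH_SOCK" ] && export SSH_AUTH_SOCK SSH_AGENT_PID
}

# Constructed sample of what `ssh-agent -s` prints (not a real agent).
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-XXXXabcd/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;
echo Agent pid 4243;'

# In .bashrc: only interactive shells set up the agent and print anything.
if shell_is_interactive; then
    start_or_reuse_agent && echo "ssh-agent ready; run ssh-add if it has no keys."
fi
```

Sourcing this from .bashrc gives every terminal opened in the session the same agent, while an scp connection runs the file without producing any output.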