It all started when I wanted to use an encrypted filesystem for my personal backups: I have a script that I run after I log in to the backup server; it asks me for the passphrase of the encrypted storage, mounts it, and starts the rsync-over-ssh backup script, which connects back to my workstation, all thanks to ssh-agent.
I'd like to skip the "enter the crypto password" bit. Can it not be done with ssh-agent too? Cryptsetup can read the key from stdin, so all that's left is to provide something that identifies me as the owner of the forwarded ssh-agent and the backup session.

According to what I've read so far, authentication works by sending some random challenge to ssh-agent via the SSH_AUTH_SOCK socket, reading the response and applying the public key to it to verify it. Unfortunately, all this is done internally by sshd (if I'm not mistaken), with no way to control or see the challenge or the response.

What I'm thinking is to provide a static string as a challenge and use the response as the cryptodevice password, but I can't find a program that allows me to manipulate the socket this way. This mechanism might also be used for other purposes, such as stacking public-key authentication on a "normal" password-based login.

I guess I am either missing an obvious security flaw in this, or it's unnecessarily complicated, because it seems there's no way to do this via standard programs. Of course, I might have just missed it ;-) Please help me shed some light on this.
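The socket manipulation asked about above, as an added example that is not part of the original post: a minimal Python client for the OpenSSH agent protocol that lists the agent's keys, asks it to sign a fixed challenge, and hashes the signature into a passphrase for cryptsetup. The challenge string, the purpose label and the function names are constructed for this example; it assumes SSH_AUTH_SOCK points at a forwarded agent, and a stable passphrase only results from RSA or Ed25519 keys, since OpenSSH's ECDSA and sk-* signatures are randomized.

```python
import hashlib, os, socket, struct

# Message numbers from the OpenSSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 11, 12
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data
def read_string(buf: bytes, off: int):
    """Decode the SSH string at buf[off:]; return (data, offset after it)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n
def build_sign_request(key_blob: bytes, challenge: bytes, flags: int = 0) -> bytes:
    """Unframed SSH_AGENTC_SIGN_REQUEST: type byte, key blob, data to sign, flags."""
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(challenge) + struct.pack(">I", flags))
def parse_identities(msg: bytes) -> list:
    """Return [(key_blob, comment), ...] from an SSH_AGENT_IDENTITIES_ANSWER."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply %r" % msg[:1])
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys
def parse_sign_response(msg: bytes) -> bytes:
    """Return the signature blob ('string sig-type, string sig') or raise on refusal."""
    if not msg or msg[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("agent refused to sign (reply type %r)" % msg[:1])
    return read_string(msg, 1)[0]
def derive_passphrase(signature: bytes, label: bytes = b"backup-luks-v1") -> str:
    """Hash signature + purpose label (constructed) so cryptsetup gets a fixed-size secret."""
    return hashlib.sha256(label + signature).hexdigest()
def agent_call(sock: socket.socket, request: bytes) -> bytes:
    """Send one length-framed request on SSH_AUTH_SOCK, return the unframed reply."""
    sock.sendall(ssh_string(request))
    (n,) = struct.unpack(">I", sock.recv(4, socket.MSG_WAITALL))
    return sock.recv(n, socket.MSG_WAITALL)
def agent_passphrase(challenge: bytes) -> str:
    """Sign a fixed challenge with the first agent key; only RSA and Ed25519
    signatures are deterministic, ECDSA and sk-* keys change on every run."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        blob, _ = parse_identities(agent_call(s, bytes([SSH_AGENTC_REQUEST_IDENTITIES])))[0]
        sig = parse_sign_response(agent_call(s, build_sign_request(blob, challenge)))
    return derive_passphrase(sig)
```

Writing `agent_passphrase(b"luks-backup-challenge-v1")` to cryptsetup's stdin replaces the typed passphrase; note that whoever can reach the forwarded socket during the session can obtain exactly the same signature, so the derived secret is only as protected as the agent forwarding itself.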