Re: creative ssh-agent uses
On Sat, 09 Dec 2006, Rudi Cilibrasi wrote:
> Dear Ratiu, I am not sure I understand your situation, but maybe this can help? When creating an ssh-key using ssh-keygen, it prompts you for a passphrase. It isn't so obvious, but you can simply hit return at that point to have no passphrase. This means that the resulting key

This is EXACTLY what I want to avoid. I use passphrase-less keys for some backups already, so I know the procedure. However, I'm trying to benefit from having the ssh session signed with my personal key, and somehow use that when mounting the dm-crypt/LUKS device where I back up my files.

There are other people besides me who want to back up their laptops (containing personal data) to the same storage server, and we decided we didn't trust each other to the level where we would grant all our data to whoever knows the passwords. But we're lazy so we want to automate this :)

I know there are other acceptable solutions (having the password written in a local file, or typing it every time), but they're not as nice. However, I'll go with one of them until I manage to put together a program that does what I want.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: creative ssh-agent uses
On Thu, 07 Dec 2006, Stefan Denker wrote:
> On Mon, Dec 04, 2006 at 09:25:38PM +0200, Ratiu Petru wrote:
> > What I'm thinking is to provide a static string as a challenge and use the response as the cryptodevice password, but I can't find a program that allows me to manipulate the socket this way. This mechanism might also be used for other purposes, stacking public key authentication in a normal password-based login.
>
> I do not think this is a good idea. If the challenge is static, the response will be, too. Then you might be vulnerable to replay attacks.

I perfectly understand. However, I _need_ a static password for cryptsetup; I just wanted to make it somehow dependent on the agent to skip prompting for it in the backup script. I am aware of the fact that someone who knows the password can mount the cryptsetup directly; I can't improve that.

I found somewhere a script that was supposed to use ssh-agent like I wanted to (encrypt stuff through it), but all it did was crash my agent :)

The gpg-agent is a nice idea too, but we already have an existing ssh infrastructure and not all guys involved have gpg keys, so I'm trying to avoid that if possible.
creative ssh-agent uses
It all started when I wanted to use an encrypted filesystem for my personal backups: I have a script that I run after I log in to the backup server; it asks me for the passphrase for the encrypted storage, mounts it, and begins the rsync-over-ssh backup script which connects back to my workstation, all thanks to ssh-agent.

I'd like to skip the "enter the crypto password" bit. Can it not be done with ssh-agent too? Cryptsetup can read the key from stdin, so all that's left is to provide something that identifies me as the owner of the forwarded ssh-agent and the backup session.

According to what I have read until now, authentication works by sending some random challenge to ssh-agent via the SSH_AUTH_SOCK socket, reading the response and applying the public key to it to verify it. Unfortunately, all this is done internally by sshd (if I'm not mistaken), with no way to control or see the challenge or the response.

What I'm thinking is to provide a static string as a challenge and use the response as the cryptodevice password, but I can't find a program that allows me to manipulate the socket this way. This mechanism might also be used for other purposes, stacking public key authentication in a normal password-based login.

I guess I am either missing an obvious security flaw in this, or it's unnecessarily complicated, because it seems there's no way to do this via standard programs. Of course, I might have just missed it ;-)

Please help me shed some light on this.
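The socket manipulation Ratiu is asking about, as an added example that is not from this thread or from any of the posters: a small Python client for the ssh-agent protocol that asks the agent to sign a fixed challenge and hashes the signature into a cryptsetup key. The message numbers are the real ones from draft-miller-ssh-agent; the challenge string, the "cryptsetup-key-v1" label and the choice of the agent's first identity are assumptions made here.

```python
import hashlib, os, socket, struct

# Message numbers from draft-miller-ssh-agent (the protocol spoken on SSH_AUTH_SOCK).
REQUEST_IDENTITIES, IDENTITIES_ANSWER, SIGN_REQUEST, SIGN_RESPONSE = 11, 12, 13, 14
# Only these signature types are deterministic; ecdsa-sha2-* picks a fresh nonce per call.
DETERMINISTIC = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", "ssh-ed25519"}

def ssh_string(b):  # SSH wire "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):  # -> (value, offset just after it)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sign_request(key_blob, challenge, flags=0):
    # byte SIGN_REQUEST, string key blob, string data to sign, uint32 flags
    return bytes([SIGN_REQUEST]) + ssh_string(key_blob) + ssh_string(challenge) + struct.pack(">I", flags)

def parse_identities(reply):  # IDENTITIES_ANSWER -> [(key_blob, comment), ...]
    if reply[0] != IDENTITIES_ANSWER:
        raise RuntimeError("agent did not list identities")
    (count,) = struct.unpack_from(">I", reply, 1)
    keys, off = [], 5
    for _ in range(count):
        blob, off = read_string(reply, off)
        comment, off = read_string(reply, off)
        keys.append((blob, comment.decode()))
    return keys

def parse_sign_response(reply):  # SIGN_RESPONSE -> (signature type, raw signature blob)
    if reply[0] != SIGN_RESPONSE:
        raise RuntimeError("agent refused to sign (no such key, or agent locked)")
    sig, _ = read_string(reply, 1)       # outer: string signature
    sigtype, off = read_string(sig, 0)   # inner: string type, string blob
    return sigtype.decode(), read_string(sig, off)[0]

def derive_key(sigtype, blob):  # hash the signature into a fixed 32-byte secret
    if sigtype not in DETERMINISTIC:
        raise ValueError(f"{sigtype} signatures vary per call; the key would not be stable")
    return hashlib.sha256(b"cryptsetup-key-v1" + blob).digest()  # label is a constructed choice

def agent_call(msg):  # one framed request over SSH_AUTH_SOCK -> unframed reply
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        s.sendall(struct.pack(">I", len(msg)) + msg)
        f = s.makefile("rb")
        return f.read(struct.unpack(">I", f.read(4))[0])

def key_from_agent(challenge=b"backup-volume-1"):  # first agent identity signs the fixed challenge
    blob, _comment = parse_identities(agent_call(bytes([REQUEST_IDENTITIES])))[0]
    return derive_key(*parse_sign_response(agent_call(build_sign_request(blob, challenge))))
```

The derived key is only stable for RSA and Ed25519 identities, and once computed it is a static secret exactly like the passphrase it replaces, so feed it to cryptsetup over stdin rather than writing it to disk.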
Re: Abwesenheit
On Fri, 2005-09-16 at 18:06 +0200, Horst Pflugstaedt wrote:
> Normally a reasonably configured autoresponder will only send this message once. So actually most of these ppl _are_ subscribed to d-s.

Normally a reasonably configured autoresponder recognizes mailing lists and ignores them.

--
Ratiu Petru [EMAIL PROTECTED]
System Administrator
System Network Solutions