109 comments

Manage this (-1)

ubertroll (153053) | more than 12 years ago | (#2272069)


I've seen him! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272070)

Bobby Fischer Lives!!!

Blame Adequacy! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272073)

BLAME ADEQUACY

Times have changed.
The trolls are getting worse.
They won't obey the admins,
They just want to spam and curse!

Should we blame the Geekizoid?
Or Slashdot 2.3?
Should we be blaming Kuro5hin's Rusty?

No! Blame Adequacy!
Blame Adequacy!
With their flaming little whines,
And trolling posts so full of lies!

Blame Adequacy! Blame Adequacy!
It's the trolls' brand new assault,
And it's Adequacy's fault!

Don't blame Slash,
For my friend Jim,
He went to Adequacy,
And now he acts like Michael Simms!

All my other friends,
Would never have acted like rats,
But now they're indistinguishable from Katz!

Well, blame Adequacy!
Blame Adequacy!
It seems the trolls have gotten long,
Since Adequacy came along!
Blame Adequacy! Blame Adequacy!
They're not even a cool website anyway.

My friends were once the very very best of karma whores,
But now they're ranting raving frothing trolling right-wing bores!

Should we blame the spammers,
Or those who moderate?
Or should we sit around and masturbate?

No way!

Blame Adequacy! Blame Adequacy!
Self-righteous trolling that we see,
And that bitch "nakedac",

Blame Adequacy,
Shame on Adequacy,
The nerds we must herd,
The crap we must tap,
The trolls at that place,
Must all be erased,
The fascists we see must all cease to be,
Before somebody thinks of blaming me!

Haiku (-1, Offtopic)

ShoeHead (40158) | more than 12 years ago | (#2272077)

Many linux geeks,
Windows needs security,
Mass converts needed?

Re:Haiku (-1)

ubertroll (153053) | more than 12 years ago | (#2272078)

[ASCII-art banner: LINUX SUX0RZ]

PLEASE SUPPORT OPEN SOURCE GNUHAIKU! (-1, Redundant)

Anonymous Coward | more than 12 years ago | (#2272107)

GnuHaiku rocks
But Open Source sucks my sack
It is ironic

RELEASED UNDER THE GNU PUBLIC LICENSE

Re:Haiku (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272140)

I have nothing to do with the posts after me. I try and write a simple, somewhat-funny response to a topic I obviously know nothing about (non-*nix guy here) and get modded to offtopic.

Thanks.

Easier way? (4, Informative)

Anonymous Coward | more than 12 years ago | (#2272089)

Debian's XDM will start X with ssh-agent if it's installed....

$ cat .xsession
...
(ssh-add
xterm -e ssh -X host1&
xterm -e ssh -X -1 otherhost &)&
...
exec pwm
$

the ssh-add will pop up ssh-askpass and then log you in to all your hosts. And since X was started using ssh-agent, you never have to type in your passwords or passphrase for the entire session.

If you're not using Debian, I think you can just run
$ ssh-agent startx

-Justin

PLEASE SUPPORT OPEN SOURCE GNUHAIKU! (-1, Redundant)

Anonymous Coward | more than 12 years ago | (#2272113)

You use many words
To describe a stupid task
Use Windows 2k

RELEASED UNDER THE GNU PUBLIC LICENSE

Or if you want to automate it even more (4, Interesting)

Bronster (13157) | more than 12 years ago | (#2272132)

[~]$ cat .bashrc
...
# first agent socket we can read; head -n 1 keeps only one if several exist
SSH_AUTH_SOCK=`/bin/ls /tmp/ssh-*/agent.* 2>/dev/null | head -n 1`
export SSH_AUTH_SOCK
...
[~]$

This works because the /bin/ls line with the pattern above will only get sockets that you can read, which means either owned by you or you are root (lucky you). It grabs the first one, which is fine for non-root users, though not wonderful if you're root - then again root shouldn't be doing this anyway.

It works from the console too!

P.S. - remember to nuke that agent when you've finished, otherwise anyone else who can get in as you has privs on every box that trusts you.

Re:Easier way? (3, Informative)

jdavidb (449077) | more than 12 years ago | (#2272161)

I read the first article in this series, and since then I've learned all sorts of things about secure shell. Here are my recommendations (similar to the above) for making your life easy and secure:

Create a DSA public key/private key pair:

$ ssh-keygen -t dsa

You'll be prompted to enter an encryption passphrase to protect your private key in the event that your account is compromised.

Copy (scp) the public key to other hosts you want to be able to get to easily and securely:

$ scp ~/.ssh/id_dsa.pub remotehost:

Connect to the other hosts and add this public key to your list of authorized keys:

$ ssh remotehost
$ cat id_dsa.pub >> ~/.ssh/authorized_keys2
$ exit

Presuming you are running X (specifically this worked for me with Gnome under RedHat 7.1; probably very applicable everywhere else), set up a .xsession file with these contents:

cat > .xsession
#!/bin/sh

exec /usr/bin/ssh-agent sh -c '/usr/bin/ssh-add & sleep 5; exec /usr/bin/gnome-session'

Now log out and log back in. You'll be prompted for the encryption phrase you entered for your DSA private key. Now you'll be able to ssh to the remote hosts you set up the authorized_keys2 file for without typing a password or an encryption passphrase!

I was able to ssh into my Windows NT machine at work from my Linux machine at work using this technique. I had ssh installed with cygwin [cygwin.com]. You have to set up a host key for the Windows machine with this command:

$ ssh-keygen -t dsa -f /etc/ssh_host_dsa_key -N ''

And then you have to start the server:

$ /usr/sbin/sshd

Then put your public key into the authorized_keys2 file on the Windows machine. You may need to connect as "Administrator":

linux$ ssh Administrator@winnt

You really need to try to understand how all this works to be able to make good informed decisions about security. Read some good accounts of basic public key/private key encryption (RSA/PGP) to start. If you already know how PGP works, the public key authentication of ssh (which keeps you from having to type a password) works very similarly: the ssh client basically provides a signature using the private key which the server on the remote host checks against the public key to validate your identity. Plus, this protects against the password keypress timing "attack" mentioned a week or two ago.

Be sure to always verify the host key signature of a machine you ssh to for the first time. This protects you against the man-in-the-middle attack, the only real vulnerability ssh has. (If you always verify that long hex string with the real value, you'll never be compromised.) If you need the hex host key signature for a machine, you can get it by typing:

$ ssh-keygen -l -f /etc/ssh_host_rsa_key.pub

But only do this in a verified connection, such as on the console.

BTW, many exact paths may vary. You may find things in /usr/local instead of /usr. You may find ssh config files in /etc/ssh instead of /etc. You also probably want to review manpages, look up the command-line options I used, decide between DSA and RSA, etc. Have fun!

That about sums up four weeks of learning or so for you. I hope others can benefit from what I've learned. Now I plan to go read that second article and see what else I can learn!

Re:Easier way? (2)

Dwonis (52652) | more than 12 years ago | (#2272177)

Copy (scp) the public key to other hosts you want to be able to get to easily and securely:

$ scp ~/.ssh/id_dsa.pub remotehost:

Connect to the other hosts and add this public key to your list of authorized keys:

$ ssh remotehost
$ cat id_dsa.pub >> ~/.ssh/authorized_keys2
$ exit

There's an even easier way:

$ ssh remotehost 'cat >> ~/.ssh/authorized_keys2' < ~/.ssh/id_dsa.pub

Re:Easier way? (2)

Alan (347) | more than 12 years ago | (#2272239)

Or even easier, there is a program called "ssh-copy-id" (in debian anyway) that does just that :)

Actually, it only does it for ssh1 keys, but that's easy enough to change :)

Re:Easier way? (1)

armb (5151) | more than 12 years ago | (#2272492)

> Plus, this protects against the password keypress timing "attack" mentioned a week or two ago.

No it doesn't, because that was about passwords sent over ssh, not the actual ssh password itself.

Re:Easier way? (1)

jdavidb (449077) | more than 12 years ago | (#2272742)

Yes it does, because it prevents you from sending your password over ssh, because that's what that was about.

The idea is you are authenticating yourself with public key encryption instead of sending your password over ssh. Not sending your password over ssh very definitely protects against attacks that work by timing the keypresses in your password sent over ssh.

Re:Easier way? (3, Informative)

Webmonger (24302) | more than 12 years ago | (#2272207)

Perhaps it would help if you read the article. Under "Limitations of ssh-agent", it lists the problems that Keychain solves.

The advantages of Keychain are
1. You only need to do it once each time you start your computer. For those of us who leave our boxes running for months or more, there is a significant difference between boots and sessions.

2. You can use it for cron jobs. That means you can securely perform remote operations without using unencrypted keys.

Yeah, if all you want is ssh-agent, ssh-agent might be easier. But for people who need it, keychain is key.

And by the way, I run Debian, and I don't even have an .xsession file.

Re:Easier way? (2, Informative)

Alan (347) | more than 12 years ago | (#2272235)

$ vi .xsession
(creates new file)
(paste from above)
:x
$

Now you do :) That's what I did on my unstable box anyway.

Re:Easier way? (1)

pjl5602 (150416) | more than 12 years ago | (#2272298)

1. You only need to do it once each time you start your computer. For those of us who leave our boxes running for months or more, there is a significant difference between boots and sessions.

Are the two really different (reboots and X sessions)? They certainly aren't for me.

2. you can use it for cron jobs. That means you can securely perform remote operations without using unencrypted keys.

Hmmmm. As described in the article, putting the keychain in the .bashrc file would not work for cronjobs. From the BASH(1) man page in the INVOCATION section:

If bash is invoked with the name sh, it tries to mimic the
startup behavior of historical versions of sh as closely
as possible, while conforming to the POSIX standard as
well.
...
A non-interactive shell invoked with the name sh does
not attempt to read any other startup files.

On my system (RedHat), cron executes commands with /bin/sh.

Re:Easier way? (2)

Webmonger (24302) | more than 12 years ago | (#2272719)

1. Yep. I leave my work machine on all the time, but I log in each morning, and log out each night.

2. The writer should definitely have been more specific about cron usage, but I think you're supposed to run a script from cron, then run keychain from the script.
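Bronster's .bashrc trick earlier in the thread and the suggestion here of running keychain from a cron script come down to the same question: which socket under /tmp/ssh-*/ belongs to a live agent of mine? An added example (not from the thread, from keychain or from OpenSSH) that answers it by speaking the ssh-agent protocol directly, sending the same request ssh-add -l does, and skipping stale sockets, other users' sockets and symlinks; the fake agent and the temp-dir layout in demo() are constructed for the demonstration.

```python
import glob
import os
import socket
import stat
import struct
import tempfile
import threading
from typing import Optional, Tuple

# Message types from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a short read means the peer went away mid-message."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the message was complete")
        buf += chunk
    return buf

def probe_agent(path: str, timeout: float = 1.0) -> Optional[int]:
    """Send SSH_AGENTC_REQUEST_IDENTITIES (as `ssh-add -l` does); return the
    identity count, or None if nothing at `path` speaks the agent protocol
    (stale socket of a dead agent, a plain file, an unrelated daemon)."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
            # Frame: uint32 length, then the type byte; this request has no payload.
            s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
            (length,) = struct.unpack(">I", _recv_exact(s, 4))
            if not 1 <= length <= 256 * 1024:
                return None
            body = _recv_exact(s, length)
    except OSError:
        return None
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER or len(body) < 5:
        return None
    return struct.unpack(">I", body[1:5])[0]

def owned_socket(path: str) -> bool:
    """Only a Unix socket owned by the current user qualifies; lstat (not stat)
    so a symlink dropped into /tmp cannot point us at someone else's agent."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISSOCK(st.st_mode) and st.st_uid == os.getuid()

def find_live_agent(pattern: str = "/tmp/ssh-*/agent.*") -> Optional[str]:
    """First socket matching `pattern` that is ours AND answers as an agent."""
    for path in sorted(glob.glob(pattern)):
        if owned_socket(path) and probe_agent(path) is not None:
            return path
    return None

def serve_fake_agent(path: str, comments: Tuple[str, ...]) -> None:
    """Constructed stand-in for ssh-agent (demo only): answers REQUEST_IDENTITIES
    with an IDENTITIES_ANSWER listing one made-up key blob per comment, and any
    other request with SSH_AGENT_FAILURE. Serves forever in a daemon thread."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(4)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    (length,) = struct.unpack(">I", _recv_exact(conn, 4))
                    body = _recv_exact(conn, length)
                    if body[0] == SSH_AGENTC_REQUEST_IDENTITIES:
                        reply = struct.pack(">BI", SSH_AGENT_IDENTITIES_ANSWER, len(comments))
                        for i, c in enumerate(comments):
                            reply += _string(b"constructed-key-blob-%d" % i) + _string(c.encode())
                    else:
                        reply = struct.pack(">B", SSH_AGENT_FAILURE)
                    conn.sendall(_string(reply))
                except OSError:
                    pass  # client gave up; keep serving the next one

    threading.Thread(target=serve, daemon=True).start()

def demo() -> Tuple[bool, Optional[int]]:
    """agent.0 is a leftover plain file that sorts first and must be skipped;
    agent.1 is the live (fake) agent. Returns (picked the live one?, key count)."""
    base = tempfile.mkdtemp(prefix="agent-demo-")
    os.mkdir(os.path.join(base, "ssh-demo"))
    open(os.path.join(base, "ssh-demo", "agent.0"), "w").close()
    live = os.path.join(base, "ssh-demo", "agent.1")
    serve_fake_agent(live, ("work@laptop", "sourceforge"))
    chosen = find_live_agent(os.path.join(base, "ssh-*", "agent.*"))
    return chosen == live, probe_agent(live)
```

A cron script can call find_live_agent() and export the result as SSH_AUTH_SOCK instead of relying on .bashrc, which cron's /bin/sh never reads; when it returns None there is no unlocked agent, and the job should fail closed rather than fall back to an unencrypted key.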

Gotta love OpenBSD for making OpenSSH! (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2272254)

Damn, those OpenBSD people who made OpenSSH rock muh w0rld! Thx OpenBSD! Nice to see it working in Linux too... *BSD rockz!

Re:Gotta love OpenBSD for making OpenSSH! (0)

Anonymous Coward | more than 12 years ago | (#2272259)

I'm happy about it too. Only one problem. OpenBSD sux0r u4 ass.

Re:Easier way? (2)

cabbey (8697) | more than 12 years ago | (#2272269)

So will SuSE, just change a variable in one of the config files and XDM/KDM/etc will run your entire desktop session under ssh-agent.

But that wouldn't let him plug his pet project now, would it? ;)

He does allow one benefit though for folks that either don't use a desktop manager, or telnet into a box multiple times... but then who does that? I mean seriously, once you set up your desktop properly, and use agent forwarding (which he didn't even mention iirc) well, by then there's no reason you should have an agent running anywhere other than the machine you're sitting in front of.

I'm not sure if the cronjob argument is a benefit or not... should be easy enough to salt those variables away yourself if you wanted.

Re:Easier way? (2)

hbo (62590) | more than 12 years ago | (#2272285)

The invocation of xdm on Debian must be something like:

ssh-agent xdm

Which gives the ssh-add commands something to talk to. Absent that sort of thing, merely doing ssh-agent xdm is only half the battle. I have two scripts. The first, in the best tradition of programmer laziness, just saves me typing one extra word when I start X. I call it ssx:

#!/bin/sh
ssh-agent stx

and stx has:

#!/bin/sh
ssh-add
startx

Still, that keychain thingie sounds interesting. I have a gut reaction that "long lived ssh-agent" processes are a Bad Thing. But so far, I can't think of a specific reason why they would be that doesn't also apply to any other use of ssh-agent.

So ? (0)

Anonymous Coward | more than 12 years ago | (#2272511)

So does (Ximian/RH) Gnome's xinit

Re:Easier way? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272554)

Lots of easier ways!!!

Why did this article make it to slashdot ?

This guy is a dork.

This is just wrong (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2272095)

I am very concerned about this. The Open Sores movement has been an annoying thorn in free Americans' sides for quite some time, but this is going just a bit too far. You people are encrypting your communications, which makes it impossible for our country's finest to keep you pimply faced little nerds in check. Stop destroying the ability for our government to govern this country, stop destroying our country by attacking Microsoft (who have put in countless hours and money into innovation of great American products, and your little nerd shit is no match for it), just grow up and get a life!

You people have no concept of what it means to be American. Thank god people like me and corporations like Microsoft are here to stand in check. You might be dancing in the sunshine now, but rest assured you little fucking nerds, your day of reckoning will come.

Re:This is just wrong (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272106)

I agree with you about MS software. I mean, with the American economy in the state it is now, great American businesses like Microsoft should be rewarded with our support! They make GREAT products at REASONABLE prices. This is what capitalism is all about. Microsoft is a shining example of all that is American. I don't know what is wrong with Slashdot geeks -- they think it's "hip" to fight against the establishment. But what they fail to realize is, without great corporations like Microsoft, a) their parents will be out of a job, which leads to b) they won't be able to buy new computers for their little geek children, and c) no more great American developed software products like Windows, Office, etc. will be developed. Grow up, nerds! ;P

Re:This is just wrong (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2272127)

As I thought, moderated down because my opinions were not agreed with. This is shameful, and I hope it will be corrected in meta-mod.

Re:This is just wrong (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272137)

It's not flamebait! God damn you moderators are on crack! The guy was just posting his opinion, and I for one am one of the (minority, it seems, on Slashdot anyway) posters who agree with him. If you can't moderate properly, DON'T MODERATE AT ALL.

Re:This is just wrong (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272272)

Fucking troll, suck my ass.

Re:This is just wrong (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272341)

Oh yeah, cocksmoker? Wanna take it outside? I'm tired of you little pissant geeks trying to talk tough. You make me laugh. If Matrix were here, he'd laugh too.

But who is Egg Troll? (-1)

egg troll (515396) | more than 12 years ago | (#2272111)

I think the best way to explain myself is this:

Well, you can tell by the way I use my walk,
I'm a woman's man: no time to talk.
Music loud and women warm, I've been kicked around
since I was born.
And now it's all right. It's OK.
And you may look the other way.
We can try to understand
the New York Times' effect on man.

Whether you're a brother or whether you're a mother,
you're stayin' alive, stayin' alive.
Feel the city breakin' and everybody shakin',
and we're stayin' alive, stayin' alive.
Ah, ha, ha, ha, stayin' alive, stayin' alive.
Ah, ha, ha, ha, stayin' alive.

Life goin' nowhere. Somebody help me.
Somebody help me, yeah.
Life goin' nowhere. Somebody help me.
Somebody help me, yeah. Stayin' alive.

A picture is worth more than 1000 words (-1)

ubertroll (153053) | more than 12 years ago | (#2272120)

This is Egg Troll:



PLEASE SUPPORT OPEN SOURCE GNUHAIKU! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272131)

Masterful artwork
Ubertroll is like Van Gogh
Egg Troll must step off

RELEASED UNDER THE GNU PUBLIC LICENSE

Its true! I cannot lie! (-1)

egg troll (515396) | more than 12 years ago | (#2272138)

Actually that was my perspective of yourself, Ubertroll, after I pulled out of you. Remember, I was wearing the black leather Nazi uniform. I greased up my arm to the elbow and made you call me the Tower of Power all night! That was a good night, wasn't it?

Greased up your arm? (-1)

ubertroll (153053) | more than 12 years ago | (#2272141)

Since you never shower, it's quite greasy anyway.

Yep! (-1)

egg troll (515396) | more than 12 years ago | (#2272153)

True, my Italian heritage and lack of showering pretty much makes me greasy all over. But I save a fortune on the KY bill!!

Re:Yep! (-1)

ubertroll (153053) | more than 12 years ago | (#2272159)

But how do you get a grip on your minuscule dick for wanking then?

Re:Yep! (-1)

egg troll (515396) | more than 12 years ago | (#2272206)

I call your mom and she comes over.

Re:Yep! (-1)

ubertroll (153053) | more than 12 years ago | (#2272220)

Well, your mom [bodysnatchers.co.uk] wouldn't help much, would she?

Re:Yep! (-1)

egg troll (515396) | more than 12 years ago | (#2272223)

True, but at least she's not as hideous as Taco's mom. I can't even bring myself to post a picture of this hideous hag. Suffice to say that she's most frequently seen on Stileproject. It's kinda sad, really.

Re:But who is Egg Troll? (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2272122)

I was described by this girl like this:

One night in a disco,
on the outskirts of Frisco,
I was cruisin with my favourite gang.
The place was so boring,
filled without a timeless touring,
I knew that it wasn't my thing.

I really wasn't caring,
but I felt my eyes staring,
at a guy who stuck out in the crowd.
He had the kind of body
that would shame madonnas
and a face that would make any man proud.

The champion of dance,
his moves will put you in a trance,
and he never leaves the disco alone.
And against my conceit,
as a man he's complete,
my creme de la creme please take me home.

first anti-buffalo post (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2272128)

when will people learn?! the place is a fucking shithole. fucking nuke it already!

telnet (1, Insightful)

Anonymous Coward | more than 12 years ago | (#2272130)

it's about time we got rid of telnet and only allowed ssh. telnet needs to be phased out.

Re:telnet (1, Insightful)

Anonymous Coward | more than 12 years ago | (#2272166)

No, the telnet daemon needs to be phased out. Telnet itself is still excellent to use as a debugging tool to create a raw connection to a TCP port.

Re:telnet (-1)

TRoLLHaXoR (206564) | more than 12 years ago | (#2272189)

because netcat isn't a better program for doing such things...

Re:telnet (0)

Anonymous Coward | more than 12 years ago | (#2272263)

Nope, it's not. Thank you, please try again.

Re:telnet (3, Insightful)

MavEtJu (241979) | more than 12 years ago | (#2272169)

telnet needs to be phased out.

Regarding the telnet-service, yes.
Regarding the telnet-protocol, no.
Regarding the telnet-program, no.

It's being used for more than port 23 only you know...

Edwin, can't live without small basic debugging tools.

Re:telnet-service (1, Informative)

Anonymous Coward | more than 12 years ago | (#2272317)

MavEtJu said:
"Regarding the telnet-service, yes."

Do you honestly think we are rid of 'dumb' wintel boxes that can only 'telnet'?

Any admin securing a secure box already knows not to run telnet, but for the other 99.999% of boxes out there, being able to access when stranded on crappy clients is important.

If your winbox can HTTP, it can SSH. (3, Informative)

yerricde (125198) | more than 12 years ago | (#2272337)

Do you honestly think we are rid of 'dumb' wintel boxes that can only 'telnet'?

Yes. If a Wintel box can HTTP, it can SSH. From Google.com, type in putty ssh and click "I'm Feeling Lucky" to be taken to PuTTY [greenend.org.uk], an X11-licensed SSH client for Win32. (If your firewall restricts HTTP and FTP downloads of binary programs, it probably also restricts outgoing telnet and ssh.)

Re:If your winbox can HTTP, it can SSH. (0)

Anonymous Coward | more than 12 years ago | (#2272678)

And the official secure shell client runs /very/ nicely on wintel too.

http://www.ssh.com/

(free for non-commercial use)

I'm not partisan about it.

WRONG: Telnet is for 'dumb' clients (1, Insightful)

Anonymous Coward | more than 12 years ago | (#2272264)

Such as when you are trapped at a client site and they have Wintel boxes and vt320s. If you can't telnet, you can't get to resources you might need.

Sometimes it is important to be able to get through to a less important server. Systems using ssh should perhaps WARN whenever a telnet login is successful (as a reminder to change passwords), but to say it should be phased out is very naive, and absolutely WRONG.

Re:telnet (0)

Anonymous Coward | more than 12 years ago | (#2272338)

What part of "phase out" don't you understand? We need to phase it out... work to get rid of it. Pressure winblows to include an ssh client. Convince people that having telnet open on a machine is a bad idea. Most people don't realize how wide open their information is when using telnet. Certainly telnet needs to be used to some degree, but I was referring to port 23 telnet sessions.

Stephen King, author, dead at 54 (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272146)


I just heard some sad news on talk radio - Horror/Sci Fi writer Stephen King was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.

This solution is too complex (1)

tsphere (93898) | more than 12 years ago | (#2272150)

There is a much easier way to use ssh-agent. Rather than starting the server from the first bash shell and then checking if it's running for every other shell, it's possible to simply say "ssh-agent [program]" and then that program and any of its children will know about the private key cache.

For example, on my system I added another login choice to KDM called "kde2-ssh". I created a corresponding shell script cleverly called "kde2-ssh" that contains only "exec ssh-agent /usr/X11R6/bin/kde2". You could use any window manager you like. (attention all sprockets: the "exec" is there so you don't waste a process)

After the window manager starts you simply run "ssh-add" once and every program started by X will know about ssh-agent. Pretty dope, huh?

Oh yeah, if you run ssh-add from a script (i.e. wherever there is no stdin) it will pop up a nice X dialog box for your password. Extra tasty crispy dope, I'd say. I put a call to ssh-add in my handy KDE "Autostart" folder so now I'm the envy of all my friends. Yes, all two of them.

g'night kids!

Neat, but... (2, Informative)

robbyjo (315601) | more than 12 years ago | (#2272162)

Even though keychain will let you log in to various hosts without passwords, I still prefer typing my password manually each time I log into those hosts. The main reason is that if there is a chance that somebody could access one of my accounts, he/she could easily log into my other accounts. At least typing each could provide some barrier.

Moreover, I could devise a "safer" plan by logging into one of the least important hosts using ssh, and then re-login to the real one that I'm going to work with. I dunno whether this provides a technically safer method, but I do feel a lot safer.

Re:Neat, but... (1)

MavEtJu (241979) | more than 12 years ago | (#2272196)

At least typing each could provide some barrier.

You don't want to know how many passwords I have guessed by just sitting next to somebody and looking with one eye to his keyboard :-)

I have one (1) computer with all my secret keys (one for private stuff, one for work, one for sourceforge). After login and before the starting of X I have to type three different and long keyphrases to add them to my ssh-agent. None of my remote accounts have passwords. Learning to lock your screen is a must :-)

Re:Neat, but... (5, Informative)

earlytime (15364) | more than 12 years ago | (#2272247)

Well, there's two sides to this.

The keychain folks have apparently taken the "rsh isn't so bad" approach. rsh and its counterparts are insecure for many reasons, only one of those is cleartext password authentication. Other reasons include unrestricted pre-authenticated per-user sessions (.rhosts files), and the ease with which someone can set up these sessions ( echo $myhostip >> /root/.rhosts ). It's extremely convenient though.

The other side is where you're coming from, that each and every session needs authentication. That's a fair stance, just inconvenient when you're making multiple connections.

I prefer an in-between approach. Start ssh-agent on login, and do the ssh-add manually. Then you can feel comfortable that someone must learn your RSA/DSA private key passphrase to use your credentials, and also that you have the convenience of not having to retype passwords, again and again, once you've authenticated once in that login session.

That's how the ssh folks designed the system to work, and I like that solution. You could also decrease your risk by requiring both RSA/DSA and passwords for authentication.

Using cfs with ssh keys and other secrets (3, Insightful)

ftobin (48814) | more than 12 years ago | (#2272175)

Personally, I like to use CFS, the Cryptographic File System, to store my filesystem-stored secrets. CFS works as an NFS loopback server, encrypting directories using a symmetric cipher.

When you 'cattach' (unlock) a CFS directory by entering the passphrase needed to decrypt the directory, you can then access the directory as normally as any other directory. The encryption/decryption is done on a need-to basis; sorta like PGPDisk for Windows, I imagine.

The reason I like to use CFS over things such as ssh-agent is that it has several features and advantages over ssh-agent:

  • One can set attached directories to detach after a set idle time or a fixed time. I find this very convenient, and an almost mandatory security measure. For example, I have my ssh keys set to detach after 20 minutes of non-use.

  • It is much easier and plainer to use decrypted secrets in multiple concurrent sessions than with ssh-agent. For example, a certain environment need not be mirrored across several xterms that are all accessing the secrets (e.g., I ssh from different xterms).

    With ssh-agent, it can be cumbersome to keep this in-sync across multiple windows.

    Of course, it can help to start ssh-agent with the X session, but this is not always available; for example, I could have multiple console terminals open, all accessing my ssh keys. Or I could login multiple times to a box which has ssh keys on it remotely several times (open up several ssh connections); I want to be able to unlock the secrets in one session and have it apply to the others.

    Personally, I think CFS's approach to having secrets available across multiple concurrent sessions is a 'better' approach than some hacks that have been suggested.

  • CFS can much more easily be used to store other secrets, such as my GnuPG keys. It is a good general-purpose secret-storer.

Unfortunately, I can't find a good URL for CFS, so you'll have to do some searching on your own. It's in the FreeBSD ports collection, though.

Re:Using cfs with ssh keys and other secrets (3, Insightful)

Dwonis (52652) | more than 12 years ago | (#2272185)

Here's the problem with what you're doing: you can't do authentication forwarding, which sucks big-time when you are scping from one remote machine to another remote machine.

Re:Using cfs with ssh keys and other secrets (1)

ftobin (48814) | more than 12 years ago | (#2272201)

Here's the problem with what you're doing: you can't do authentication forwarding

Yes, I realize that is a limitation of what I'm doing. When I do need authentication forwarding I do use ssh-agent; it is definitely a useful tool. I just wish it wasn't so session-limited. Kerberos is able to handle being across sessions (although using a very weak mechanism, I admit).

Re:Using cfs with ssh keys and other secrets (1)

bloo9298 (258454) | more than 12 years ago | (#2272316)

Is this [zedz.net] the same CFS (by Matt Blaze)?

Does anyone know of a more recent version?

And how does it compare to TCFS [www.tcfs.it]?

Re:Using cfs with ssh keys and other secrets (2)

ftobin (48814) | more than 12 years ago | (#2272329)

Yes, it appears to be the CFS I'm talking about. The nice thing about CFS is that since it relies on NFS for its infrastructure, it is very portable, and resides entirely in user-land (with a root-running daemon).

TCFS is generally used to encrypt entire home directories, but is generally Linux specific (kernel tie-ins). It is more advanced than CFS, though.

read.. important (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272180)

Ralph JewHater Nader is a closet homosexual sand nigger who does not shower... thank you

I'd be lieing if I didn't say "most" sand niggers (like Ralph JewHater Nader) are psychotic terrorist fucks

Re:read.. important (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272191)

Who are you people? Do you really believe what you say or are you just looking to get a rise? I hope you're some angry little teenager who will eventually grow up, not some 30-something who fucked his life up (blames that on everyone but yourself) and is living in your parents' basement working as an assistant manager at a McDonald's and who beats off to internet porn paid via your parents' credit card, cause you already maxed the one you got jointly with them.
Was that an acceptable rant?

Re:read.. important (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272217)

way to feed the trolls, dumbass.

now join me in the fight to destroy buffalo! fucking shithole of a city!!

Re:read.. important (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272286)

Yes, yes, keep turning a blind eye to their ignorance and maybe it will go away... just like global warming.... besides, maybe one of them will finally say, fuck, what the hell am I doing with my life. Stranger shit has happened (i.e. the Montreal Canadians being bought by an American, who would've thunk it)

more Haiku, cause i have nothing better to do (-1)

GaylordFucker (465080) | more than 12 years ago | (#2272192)

Good old Larry Wall
Smart man for creating Perl
Just kidding use C

Re:more Haiku, cause i have nothing better to do (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2272245)

I suggest you Haiku fans express yourself with another form of Japanese poetry, the Tanka. At 5-7-5-7-7, there are simply more syllables at your disposal for even greater trolling pleasure.

ssh-agent startx (2, Interesting)

smcavoy (114157) | more than 12 years ago | (#2272202)

I use this with much success.
I must then run ssh-add for every key I want to use. Doing that once a day (assuming you're not in a hostile environment, and never lock the console...)
saves time. Is this a bad idea?????

more Haiku, nothing else to do (-1)

GaylordFucker (465080) | more than 12 years ago | (#2272203)

I love Microsoft
Bill Gates is such a smart man
Steve Ballmer is dork

Don't insult Steve Ballmer! (-1)

ubertroll (153053) | more than 12 years ago | (#2272211)

Nobody licks like Steve [spiegel.de].

Your comment violated the postercomment compression filter. Comment aborted

Security? (0)

Anonymous Coward | more than 12 years ago | (#2272252)

The author says: Also, gaining access to my private keys would require a user to actually log in as me, not just read files in my directory. So, abusing ssh-agent would be a much more difficult task than simply stealing an unencrypted private key, which only requires that an intruder somehow gain access to my files in ~/.ssh, whether logged in as me or not.

I haven't read keychain's source or anything, but I did read the article. It sounds to me like if an intruder could read your files then they could just source ~/.ssh-agent themselves without logging in.

Comments?

Wish list (3, Insightful)

XNormal (8617) | more than 12 years ago | (#2272276)

An ssh-agent which supports physical tokens like the Dallas Semiconductor iButton [ibutton.com] (decoder rings are cool!)

Using ssh-agent to access cfs encrypted directories.

Using ssh-agent to unlock GnuPG keys.

All of the above, tunnelled through ssh-agent forwarding.

Using the same physical token to log in locally.

World peace.

Re:Wish list (1)

zur (37151) | more than 12 years ago | (#2272305)

Some decoder rings (the ones used by libow) are supported by keymgr [www.rcpt.to]. Another fine feature: when forwarding your authentication agent and a remote host asks for your key, a GTK-app pops up and asks whether to give it or not. Mostly agent-forwarding is done 'in the dark', and you have no idea when your agent gives out your key.

Re:Wish list (1)

dichro (49708) | more than 12 years ago | (#2272597)

Keymgr serves a particular role in a particular scenario. If you bounce around between multiple machines regularly, even if it's just with scp, agent forwarding is a beautiful thing. You can have key-only authentication throughout your network, and still minimize the exposure of the keys on disk.

Unfortunately, agent forwarding is also a can of worms. ssh-agent allows any hostile machine that you forward onto to use your keys to do arbitrary damage as long as you remain connected.

The first couple of good steps to take are mentioned above; interactive confirmation of forwarded authentication - which is possible with ssh - and using a physical token for added security.

I did once write a patch for gnupg to use keymgr for key management, but it was rather ugly and was treated to an (entirely deserved!) cold shoulder. It was very satisfying to sign and decrypt email with my Java ring, though :)

I've started working on libow again, and I'll probably move onto cleaning the rust off keymgr before my holidays are over - and maybe get around to writing that risk analysis/best common practice paper on ssh that I've been meaning to do since last century, instead of starting to braindump into a /. comment :P

ssh-keygen this you !@#$!@# (3, Interesting)

PatJensen (170806) | more than 12 years ago | (#2272304)

I read this article, it seems pretty cool to be able to store all your keys and access them using the ssh-agent, but I'm having a hard time just generating an RSA SSH2 key and having it work. Anyone mind helping me out? I've followed this process:

1. ssh-keygen -t rsa
2. typed in a 12 character password
3. copied the dsa_key.pub from my desktop and pasted it to ~/.ssh/authorized_keys2 on the server.
4. ssh -2 remotehost.

Then it asks for a password. I used ssh -v, which said it was trying RSA but it failed. I'm running OpenSSH 2.9p2 on Mac OS X. Help me, I've read the man pages repeatedly but it's still all jibber-jabber!

-Pat

Re:ssh-keygen this you !@#$!@# (2, Insightful)

*nixie (264400) | more than 12 years ago | (#2272335)

Is the server running commercial SSH? If so, you'll need to convert the public key using ssh-keygen -e before putting it on the server. Also, the authorization file is a little different; it doesn't contain the key directly.

My ISP's server is running commercial SSH 3.something. I have an .ssh2 directory there, containing my (converted) public key and a file called "authorization" which points to it:

    >cat authorization
    Key id_dsa.pub

Hope that helps.

Re:ssh-keygen this you !@#$!@# (1)

mystik (38627) | more than 12 years ago | (#2272710)

If they're both OpenSSH, make sure the permissions are correct. authorized_keys and authorized_keys2 have to be 600, and id_rsa, id_dsa, & identity also need to be 600. This has driven me batty enough times to have this be the first thing I check ;)

Re:ssh-keygen this you !@#$!@# (3, Informative)

jovlinger (55075) | more than 12 years ago | (#2273293)

In addition to the conversion step, you have to use DSA keys.

Using OpenSSH on the client, and Commercial on the Server, I was eventually able to get automatic authentication to work using DSA keys. RSA using the same procedure failed.

Oh, and unlike ssh1, I had to put the key in its own file and then add a reference to it in a second file. Rather cumbersome.

Re:ssh-keygen this you !@#$!@# (2, Informative)

CorwinOfAmber (39299) | more than 12 years ago | (#2273445)

1. ssh-keygen -t rsa
2. typed in a 12 character password
3. copied the dsa_key.pub from my desktop and pasted it to ~/.ssh/authorized_keys2 on the server.

Are you sure you copied the right key? You generated an RSA key, but you copied a file called dsa_key.pub. The default RSA key filename for openSSH is id_rsa.
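As an added example (not code from any commenter), here is a check for the permission problem mystik raises above. It goes slightly beyond the comment: instead of a fixed list of file names it treats every file under the directory containing a PEM "PRIVATE KEY" marker, plus any authorized_keys file, as one that must be mode 600, and also requires the directory itself to be 700, which sshd's StrictModes enforces. It assumes GNU or busybox stat (the -c option).

```shell
#!/bin/sh
# ssh_perm_check [DIR]
#   Prints every file under DIR (default ~/.ssh) whose permissions would make
#   OpenSSH refuse it, and returns the number of problems found (0 = all good,
#   255 = DIR does not exist). Added example, not from the original thread.
ssh_perm_check() {
    dir="${1:-$HOME/.ssh}"
    bad=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 255; }

    # The directory itself must not be group/world accessible.
    dmode=$(stat -c '%a' "$dir")
    if [ "$dmode" != "700" ]; then
        echo "$dir: mode $dmode, want 700"
        bad=$((bad + 1))
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            */authorized_keys*) ;;   # server-side key list: always private
            *)  # anything else only matters if it holds a private key;
                # public keys (*.pub) and config are fine at 644
                grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null || continue ;;
        esac
        m=$(stat -c '%a' "$f")
        [ "$m" = "600" ] && continue
        echo "$f: mode $m, want 600"
        bad=$((bad + 1))
    done
    return $bad
}

# Usage: ssh_perm_check            (checks ~/.ssh)
#        ssh_perm_check /path/dir  (checks another directory)
```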

Agent risks (5, Insightful)

Dr. Tom (23206) | more than 12 years ago | (#2272322)

Agent systems are interesting, and there is something to be said about the trend from simple server/client systems to server/agent/client systems. Agents can be very helpful in brokering transactions locally that involve sensitive information, or information that needs to be accessed repetitively.

However, agents can be complex to install and configure, and can potentially decrease security. The agent knows all your secrets, after all. Especially, using non-local agents is highly inadvisable.

It is also worth pointing out that agents can be used with password based systems as well. Unfortunately, SSH implementations are only using agents for key management. It is possible, and highly desirable when a chain of hosts is involved, for the remote side to contact your local agent to manage a remote passphrase-based authentication, using a protocol such as SRP that doesn't leak. An SRP agent would live on your desktop, present a familiar interface that is unambiguous, and provide secure authentications network wide, even chained. You never enter or store any security information on any host other than your own local client (this also solves all traffic analysis attacks based on password length).

A well designed agent needs to be a library, with pluggable user interfaces that are adapted for all the different GUI/CLI systems out there. Agent interfaces need to be familiar and distinct. There is a huge risk in communicating with an agent over a CLI, for example, when you can't distinguish the agent's prompts from the server's prompts. Ideally, agents should be started and configured automatically on the client machine by the client software. Sensitive information should time out.

You also don't want your agent to become a huge database of fluff with things like addresses and phone numbers. Use a database for that, and equip your database with an agent, and your agents with protocols that let them perform client/agent/agent/server transactions (with only LOCAL agents of course).

MS's Passport, for example, violates all these rules. It's non-local, it's full of tons of information that's irrelevant to most transactions, and the interface is variable and confusing.

It would be great if projects like OpenSSH develop (or use) full-blown agents and agent protocols that allowed these features. I for one would be interested in hearing about general purpose client/agent/server architectures and protocols that have already been developed for use in Free Software projects, and/or TLS-based protocols that use agents. Any ideas?

Re:Agent risks (0)

Anonymous Coward | more than 12 years ago | (#2272435)

Agent systems are interesting, [...] However, agents can be complex [...] The agent knows all your secrets, after all.
True.
  • using non-local agents is highly inadvisable.
  • agents can be used with password based systems as well.
  • using agents for key management.
  • An SRP agent would live on your desktop, present a familiar interface that is unambiguous,
  • A well designed agent needs to be a library, with pluggable user interfaces that are adapted for all the different GUI/CLI systems out there.
  • Agent interfaces need to be familiar and distinct.
  • Ideally, agents should be started and configured automatically
  • You also don't want your agent to become a huge database of fluff with things like addresses and phone numbers.
Great points. I'm forwarding this to the Wachowski brothers as suggestions for their upcoming Matrix 2 movie.

This guy is insane (1)

otomo_1001 (22925) | more than 12 years ago | (#2272376)

Ok, I've been reading through all of his xml/xsl tutorials, and other things he's put on developerworks.

I have one question.

How the heck does this guy find the time for all of this??????

Not only to research and test, but to write a tutorial as well, he's insane. My hat (if I would ever wear one) goes off to him.

Resume your normal activities.

This isn't news! (1)

Sagarian (519668) | more than 12 years ago | (#2272383)

I've been managing my keys with a keychain for years! Of course if I leave my keychain accessible for a significant period of time, someone has access to all my resources (provided that they know where they are).

only one thing to say now that my secret is out : ssh... ssh...

Now if they would just invent a digital equivalent of my Homer Simpson key fob.

advice (0, Informative)

Anonymous Coward | more than 12 years ago | (#2272422)

I recommend using the new (currently in the late beta stages) ssh client NetRes SSHRes. You can find information about it here [netres.com]. This client uses public key cryptography with their new key hiding technology, that maintains your security even if the box you're sshing into has been compromised. You can even forward authentications and stay authenticated between sessions. SSHRes is available for NetBSD, OpenBSD, and Linux, with versions for Solaris, AIX, Windows 2000, Mac OS X, and BeOS to be developed. The project is open source, and will be supported by selling documentation, tech support, and installation to corporations.

Moderate...[Re:advice] (1)

vs (21446) | more than 12 years ago | (#2273235)

Okay, who rated this stupid broken link "Informative"?

You, in the back row! Stand in the corner for 15 minutes!

Easier way? (2, Informative)

dirtyrat (249432) | more than 12 years ago | (#2272544)

Here's my .xsession. Works on Red Hat Linux, and needs ssh-askpass-gnome installed.

    #!/bin/sh
    # First pass: no agent in the environment yet, so re-exec this same
    # script as a child of ssh-agent, which exports SSH_AGENT_PID and
    # SSH_AUTH_SOCK to it.
    if [ ! "$SSH_AGENT_PID" ]; then
        exec ssh-agent $0
    else
        # Second pass: running under the agent; load the default keys
        # (ssh-askpass-gnome prompts for the passphrase) and start X clients.
        ssh-add
        exec /etc/X11/xinit/Xclients
    fi
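The "Security?" comment above worries about anyone who can read the saved agent environment file, and dirtyrat's .xsession ties the agent to one X session. As an added example (not code from the article or any commenter), this keychain-style helper does the cross-session reuse the thread is after, but writes the environment file with umask 077 and refuses to trust it unless both the file and the socket it names belong to the current user and are mode 600. The file name ~/.ssh-agent and the SSH_AGENT_ENVFILE override are my assumptions; it assumes GNU or busybox stat and an OpenSSH ssh-agent/ssh-add.

```shell
#!/bin/sh
# Added example, not from the original thread.
ENVFILE="${SSH_AGENT_ENVFILE:-$HOME/.ssh-agent}"   # assumed location

mode_of()  { stat -c '%a' "$1"; }   # octal permission bits, e.g. 600
owner_of() { stat -c '%u' "$1"; }   # numeric uid of the owner

# agent_envfile_ok FILE
#   Returns 0 only if FILE is a regular file we own with mode 600 and the
#   SSH_AUTH_SOCK it records exists, is ours and is mode 600. Anything else
#   (someone else's file, a readable copy, a stale or foreign socket) fails.
agent_envfile_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(owner_of "$f")" = "$(id -u)" ] || return 1
    [ "$(mode_of "$f")" = "600" ] || return 1
    # ssh-agent -s writes lines like: SSH_AUTH_SOCK=/tmp/ssh-X/agent.1; export SSH_AUTH_SOCK;
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$f")
    [ -n "$sock" ] && [ -e "$sock" ] || return 1
    [ "$(owner_of "$sock")" = "$(id -u)" ] || return 1
    [ "$(mode_of "$sock")" = "600" ] || return 1
    return 0
}

# start_or_reuse_agent
#   Source a trusted environment file if there is one, then ask the agent
#   for its key list: ssh-add -l exits 0 with keys loaded, 1 with none,
#   2 when no agent can be reached. Only in the last case is a new agent
#   started, and its environment is recorded with umask 077.
start_or_reuse_agent() {
    if agent_envfile_ok "$ENVFILE"; then
        . "$ENVFILE" >/dev/null
    fi
    ssh-add -l >/dev/null 2>&1
    case $? in
        2)  (umask 077; ssh-agent -s > "$ENVFILE")
            . "$ENVFILE" >/dev/null
            ssh-add ;;
        1)  ssh-add ;;   # agent alive but empty: load the default keys
        0)  ;;           # keys already present: nothing to do
    esac
}

# Usage from a login script: . ./this-file && start_or_reuse_agent
```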

pam_ssh.so (1)

vs (21446) | more than 12 years ago | (#2273015)

Everybody seems to be engaged in a shell-scripting d*ck-size contest.

The easiest solution for starting an ssh-agent is of course by using pam_ssh.so :-)

Obviously the pam config has to be installed by root, though.

Am I dense or... (0)

Anonymous Coward | more than 12 years ago | (#2273016)

is keychain a slightly more convoluted way of having an SSH RSA key with no passphrase?

an ssh session management alternative (1)

igen (520378) | more than 12 years ago | (#2273022)

I have recently purchased a memory key device (8M USB thingy-do which mounts as a scsi drive under Linux) and thought it would be neat to have some sort of system whereby I could not get access to my box unless the key was there. So I dug around and found a pam module for BSD (if you have ssh under BSD you should have it) which uses ssh as the authentication method.

Additionally, there is session management. So, a login to any entrance (vt, xdm, etc.) transparently spawns ssh-agent if necessary and adds keys. (My friend and I have been fooling around with making it work under Linux and it almost works perfectly).

Now I have a cute little paranoid system whereby login, gdm, xscreensaver, etc. are forced to auth through my 1024 bit password protected DSA key which lives only on my usb keychain. (pop out the key and xscreensaver locks immediately too).