I would like ssh to have the command line option of supplying the passphrase.
This would make it possible to do attendant free scp transfers from PHP, for
example. As it is, it is impossible to use a web script to initiate an scp xfer
if an encrypted private key is used.

I realize that stupid people could make shell scripts or web scripts then with
the pass phrase in them, but those same stupid people are just as likely to walk
out in front of cars. The preferred method is to supply the passphrase through
an ssl connected web page/script for a one time use.

Without the ability to do attendant free scp transfers using pass phrased
private keys, the only remote to remote transfers that can be initiated by a web
script is via ssl, and that costs money for a certificate that most hosts will
accept.

Schematic of intended usage.

Me with SSL browser<----->My company website<------->client website to be
                          with PHP CASE TOOL         edited with PHP
                                                     CASE TOOL

Dennis Gearon writes:
> I would like ssh to have the command line option of supplying the passphrase.
> This would make it possible to do attendant free scp transfers from PHP, for
> example. As it is, it is impossible to use a web script to initiate an scp xfer
> if an encrypted private key is used.
>
> I realize that stupid people could make shell scripts or web scripts then with
> the pass phrase in them, but those same stupid people are just as likely to walk
> out in front of cars. The preferred method is to supply the passphrase through
> an ssl connected web page/script for a one time use.
>
> Without the ability to do attendant free scp transfers using pass phrased
> private keys, the only remote to remote transfers that can be initiated by a web
> script is via ssl, and that costs money for a certificate that most hosts will
> accept.

Why not just set up ssh-agent and add your intended key with ssh-add? Then you
can do password-free logins with subsequent invocations of ssh or scp.

That's probably not the only way you can get what you want with the existing
OpenSSH functionality.

Dennis Gearon writes:
> I would like ssh to have the command line option of supplying the passphrase.

Speaking only for myself: if I were ever to see this option implemented, it
would make me wonder what _other_ mind-bogglingly stupid code was in the
package, and destroy any shred of confidence in openssh as a whole.

Why don't you just set up a passphrase-less key?

    % ssh-keygen -f ~/.ssh/id_wide_open

...then copy the public part to authorized_keys* on the remote machine (and, if
you're wise, set up "from=xxxx" therein).

^E
--
Ed Santiago    Toolsmith    santiago at ascend.com

very dangerous.

ps auxww | grep ssh will tell you why programs generally do not allow passwords
to be put via the commandline.

-rchit

-----Original Message-----
From: Dennis Gearon [mailto:gearond at oit.edu]
Sent: Thursday, July 26, 2001 11:40 AM
To: openssh-unix-dev at mindrot.org
Subject: comment on another command line option

I would like ssh to have the command line option of supplying the passphrase.
This would make it possible to do attendant free scp transfers from PHP, for
example. As it is, it is impossible to use a web script to initiate an scp xfer
if an encrypted private key is used.

I realize that stupid people could make shell scripts or web scripts then with
the pass phrase in them, but those same stupid people are just as likely to walk
out in front of cars. The preferred method is to supply the passphrase through
an ssl connected web page/script for a one time use.

Without the ability to do attendant free scp transfers using pass phrased
private keys, the only remote to remote transfers that can be initiated by a web
script is via ssl, and that costs money for a certificate that most hosts will
accept.

Schematic of intended usage.

Me with SSL browser<----->My company website<------->client website to be
                          with PHP CASE TOOL         edited with PHP
                                                     CASE TOOL

> > A good alternative option is to do what gpg already does and have an
> > option to specify a fd on which a passphrase is passed in.
>
> Yes, or perhaps even having it just come from stdin.

One time I was working on a program that did various things at an elevated
privilege for a web application. I set it up to take its arguments via standard
input. In this particular case I chose to format the input similar to CGI-BIN
parameters, mainly because that was where my head was, but the main point is I
could easily start up the program in perl with a write pipe, and pass the
parameters without them showing up in the process table.

....james

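The point made in the two messages above (a passphrase given as an argument shows up in the process listing, one written down a pipe does not), as an added example that is not part of the original thread. The child program, the sample passphrase and the function names are constructed for illustration; it reads /proc on Linux and falls back to ps elsewhere.

```python
import subprocess
import sys

SECRET = "constructed-passphrase-123"  # constructed sample value, not a real key passphrase

# Hypothetical child program: takes the secret from argv[1] if given, otherwise
# from the first line of stdin; reports its length, then waits for stdin to close.
CHILD = (
    "import sys\n"
    "s = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().rstrip('\\n')\n"
    "print(len(s), flush=True)\n"
    "sys.stdin.read()\n"
)

def visible_args(pid):
    """Argument vector of `pid` as any local user can read it."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:  # Linux
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:  # no /proc: ask ps, as in the thread
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True)
        return out.stdout

def run_child(secret_in_argv):
    """Start the child, hand it SECRET, return (length received, leaked?)."""
    argv = [sys.executable, "-c", CHILD] + ([SECRET] if secret_in_argv else [])
    with subprocess.Popen(argv, stdin=subprocess.PIPE,
                          stdout=subprocess.PIPE, text=True) as p:
        if not secret_in_argv:
            p.stdin.write(SECRET + "\n")  # secret travels over the pipe only
            p.stdin.flush()
        received = int(p.stdout.readline())  # child now holds the secret
        leaked = SECRET in visible_args(p.pid)  # inspect while it is running
        p.stdin.close()  # lets the child exit
        p.wait()
    return received, leaked

if __name__ == "__main__":
    print("argv :", run_child(True))
    print("stdin:", run_child(False))
```

In both runs the child receives the full passphrase; only the argv run exposes it to anyone who lists processes while the child is alive.
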
Previously Ed Santiago wrote:
> Speaking only for myself: if I were ever to see this option
> implemented, it would make me wonder what _other_ mind-bogglingly
> stupid code was in the package, and destroy any shred of
> confidence in openssh as a whole.

A good alternative option is to do what gpg already does and have an option to
specify a fd on which a passphrase is passed in.

Wichert.

--
  _________________________________________________________________
 / Nothing is fool-proof to a sufficiently talented fool \
| wichert at cistron.nl http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |

> Previously Ed Santiago wrote:
> > Speaking only for myself: if I were ever to see this option
> > implemented, it would make me wonder what _other_ mind-bogglingly
> > stupid code was in the package, and destroy any shred of
> > confidence in openssh as a whole.
>
> A good alternative option is to do what gpg already does and have an
> option to specify a fd on which a passphrase is passed in.

OpenSSH has another alternative, SSH_ASKPASS.

--
Darren J Moffat

you can use SSH_ASKPASS

On Thu, Jul 26, 2001 at 11:40:18AM -0700, Dennis Gearon wrote:
> I would like ssh to have the command line option of supplying the passphrase.
> This would make it possible to do attendant free scp transfers from PHP, for
> example. As it is, it is impossible to use a web script to initiate an scp xfer
> if an encrypted private key is used.
>
> I realize that stupid people could make shell scripts or web scripts then with
> the pass phrase in them, but those same stupid people are just as likely to walk
> out in front of cars. The preferred method is to supply the passphrase through
> an ssl connected web page/script for a one time use.
>
> Without the ability to do attendant free scp transfers using pass phrased
> private keys, the only remote to remote transfers that can be initiated by a web
> script is via ssl, and that costs money for a certificate that most hosts will
> accept.
>
> Schematic of intended usage.
>
> Me with SSL browser<----->My company website<------->client website to be
>                           with PHP CASE TOOL         edited with PHP
>                                                      CASE TOOL