openssh unix dev - Nov 2006 - Pawel Krupinski's ssh-decrypt ssh-encrypt proposal

This sounded extremely interesting to me.

one suggestion I would have is to use uuencoding first on encryption
and uudecode on decryption to take care of the problem you mentioned
"Of course RSA puts limits on the data that
can be encrypted" that should take care of that.

I was looking for a way of using ssh-agent to be used to allow certain
applications to get passwords.
Example:
I use wpa_supplicant to connect to my wireless network. I would like a
way of not leaving the password in the file unencrypted. If there was
a way to have it ask ssh-agent for the private key to unencrypt the
password to send it then I could have just the password for my private
key to type in.

On Wed, Nov 22, 2006 at 01:25:53PM -0700, Jeff Sadowski
wrote:
> This sounded extremely interesting to me.
http://www.gentoo.org/proj/en/keychain/ may also be interesting.

As for ssh-agent, I'm not sure I want it to do any tricks. I trust it
with my keys so I want it to be REALLY simple.


//Peter

Hi Peter,
> http://www.gentoo.org/proj/en/keychain/ may also be
interesting.

It is interesting and actually it is something I have
in my mind as a backup solution... 

In my case: we are using OpenSSH, so we have
infrastructure to support OpenSSH based solution. With
gpg we would have to create a new infrastrcuture from
scratch and the purpose of this infrastructure would
be exactly the same - cryptographic solution capable
to perform private/public key operations; therefore we
think it is just better for us to stick to OpenSSH -
we like to keep things simple.

If I fail to convince you, we either:
1. Support this solution internally (hopefully you are
not changing ssh-agent interface too often ;-)));
2. We will look into alternative solutions, such as
gpg based.

One question regarding keychain. Quoting the keychain
page: "It acts as a front-end to ssh-agent". Do you
guys work with them to make sure that patches/changes
to the API don't affect their solution? This is the
only thing that puts us off from the internal support,
so wondering how others handling it. 
> As for ssh-agent, I'm not sure I want it to do any 
> tricks. I trust it
> with my keys so I want it to be REALLY simple.
Well, not sure if I called it a trick - "give
passphrase once, use private key multiple times" is
what ssh-agent is for ;-)))
Currently there is another tool ssh-sign and using the
configuration file you can turn it on and off. The
same can be applied to ssh-{en|de}crypt.
If this change would require changes to API etc, I
wouldn't have put forward this solution, but as these
changes seems pretty easy, I think it is worth it.

Cheers,
- pak76



It seems there were some maintenance things going on
yesterday with the server, so I will repost my
yesterday's e-mail:

Hi,

Not sure if you had time to go through the code.
Changes I did to OpenSSH are rather limited - OpenSSH
is written in such a way that I didn't have to change
communication channel between applications and
ssh-agent. Implementation of the ssh-decrypt was as
easy as establishing a new message, search the keys
and decrypting using the private key.

As I said it was just a very quick PoC, but if it is
of interest to OpenSSH, I can develop it correctly
over the next few days and have it up and ready on
Monday.

One question regarding the interface. As ssh-agent can
have multiple keys, what would be the best way to
determine which one to use ? Sending the public part?
Currently I'm trying out all keys and it is not the
best possible option...

Thanks,
pak76


Send instant messages to your online friends http://uk.messenger.yahoo.com