n3rd at Safe-mail.net
2012-Aug-31 12:40 UTC
How to detect if key ssh-add'ed with '-c' or without?
Hi all. Some background: I'm using my own wrapper script for ssh that deals with a multitude of IP addresses, user accounts, keys and other ssh parameters for a bunch of managed hosts.

On X session start I (actually, my script) load all my private keys with 'ssh-add -c', to get confirmation on every key usage.

This works badly with autossh, so I would like to add some logic: if I specify to run autossh with some host/user/key, the script will reload the private key without the -c option (asking me for the password). And maybe at the end of the autossh session, reload the key back with 'ssh-add -c'.

So, how can I detect if a key was loaded with the -c option or without? 'ssh-add -l' lacks such information.

My last guess is this: before actually starting autossh, it's possible to set some small script as SSH_ASKPASS, try to use the key, and if that script is launched, it means I need to reload the key without '-c'. Ugly.

PS: BTW there is also no way to get the key expiration time (if set with 'ssh-add -t').
On Fri, 31 Aug 2012, n3rd at Safe-mail.net wrote:

> Hi all. Some background: I'm using my own wrapper script for ssh that
> deals with multitude of IP addresses, user accounts, keys and other
> ssh parameters for bunch of managed hosts.
>
> On X session start i (actually, my script) load all my private keys
> with 'ssh-add -c', to get confirmation on every key usage.
>
> This works bad with autossh, so i would like to add some logic: if I
> specify to run autossh with some host/user/key, the scipt will reload
> the private key without -c option (asking me for password). And maybe
> at the end of autossh session, reload the key back with 'ssh-add -c'.
>
> So, how can i detect if key loaded with -c option or without?

You can't, and you won't without a protocol extension to ssh-agent. At the moment the key query message and responses don't have fields to indicate whether any constraints were set. See PROTOCOL.agent in the OpenSSH source for details.

It probably wouldn't be something that one would want to advertise to an attacker anyway, as stumbling over keys that require confirmation is the sort of thing that gives them away...

> My last guess is such: before actually start autossh it's possible to
> set some small script at SSH_ASKPASS, try to use the key, and if that
> script is launched, it means i need to reload the key without '-c'.
> Ugly.

Worse, it won't work - SSH_ASKPASS needs to be set for ssh-agent, not ssh-add. So you can't reset it easily like this.

> PS: BTW there is also no way to get key expiration time (if set
> with 'ssh-add -t').

Same problem - expiration times are key constraints like confirm-required.

-d
n3rd at Safe-mail.net
2012-Aug-31 13:18 UTC
How to detect if key ssh-add'ed with '-c' or without?
Damien, thank you for the fast response! OK, I will just keep a list of keys loaded with '-c' in some /tmp/file, and will correct it in the process.

-------- Original Message --------
From: Damien Miller <djm at mindrot.org>
To: n3rd at Safe-mail.net
Cc: openssh-unix-dev at mindrot.org
Subject: Re: How to detect if key ssh-add'ed with '-c' or without?
Date: Fri, 31 Aug 2012 22:49:32 +1000 (EST)
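One way to implement the state-file workaround from the follow-up above, as an added example that is not code from the thread or from OpenSSH: the wrapper records each key's fingerprint together with whether it was loaded with -c, and swaps the constraint around an autossh run. The CONFIRM_STATE path, the function names, and keeping the file under ~/.ssh with mode 0600 instead of a world-readable /tmp file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSH. ssh-agent cannot report
# whether a key carries the confirm constraint, so the wrapper records it
# itself. The state file is kept under ~/.ssh with mode 0600 rather than in
# world-readable /tmp, so other local users cannot see which keys lack -c.
# CONFIRM_STATE and all function names are assumptions of this example.
: "${CONFIRM_STATE:=${HOME}/.ssh/confirm-loaded-keys}"

# Fingerprint as 'ssh-add -l' prints it; the state file never holds key material.
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# Record confirm|plain for a fingerprint, replacing any earlier entry.
# Written via a 0600 temp file and renamed so a crash cannot leave a torn file.
record_state() {   # $1 = fingerprint, $2 = confirm|plain
    fp=$1; mode=$2; tmp="${CONFIRM_STATE}.tmp.$$"
    ( umask 077
      { [ -f "$CONFIRM_STATE" ] && awk -v fp="$fp" '$1 != fp' "$CONFIRM_STATE"
        echo "${fp} ${mode}"; } > "$tmp" )
    mv "$tmp" "$CONFIRM_STATE"
}

# Print confirm|plain for a fingerprint, or unknown if it was never recorded.
query_state() {
    [ -f "$CONFIRM_STATE" ] || { echo unknown; return 0; }
    m=$(awk -v fp="$1" '$1 == fp {print $2}' "$CONFIRM_STATE")
    echo "${m:-unknown}"
}

# Drop the key (and with it the old constraint), re-add it as requested,
# then update the record. ssh-add prompts for the passphrase as usual.
reload_key() {     # $1 = private key path, $2 = confirm|plain
    key=$1; mode=$2
    ssh-add -d "$key" 2>/dev/null || true
    if [ "$mode" = confirm ]; then ssh-add -c "$key"; else ssh-add "$key"; fi
    record_state "$(key_fingerprint "$key")" "$mode"
}

# autossh cannot answer confirmation prompts: load the key plainly only if our
# record says it is not already, run autossh, then put the constraint back.
run_autossh_with_key() {   # $1 = key path; remaining args are passed to autossh
    key=$1; shift
    [ "$(query_state "$(key_fingerprint "$key")")" = plain ] || reload_key "$key" plain
    autossh "$@"
    reload_key "$key" confirm
}
```

The record only reflects what this wrapper did; a key added by hand with a different constraint will be misreported until it is reloaded through the wrapper.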