ssh-agent and ssh-add have a lifetime function. ssh-add has the -c/SSH_ASKPASS feature. This appears to be useful, but deviates from the usual user experience as per Mozilla's personal security module (PSM), password-protected screen-locks, etc. Therefore, I suggest enhancing ssh-agent such that there is a timeout option that defaults to e.g. 15 minutes. If no key has been used through ssh-agent during the timeout period, ssh-agent is temporarily disabled. Re-enabling could be done by popping up a password panel asking for the password for i) the first identity that was added, ii) the default identity, or iii) the identity about to be used next.
That's not too hard with the current code, and you could use the 'passwd' lock feature for something similar: specify timeout x and enter the passwd on agent startup. After x seconds of activity the agent will 'autolock'. Use ssh-add -X to unlock the agent.
Just trying to understand, assuming a 15-minute timeout: so as per http://bugzilla.mindrot.org/show_bug.cgi?id=481, I do
i) setenv SSH_ASKPASS tbd
ii) eval `ssh-agent -c -t 900`   # I don't see a passwd option here?
iii) ssh-add -x   # now a password is set
iv) ssh-add identity-files
v) ssh-add -X   # unlock - probably immediately or only after 15 minutes?
Questions:
1) Wouldn't step iii) lock immediately and not only after 15 minutes?
2) What do you recommend under cygwin/win2k for the SSH_ASKPASS?
Skip (iii). The agent should ask in step (ii); (v) comes after 15 minutes.
O.k., 1) So does this mean that the description of the ssh-agent -t option could be amended as follows:
<< With this option, a password will be asked at start-up. Once the lifetime is reached <em>ssh-add -X</em> allows you to run for another "lifetime" again. >>
Patch http://bugzilla.mindrot.org/attachment.cgi?id=231&action=edit in http://bugzilla.mindrot.org/show_bug.cgi?id=481
2) I am using cygwin's openssh 3.5p1-3 and couldn't test it...
rhauser@PC:/<3>rhauser/Desktop> eval `ssh-agent -c -t 900`
ssh-agent: unknown option -- t
Usage: ssh-agent [options] [command [args ...]]
Options:
  -c          Generate C-shell commands on stdout.
  -s          Generate Bourne shell commands on stdout.
  -k          Kill the current agent.
  -d          Debug mode.
  -a socket   Bind agent socket to given name.
3) Any recommendations on SSH_ASKPASS for win2k/cygwin?
> Any recommendations on SSH_ASKPASS for win2k/cygwin?

Have you tried x11-ssh-askpass with XFree86 on cygwin? I've not received any feedback about whether it works there or not. http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/
Thanks for the hint - I also found some source code in cygwin (http://cygwin.com/cgi-bin2/package-cat.cgi?file=openssh/openssh-3.5p1-3-src&grep=ssh-askpass), but no binary. Do you have a binary of it? So far, I hoped not to have to compile programs for cygwin myself. Further questions:
1) Is there no way to get a password into ssh-agent short of major environments such as X, Gtk, GNOME and the like?
2) Is anybody aware of a binary other than the Japanese one at http://www.mail-archive.com/cygwin-xfree@cygwin.com/msg02925.html (--> http://www.ganaware.jp/S/win-ssh-askpass/)?
> Do you have a binary of it?

No, I don't; I don't have a Cygwin environment to build or test on.

> 1) Is there no way to get a password into ssh-agent short of
> major environments such as X, Gtk, gnome and alike ?

Yes. x11-ssh-askpass uses a fairly simple "protocol" to get the passphrase to ssh-add. From the man page:

    If exactly one non-option argument is provided on the command line, it is displayed in the dialog instead of the default label. If the argument contains newline characters ('\n'), each line of text is displayed on a separate line in the dialog.

ssh-add uses pipe(2)+fork(2)+dup(2)+exec(3) to run the ssh-askpass program with its standard output connected back to a file descriptor in ssh-add. When the passphrase is accepted (in the case of x11-ssh-askpass, when the 'OK' button is clicked, or when [Enter] is pressed), the passphrase is printed on the standard output, followed by a newline ('\n'). If the passphrase dialog is cancelled, ssh-askpass prints nothing (not even a newline) and exits (thus closing stdout).

I don't see why you couldn't write an ssh-askpass program that, for example, started in a command window under Win32. For that matter, it's probably not that difficult for an experienced Win32 programmer (which I am not) to write a Win32-native ssh-askpass.
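The askpass contract described in the comment above, as an added example that is not part of the original thread, of OpenSSH, or of x11-ssh-askpass: a small Python model of both sides. `ssh_askpass()` plays the ssh-add role (child spawned with the prompt as its single argument, stdout connected back over a pipe, empty output treated as cancel), and two constructed stand-in askpass programs play the dialog, one accepting and one cancelling. The passphrase, the key path in the prompt and the stand-in scripts are made up; running the stand-ins through the Python interpreter instead of exec'ing a native askpass binary is an assumption made so the example is self-contained.

```python
"""Model of the ssh-askpass <-> ssh-add contract (added example, not OpenSSH code)."""
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for an askpass program that "accepts": it gets the prompt
# as its one argument (each '\n'-separated line would be one dialog line), never
# reads stdin, and writes the passphrase plus a trailing '\n' to stdout.
ACCEPTING_ASKPASS = r'''
import sys
prompt = sys.argv[1] if len(sys.argv) == 2 else "Enter passphrase:"
for line in prompt.split("\n"):          # where a GUI would draw one label per line
    sys.stderr.write("[dialog] %s\n" % line)
sys.stdout.write("correct horse battery staple\n")   # made-up passphrase
'''

# Constructed stand-in that "cancels": nothing on stdout, not even a newline;
# exiting closes the pipe so the caller reads EOF.
CANCELLING_ASKPASS = r'''
import sys
sys.stderr.write("[dialog] cancelled\n")
sys.exit(1)
'''


def ssh_askpass(program, prompt, timeout=10):
    """Caller side, as ssh-add does it: pipe + fork + exec, child's stdout on our
    pipe, exactly one argument (the prompt).  Returns the passphrase (first line,
    CR/LF stripped) or None when the dialog was cancelled, i.e. the child closed
    stdout without writing anything.  A real ssh-add exec's the askpass binary
    directly; the interpreter in argv[0] here is an assumption for portability.
    """
    proc = subprocess.run(
        [sys.executable, program, prompt],
        stdin=subprocess.DEVNULL,        # the askpass program must not read stdin
        stdout=subprocess.PIPE,          # this is the only channel of the protocol
        timeout=timeout,
    )
    if not proc.stdout:
        return None
    # Only the first line is the passphrase; anything after the newline is ignored.
    return proc.stdout.split(b"\n", 1)[0].rstrip(b"\r").decode()


def run_stand_in(source, prompt):
    """Write a stand-in askpass program to a temp file, run it once, clean up."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as f:
        f.write(source)
    try:
        return ssh_askpass(path, prompt)
    finally:
        os.unlink(path)


def demo():
    """Run both stand-ins against a two-line prompt; returns (accepted, cancelled)."""
    prompt = "Enter passphrase for\n/home/user/.ssh/id_rsa:"   # constructed path
    accepted = run_stand_in(ACCEPTING_ASKPASS, prompt)
    cancelled = run_stand_in(CANCELLING_ASKPASS, prompt)
    return accepted, cancelled


if __name__ == "__main__":
    got, none = demo()
    print("accepted  ->", repr(got))    # 'correct horse battery staple'
    print("cancelled ->", repr(none))   # None
```

When writing a real askpass for Cygwin or Win32 the same two rules apply: print the passphrase and one newline on accept, and print nothing at all on cancel, since the caller cannot tell an empty passphrase from a cancel any other way. Also note that ssh-add of that era only fell back to SSH_ASKPASS when it could not open a terminal for the prompt and DISPLAY was set, which is why `ssh-add < /dev/null` is the usual way to force the askpass path.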
BTW, the Japanese binaries are here: http://matsu-www.is.titech.ac.jp/~sohda/cygwin/dist/packages/win-ssh-askpass/ And as per http://bugzilla.mindrot.org/show_bug.cgi?id=496#c4, cygwin apparently doesn't offer the -t option yet (see http://sources.redhat.com/ml/cygwin/2003-02/msg01491.html).
Created attachment 266: Readme.txt for the Japanese win-ssh-agent.exe/win-ssh-askpass.exe, proofread by Nayuta
Thanks to Corinna, I now can test it on the new cygwin version. Results:
a) [ -S $SSH_AUTH_SOCK ] || eval `ssh-agent -t 900 -sa $SSH_AUTH_SOCK` doesn't ask for the lock password (as hinted in http://bugzilla.mindrot.org/show_bug.cgi?id=496#c3). What did I do wrong?
b) If I manually add "ssh-add -x" I get asked for the lock password twice. This is unnecessary overhead - my screenlock also doesn't need to be configured manually each time I login. It should be possible to take a default password (e.g. the same one as the default identity .ssh/id_rsa has).
c) After the time-out, instead of trying to unlock by issuing "ssh-add -X" itself, the next ssh command will just no longer use my authorized_keys, but degrades the security level and asks for my server-side password.
d) The lock appears to take place after "elapsed seconds". It would be great if it also could be configured to only consider "idle seconds".
PuTTY's pageant.exe will eventually address this too: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/pageant-key-mgmt.html
*** This bug has been marked as a duplicate of bug 437 ***
Change all RESOLVED bugs to CLOSED, with the exception of the ones fixed post-4.4.