diff options
| author |  Joey Hess <joey@kitenet.net> | 2014-04-25 16:28:58 -0400 |
|---|---|---|
| committer | Joey Hess <joey@kitenet.net> | 2014-04-25 16:28:58 -0400 |
| commit | 059fd34965ed23d0efe5cc2713e23c3be77501ae (patch) | |
| tree | 4e3dbfcf08eb97ef059c22e859530e68e3516a43 /doc/design/assistant/sshpassword.mdwn | |
| parent | 9c3c02ddb3b3d8ef9731b8cf080da159f7320a79 (diff) | |
design
Diffstat (limited to 'doc/design/assistant/sshpassword.mdwn')
| -rw-r--r-- | doc/design/assistant/sshpassword.mdwn | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/doc/design/assistant/sshpassword.mdwn b/doc/design/assistant/sshpassword.mdwn index e38769867..6e6526063 100644 --- a/doc/design/assistant/sshpassword.mdwn +++ b/doc/design/assistant/sshpassword.mdwn @@ -10,3 +10,39 @@ securely? This might come down to a simple change to the webapp to prompt for the password, and then rather a lot of pain to make the webapp use HTTPS so we can be pretty sure noone is sniffing the (localhost) connection. + +## ssh-askpass approach + +* If ssh-askpass is in PATH, do nothing. (Unless webapp is run remotely.) +* Otherwise, have the assistant set `SSH_ASKPASS` to a command that will + cause the webapp to read the password and forward it on. Also, set + DISPLAY to ensure that ssh runs the program. + +Looking at ssh.exe, I think this will even work on windows; it contains the +code to run ssh-askpass. + +### securely handling the password + +* Maybe force upgrade webapp to https? Locally, the risk would be that + root could tcpdump and read password, so not large risk. If webapp + is used remotely, require https. +* Use hs-securemem to store password. +* Avoid storing password for long. Erase it after webapp setup of remote + is complete. Time out after 10 minutes and erase it. +* Prompt using a field name that does not trigger web browser password + saving. + +### ssh-askpass shim, and password forwarding + +`SSH_ASKPASS` needs to be set to a program (probably git-annex) +which gets the password from the webapp, and outputs it to stdout. + +Seems to call for the webapp and program to communicate over a local +socket (locked down so only user can access) or environment. +Environment is not as secure (easily snooped by root). +Local socket probably won't work on Windows. + +Note that the webapp can probe to see if ssh needs a password, and can +prompt the user for it before running ssh and the ssh-askpass shim. +This avoids some complexity, and perhaps some attack vectors, +if the shim cannot requst an arbitrary password prompt. |