author Joey Hess <joey@kitenet.net> 2014-04-25 16:28:58 -0400
committer Joey Hess <joey@kitenet.net> 2014-04-25 16:28:58 -0400
commit 059fd34965ed23d0efe5cc2713e23c3be77501ae
tree 4e3dbfcf08eb97ef059c22e859530e68e3516a43 /doc/design/assistant
parent 9c3c02ddb3b3d8ef9731b8cf080da159f7320a79
design
Diffstat (limited to 'doc/design/assistant')
-rw-r--r-- doc/design/assistant/sshpassword.mdwn 36
1 files changed, 36 insertions, 0 deletions
diff --git a/doc/design/assistant/sshpassword.mdwn b/doc/design/assistant/sshpassword.mdwn
index e38769867..6e6526063 100644
--- a/doc/design/assistant/sshpassword.mdwn
+++ b/doc/design/assistant/sshpassword.mdwn
@@ -10,3 +10,39 @@ securely?
This might come down to a simple change to the webapp to prompt for the
password, and then rather a lot of pain to make the webapp use HTTPS so we
can be pretty sure noone is sniffing the (localhost) connection.
+
+## ssh-askpass approach
+
+* If ssh-askpass is in PATH, do nothing. (Unless webapp is run remotely.)
+* Otherwise, have the assistant set `SSH_ASKPASS` to a command that will
+ cause the webapp to read the password and forward it on. Also, set
+ DISPLAY to ensure that ssh runs the program.
+
+Looking at ssh.exe, I think this will even work on windows; it contains the
+code to run ssh-askpass.
+
+### securely handling the password
+
+* Maybe force upgrade webapp to https? Locally, the risk would be that
+ root could tcpdump and read password, so not large risk. If webapp
+ is used remotely, require https.
+* Use hs-securemem to store password.
+* Avoid storing password for long. Erase it after webapp setup of remote
+ is complete. Time out after 10 minutes and erase it.
+* Prompt using a field name that does not trigger web browser password
+ saving.
+
+### ssh-askpass shim, and password forwarding
+
+`SSH_ASKPASS` needs to be set to a program (probably git-annex)
+which gets the password from the webapp, and outputs it to stdout.
+
+Seems to call for the webapp and program to communicate over a local
+socket (locked down so only user can access) or environment.
+Environment is not as secure (easily snooped by root).
+Local socket probably won't work on Windows.
+
+Note that the webapp can probe to see if ssh needs a password, and can
+prompt the user for it before running ssh and the ssh-askpass shim.
+This avoids some complexity, and perhaps some attack vectors,
+if the shim cannot requst an arbitrary password prompt.
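
Review bot: In the "ssh-askpass shim, and password forwarding" section, the reason given for preferring the socket over the environment ("easily snooped by root") does not separate the two options, because root can equally trace the processes on either end of a local socket, and the earlier bullet already treats root reading the password with tcpdump as "not large risk". The stronger argument against the environment is that the value is inherited by ssh and anything it spawns and stays set for the life of those processes, which works against the "Avoid storing password for long" bullet; suggest stating that instead. Two smaller points: the first list says to set DISPLAY "to ensure that ssh runs the program", but by default ssh only runs the SSH_ASKPASS program when it has no terminal associated with it, so the doc should say how the assistant will run ssh; and "requst" in the last line should be "request".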