path: root/doc/design/assistant/sshpassword.mdwn
Diffstat (limited to 'doc/design/assistant/sshpassword.mdwn')
-rw-r--r-- doc/design/assistant/sshpassword.mdwn 37
1 files changed, 37 insertions, 0 deletions
diff --git a/doc/design/assistant/sshpassword.mdwn b/doc/design/assistant/sshpassword.mdwn
index e38769867..0113144c5 100644
--- a/doc/design/assistant/sshpassword.mdwn
+++ b/doc/design/assistant/sshpassword.mdwn
@@ -10,3 +10,40 @@ securely?
This might come down to a simple change to the webapp to prompt for the
password, and then rather a lot of pain to make the webapp use HTTPS so we
can be pretty sure noone is sniffing the (localhost) connection.
+
+## ssh-askpass approach
+
+* If ssh-askpass is in PATH, or `SSH_ASKPASS` is set, do nothing.
+ (Unless webapp is run remotely.)
+* Otherwise, have the assistant set `SSH_ASKPASS` to a command that will
+ cause the webapp to read the password and forward it on. Also, set
+ DISPLAY to ensure that ssh runs the program.
+
+Looking at ssh.exe, I think this will even work on windows; it contains the
+code to run ssh-askpass.
+
+### securely handling the password
+
+* Maybe force upgrade webapp to https? Locally, the risk would be that
+ root could tcpdump and read password, so not large risk. If webapp
+ is being accessed remotely, absolutely: require https.
+* Use hs-securemem to store password.
+* Avoid storing password for long. Erase it after webapp setup of remote
+ is complete. Time out after 10 minutes and erase it.
+* Prompt using a html field name that does not trigger web browser password
+ saving if possible.
+
+### ssh-askpass shim, and password forwarding
+
+`SSH_ASKPASS` needs to be set to a program (probably git-annex)
+which gets the password from the webapp, and outputs it to stdout.
+
+Seems to call for the webapp and program to communicate over a local
+socket (locked down so only user can access) or environment.
+Environment is not as secure (easily snooped by root).
+Local socket probably won't work on Windows. Could just use a temp file.
+
+Note that the webapp can probe to see if ssh needs a password, and can
+prompt the user for it before running ssh and the ssh-askpass shim.
+This avoids some complexity, and perhaps some attack vectors,
+if the shim cannot requst an arbitrary password prompt.
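
Review bot: In "ssh-askpass shim, and password forwarding", the fallback "Could just use a temp file" carries none of the constraints the other transports get: the socket is specified as "locked down so only user can access", but the temp file has no stated permissions or deletion point. It also sits awkwardly with the earlier bullets "Use hs-securemem to store password" and "Erase it after webapp setup of remote is complete", since a password written to a file is outside securemem and nothing here ties the file to the 10 minute erase. Suggest stating that the file is created readable only by the user, removed by the shim as soon as it has been read, and covered by the same timeout. Two smaller points: the first bullet's "(Unless webapp is run remotely.)" does not say what the assistant does in that case, and "requst" in the last line should be "request".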