aboutsummaryrefslogtreecommitdiff
path: root/doc/design/assistant/sshpassword.mdwn
blob: 6e6526063b9e22a661e5bb6ec2f3274f4d9c3473 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

Currently the assistant sets up dedicated ssh keys, that can just use
git-annex. This is ok. The problem is that the initial 2 connections to the
ssh server when setting up these keys involve a password prompt, which is
done at the console unless the system happens to have a working ssh agent
that can pop up a dialog. That can be confusing.

It would be nice to have the webapp prompt for the password. Can it be done
securely?

This might come down to a simple change to the webapp to prompt for the
password, and then rather a lot of pain to make the webapp use HTTPS so we
can be pretty sure noone is sniffing the (localhost) connection.

## ssh-askpass approach

* If ssh-askpass is in PATH, do nothing. (Unless webapp is run remotely.)
* Otherwise, have the assistant set `SSH_ASKPASS` to a command that will
  cause the webapp to read the password and forward it on. Also, set
  DISPLAY to ensure that ssh runs the program.

Looking at ssh.exe, I think this will even work on windows; it contains the
code to run ssh-askpass.

### securely handling the password

* Maybe force upgrade webapp to https? Locally, the risk would be that
  root could tcpdump and read password, so not large risk. If webapp
  is used remotely, require https.
* Use hs-securemem to store password.
* Avoid storing password for long. Erase it after webapp setup of remote
  is complete. Time out after 10 minutes and erase it.
* Prompt using a field name that does not trigger web browser password
  saving.

### ssh-askpass shim, and password forwarding

`SSH_ASKPASS` needs to be set to a program (probably git-annex)
which gets the password from the webapp, and outputs it to stdout.

Seems to call for the webapp and program to communicate over a local
socket (locked down so only user can access) or environment.
Environment is not as secure (easily snooped by root).
Local socket probably won't work on Windows.

Note that the webapp can probe to see if ssh needs a password, and can
prompt the user for it before running ssh and the ssh-askpass shim.
This avoids some complexity, and perhaps some attack vectors,
if the shim cannot requst an arbitrary password prompt.
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-01 05:40:17 +0000