Re: cygwin OpenSSH ssh-agent on Win2000

[Egor Duda <deo@logos-m.ru>]

Hi!

you can use the following trick:

set SSH_AUTH_SOCK=/tmp/ssh-%USERNAME%/current-agent-socket

in your global windows enwironment and run this script at startup

-------------------snip--------------------
#!/bin/sh

echo $SSH_AUTH_SOCK

global_ssh_auth_sock=$SSH_AUTH_SOCK

wkill ssh-agent1.exe
rm -f /tmp/ssh-$USERNAME/current-agent-socket
rm -f /tmp/ssh-$USERNAME/agent-socket-*
eval `ssh-agent1.exe -s`
ln -s $SSH_AUTH_SOCK /tmp/ssh-$USERNAME/current-agent-socket

export SSH_AUTH_SOCK=$global_ssh_auth_sock

-------------------snip--------------------

however,  note  that  cygwin's  unix domain sockets are _FUNDAMENTALLY
INSECURE_  and  so  i  strongly  _DISCOURAGE_ usage of ssh-agent under
cygwin.

when  you  run  ssh-agent  under  cygwin  it creates AF_UNIX socket in
/tmp/ssh-$USERNAME/  directory.  under  cygwin  AF_UNIX  sockets  are
emulated  via  AF_INET sockets. you can easily see that if you'll look
into  /tmp/ssh-$USERNAME/agent-socket-*  file  via notepad. you'll see
the something like

!<socket >2080

then run "netstat -a" and surprise! you have some program listening to
port  2080.  it's  ssh-agent.  when  ssh  receives  RSA challenge from
server,  it  refers to corresponding /tmp/ssh-$USERNAME/agent-socket-*
(under  cygwin,  in  our  case,  that  means  it'll open connection to
localhost:2080)  and  asks  ssh-agent  to  process  RSA challenge with
private  key  it has, and then it simply passes response received from
ssh-agent to server.

under  unix, such scenario works without problems, because unix kernel
checks  permissions  when  program tries to access AF_UNIX socket. For
AF_INET    sockets,   however,   connections   are   anonymous  (read
"insecure").   Imagine,  that  you  have  cygwin  ssh-agent  running.
malicious  hacker  may  portscan  your  box,  locate open port used by
ssh-agent,  open  connection to your ssh server, receive RSA challenge
from it, send it to your ssh-agent via open port he found, receive RSA
response,  send  it to ssh server and voila, he successfully logged in
to your server as you.

To  Corinna: should cygwin's openssh port contain ssh-agent at all? or
perhaps it should issue some warning?

>> Does anyone know how to start the explorer.exe process from ssh-agent when
>> you log into an NT/2000 system?
>> 
>> I'm trying to do the same as "ssh-agent /etc/X11/xinit/xclients" to make the
>> ssh agent available to all programs through the environment variables.
>> 
>> >From within a cygwin bash shell I can do "exec ssh-agent bash" (followed by
>> ssh-add) and have everything work from that shell, but of course the
>> variables don't exist in any other shells.
>> 
>> It would seem like having ssh-agent launch explorer when you log in would
>> work, but I don't know what to tweak where in the registry.

Egor.            mailto:deo@logos-m.ru ICQ 5165414 FidoNet 2:5020/496.19



--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple