From: Egor Duda <deo@logos-m.ru>
To: "David O'Shea" <david@ems.uq.edu.au>
Cc: David Peterson <david.peterson@mail.idrive.com>, cygwin@cygwin.com
Subject: Re: cygwin OpenSSH ssh-agent on Win2000
Date: Fri, 22 Dec 2000 01:31:00 -0000
Message-ID: <124160032744.20001222122818@logos-m.ru>
In-Reply-To: <Pine.LNX.4.10.10012221811150.511-100000@asyoulikeit.ems.uq.edu.au>
Hi!
You can use the following trick: set
SSH_AUTH_SOCK=/tmp/ssh-%USERNAME%/current-agent-socket
in your global Windows environment and run this script at startup:
-------------------snip--------------------
#!/bin/sh
# The globally configured (Windows environment) socket path is a fixed symlink
# name; remember it so every new shell keeps finding it in SSH_AUTH_SOCK.
echo "$SSH_AUTH_SOCK"
global_ssh_auth_sock=$SSH_AUTH_SOCK
# Kill any stale agent and remove its old socket files before starting a new one.
wkill ssh-agent1.exe
rm -f "/tmp/ssh-$USERNAME/current-agent-socket"
rm -f /tmp/ssh-$USERNAME/agent-socket-*
# "ssh-agent -s" prints sh-style export lines; eval them to pick up the new socket.
eval `ssh-agent1.exe -s`
# Point the fixed name at the freshly created per-agent socket file.
ln -s "$SSH_AUTH_SOCK" "/tmp/ssh-$USERNAME/current-agent-socket"
export SSH_AUTH_SOCK=$global_ssh_auth_sock
-------------------snip--------------------
However, note that Cygwin's Unix domain sockets are _FUNDAMENTALLY
INSECURE_, and so I strongly _DISCOURAGE_ usage of ssh-agent under
Cygwin.
When you run ssh-agent under Cygwin it creates an AF_UNIX socket in the
/tmp/ssh-$USERNAME/ directory. Under Cygwin, AF_UNIX sockets are
emulated via AF_INET sockets. You can easily see that if you look
into a /tmp/ssh-$USERNAME/agent-socket-* file via Notepad. You'll see
something like
!<socket >2080
Then run "netstat -a" and surprise! You have some program listening on
port 2080. It's ssh-agent. When ssh receives an RSA challenge from the
server, it refers to the corresponding /tmp/ssh-$USERNAME/agent-socket-*
(under Cygwin, in our case, that means it'll open a connection to
localhost:2080), asks ssh-agent to process the RSA challenge with the
private key it has, and then simply passes the response received from
ssh-agent to the server.
Under Unix, such a scenario works without problems, because the Unix kernel
checks permissions when a program tries to access an AF_UNIX socket. For
AF_INET sockets, however, connections are anonymous (read
"insecure"). Imagine that you have Cygwin ssh-agent running. A
malicious hacker may portscan your box, locate the open port used by
ssh-agent, open a connection to your ssh server, receive an RSA challenge
from it, send it to your ssh-agent via the open port he found, receive the RSA
response, send it to the ssh server and voila, he has successfully logged in
to your server as you.
To Corinna: should Cygwin's OpenSSH port contain ssh-agent at all? Or
perhaps it should issue some warning?
>> Does anyone know how to start the explorer.exe process from ssh-agent when
>> you log into an NT/2000 system?
>>
>> I'm trying to do the same as "ssh-agent /etc/X11/xinit/xclients" to make the
>> ssh agent available to all programs through the environment variables.
>>
>> From within a Cygwin bash shell I can do "exec ssh-agent bash" (followed by
>> ssh-add) and have everything work from that shell, but of course the
>> variables don't exist in any other shells.
>>
>> It would seem like having ssh-agent launch explorer when you log in would
>> work, but I don't know what to tweak where in the registry.
Egor. mailto:deo@logos-m.ru ICQ 5165414 FidoNet 2:5020/496.19
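The exposure Egor describes above, as an added example that is not part of the original message nor of the Cygwin or OpenSSH projects: a Python script that parses the "!<socket >PORT" contents of an emulated socket file and then tests whether an unrelated, credential-less process can complete a TCP connection to that port, which is what ssh's agent client does and what the attacker in the scenario above would do. It assumes the bare socket-file format quoted on this page (later Cygwin releases append a GUID and a secret cookie to that line, which this parser does not handle) and stands up a constructed loopback listener in place of ssh-agent so that it runs offline; the names parse_cygwin_socket_file, port_accepts_anonymous_connection and audit_socket_file are this example's own.

```python
import re
import socket

# Early Cygwin wrote "!<socket >PORT" into the file that stands in for an
# AF_UNIX socket, exactly as quoted in the message above. Later Cygwin
# releases append a GUID and a secret cookie to this line; this example
# assumes the bare form shown on the page (an assumption, not a spec).
SOCKET_FILE_RE = re.compile(r"^!<socket >(\d+)")


def parse_cygwin_socket_file(contents: str):
    """Return the TCP port the emulated AF_UNIX socket really listens on, or None."""
    m = SOCKET_FILE_RE.match(contents)
    if not m:
        return None
    port = int(m.group(1))
    return port if 0 < port < 65536 else None


def port_accepts_anonymous_connection(port: int, host: str = "127.0.0.1",
                                      timeout: float = 1.0) -> bool:
    """Try a plain TCP connect from this process, which presents no credentials.

    A Unix kernel would refuse an AF_UNIX connect based on the socket file's
    permissions; an AF_INET listener has no such check, so success here means
    any local process that can reach the port can talk to the agent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_socket_file(contents: str) -> dict:
    """Combine both checks: which port the file points at, and whether it is open."""
    port = parse_cygwin_socket_file(contents)
    if port is None:
        return {"port": None, "exposed": False}
    return {"port": port, "exposed": port_accepts_anonymous_connection(port)}


def start_fake_agent_listener():
    """Constructed stand-in for ssh-agent: a bare loopback TCP listener on an
    ephemeral port. The kernel completes handshakes into the listen backlog,
    so no accept() loop is needed to observe that connections succeed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_fake_agent_listener()
    # Constructed socket-file contents, in the format the message quotes.
    fake_socket_file = f"!<socket >{port}\n"
    print(audit_socket_file(fake_socket_file))  # exposed: True while the listener is up
    srv.close()
    print(audit_socket_file(fake_socket_file))  # exposed: False once it is gone
```

On a real Cygwin box of that era you would feed audit_socket_file the contents of /tmp/ssh-$USERNAME/agent-socket-* instead of the constructed string; "exposed": True is the condition the message warns about, and the connect succeeds regardless of which user runs the script, because nothing on the AF_INET path consults the socket file's permissions.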
Thread overview: 5+ messages
2000-12-21 18:39 David Peterson
2000-12-21 22:52 ` Richard Y. Kim
2000-12-22 0:36 ` David O'Shea
2000-12-22 1:31 ` Egor Duda [this message]
2001-01-02 18:15 David Peterson