public inbox for cygwin@cygwin.com
* cygwin OpenSSH ssh-agent on Win2000
@ 2000-12-21 18:39 David Peterson
  2000-12-21 22:52 ` Richard Y. Kim
  2000-12-22  0:36 ` David O'Shea
  0 siblings, 2 replies; 5+ messages in thread
From: David Peterson @ 2000-12-21 18:39 UTC (permalink / raw)
  To: cygwin

Hello,

Does anyone know how to start the explorer.exe process from ssh-agent when
you log into an NT/2000 system?

I'm trying to do the same as "ssh-agent /etc/X11/xinit/xclients" to make the
ssh agent available to all programs through the environment variables.

From within a cygwin bash shell I can do "exec ssh-agent bash" (followed by
ssh-add) and have everything work from that shell, but of course the
variables don't exist in any other shells.

It would seem like having ssh-agent launch explorer when you log in would
work, but I don't know what to tweak where in the registry.

Thanks,
-dave.



--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple


* cygwin OpenSSH ssh-agent on Win2000
  2000-12-21 18:39 cygwin OpenSSH ssh-agent on Win2000 David Peterson
@ 2000-12-21 22:52 ` Richard Y. Kim
  2000-12-22  0:36 ` David O'Shea
  1 sibling, 0 replies; 5+ messages in thread
From: Richard Y. Kim @ 2000-12-21 22:52 UTC (permalink / raw)
  To: David Peterson; +Cc: cygwin

See 

    http://sources.redhat.com/ml/cygwin/2000-08/msg00834.html

which suggested the use of the setx.exe utility from the w2k
resource kit.  setx.exe allows you to set an environment
variable for the whole operating system rather than just the
particular shell that you are using.

I wrote the following bash script which I've been using for a
few months:

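# Start the agent and import SSH_AUTH_SOCK / SSH_AGENT_PID into this shell.
eval "$(ssh-agent -s)"

if [ "$OSTYPE" = "cygwin" ]; then
  # Publish both variables machine-wide (-m) so other programs can see them.
  setx SSH_AUTH_SOCK "$SSH_AUTH_SOCK" -m
  setx SSH_AGENT_PID "$SSH_AGENT_PID" -m
fi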


>>>>> "DP" == David Peterson <david.peterson@mail.idrive.com> writes:

    DP> Hello,
    DP> Does anyone know how to start the explorer.exe process from ssh-agent when
    DP> you log into an NT/2000 system?

    DP> I'm trying to do the same as "ssh-agent /etc/X11/xinit/xclients" to make the
    DP> ssh agent available to all programs through the environment variables.

    DP> From within a cygwin bash shell I can do "exec ssh-agent bash" (followed by
    DP> ssh-add) and have everything work from that shell, but of course the
    DP> variables don't exist in any other shells.

    DP> It would seem like having ssh-agent launch explorer when you log in would
    DP> work, but I don't know what to tweak where in the registry.

    DP> Thanks,
    DP> -dave.




* Re: cygwin OpenSSH ssh-agent on Win2000
  2000-12-21 18:39 cygwin OpenSSH ssh-agent on Win2000 David Peterson
  2000-12-21 22:52 ` Richard Y. Kim
@ 2000-12-22  0:36 ` David O'Shea
  2000-12-22  1:31   ` Egor Duda
  1 sibling, 1 reply; 5+ messages in thread
From: David O'Shea @ 2000-12-22  0:36 UTC (permalink / raw)
  To: David Peterson; +Cc: cygwin

Dear David,
	I haven't tried to do what you're doing, but possibly what I've
done will be of use to you.  I wanted a script to start explorer.exe on a
Windows 95 machine.  Here's what I did:

1. edit system.ini, and change the shell= line under the [boot] section.
This will probably be "explorer.exe".  You could set this to whatever you
want to run instead of explorer.exe (which can then start explorer.exe
itself), but there's one catch: explorer.exe checks this line to see if
it's the login shell.  It does this by seeing if the basename of the first
word is "explorer.exe", and if it is, it will bring up the task bar,
desktop, etc., otherwise it'll just show your "Windows Explorer" window.
My solution to this problem is to make a copy of start.exe called
"explorer.exe".  Explorer doesn't check the parameters, so here's my line:

shell=d:\usr\local\lib\winlogin\explorer.exe d:\usr\local\bin\winlogin.pif

winlogin.pif runs a batch file.  It'd be nice if it was a bash script, but
if you run the real Explorer from a cygwin app, that tty stays associated
with Explorer, and if you have any console apps that are run via context
menus in Explorer (e.g. a "Command Prompt Here" option when you
right-click a folder), most of the output from 16-bit and all of the
output from 32-bit apps will go to the tty you launched Explorer from, not
the console that was opened for the app.  I tried all sorts of ways to
dissociate the tty from Explorer: both 16 and 32-bit console and GUI apps
that execute Explorer, but I still couldn't get around this problem.  For
some strange reason, console apps run any other way (i.e. by opening them
in a folder or selecting them from the Start Menu) weren't affected.
Shame I'm so used to being able to right-click and pick "MS-DOS" or
"bash"..

2. Now you have to make the batch file.  You can run bash scripts from
here if you like, but it has to be the batch file that executes Explorer.
If you want to set environment variables, you have to use "winset" (came
with the Windows 95 resource kit) or else (off the top of my head) all
console apps won't see the variables.  However, if you use winset,
Explorer won't see the variables, and neither will non-console apps, so
the easiest solution is to use winset and then start explorer in this way:

start /m %COMSPEC% /c c:\windows\explorer.exe

Doing that creates a new console window with new environment variables set
by winset (the console you use winset in won't see the effects of winset)
so that Explorer can see them.

I guess that's about it.  As I said, this was for Windows 95, so it might
be easier, or be done completely differently, on NT/2000.  I've never
looked for a system.ini on an NT machine, so I don't even know if they
have them.  Even if this does work, I guess you'd have to do a bit of work
to adapt ssh-agent to work with the batch file and use winset to set
environment variables.

Good luck!
DOS

> Does anyone know how to start the explorer.exe process from ssh-agent when
> you log into an NT/2000 system?
> 
> I'm trying to do the same as "ssh-agent /etc/X11/xinit/xclients" to make the
> ssh agent available to all programs through the environment variables.
> 
> From within a cygwin bash shell I can do "exec ssh-agent bash" (followed by
> ssh-add) and have everything work from that shell, but of course the
> variables don't exist in any other shells.
> 
> It would seem like having ssh-agent launch explorer when you log in would
> work, but I don't know what to tweak where in the registry.



* Re: cygwin OpenSSH ssh-agent on Win2000
  2000-12-22  0:36 ` David O'Shea
@ 2000-12-22  1:31   ` Egor Duda
  0 siblings, 0 replies; 5+ messages in thread
From: Egor Duda @ 2000-12-22  1:31 UTC (permalink / raw)
  To: David O'Shea; +Cc: David Peterson, cygwin

Hi!

you can use the following trick:

set SSH_AUTH_SOCK=/tmp/ssh-%USERNAME%/current-agent-socket

in your global windows environment and run this script at startup

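-------------------snip--------------------
#!/bin/sh

# Show and remember the fixed, well-known socket path from the global environment.
echo "$SSH_AUTH_SOCK"
global_ssh_auth_sock=$SSH_AUTH_SOCK

# Stop any previous agent and clear its stale socket files.
wkill ssh-agent1.exe
rm -f "/tmp/ssh-$USERNAME/current-agent-socket"
rm -f "/tmp/ssh-$USERNAME"/agent-socket-*

# Start a new agent; eval sets SSH_AUTH_SOCK to its freshly created socket.
eval "$(ssh-agent1.exe -s)"

# Point the well-known path at the new socket.
ln -s "$SSH_AUTH_SOCK" "/tmp/ssh-$USERNAME/current-agent-socket"

# Restore the well-known path for anything started from this script.
SSH_AUTH_SOCK=$global_ssh_auth_sock
export SSH_AUTH_SOCK
-------------------snip--------------------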

however, note that cygwin's unix domain sockets are _FUNDAMENTALLY
INSECURE_ and so i strongly _DISCOURAGE_ usage of ssh-agent under
cygwin.

when you run ssh-agent under cygwin it creates an AF_UNIX socket in the
/tmp/ssh-$USERNAME/ directory. under cygwin, AF_UNIX sockets are
emulated via AF_INET sockets. you can easily see that if you look
into the /tmp/ssh-$USERNAME/agent-socket-* file via notepad. you'll see
something like

!<socket >2080

then run "netstat -a" and surprise! you have some program listening on
port 2080. it's ssh-agent. when ssh receives an RSA challenge from the
server, it refers to the corresponding /tmp/ssh-$USERNAME/agent-socket-*
(under cygwin, in our case, that means it'll open a connection to
localhost:2080) and asks ssh-agent to process the RSA challenge with the
private key it has, and then it simply passes the response received from
ssh-agent to the server.

under unix, such a scenario works without problems, because the unix kernel
checks permissions when a program tries to access an AF_UNIX socket. For
AF_INET sockets, however, connections are anonymous (read
"insecure"). Imagine that you have cygwin ssh-agent running. A
malicious hacker may portscan your box, locate the open port used by
ssh-agent, open a connection to your ssh server, receive an RSA challenge
from it, send it to your ssh-agent via the open port he found, receive the RSA
response, send it to the ssh server and voila, he has successfully logged in
to your server as you.

To Corinna: should cygwin's openssh port contain ssh-agent at all? or
perhaps it should issue some warning?

>> Does anyone know how to start the explorer.exe process from ssh-agent when
>> you log into an NT/2000 system?
>> 
>> I'm trying to do the same as "ssh-agent /etc/X11/xinit/xclients" to make the
>> ssh agent available to all programs through the environment variables.
>> 
>> From within a cygwin bash shell I can do "exec ssh-agent bash" (followed by
>> ssh-add) and have everything work from that shell, but of course the
>> variables don't exist in any other shells.
>> 
>> It would seem like having ssh-agent launch explorer when you log in would
>> work, but I don't know what to tweak where in the registry.

Egor.            mailto:deo@logos-m.ru ICQ 5165414 FidoNet 2:5020/496.19
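
The check described in the message above (read the port out of the socket file, then look for that port in the netstat listing), written out as an added example that is not part of the original message. It assumes the socket file contains the "!<socket >PORT" marker quoted above and that the listing is saved "netstat -an" output; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: map a Cygwin-emulated AF_UNIX socket file to its TCP listener.
# Assumption: the file holds the "!<socket >PORT" marker quoted in the message.

# Print the TCP port recorded in socket file $1; fail if the marker is absent.
socket_port() {
  port=$(tr -d '\000\r' < "$1" |
    sed -n 's/^!<socket >\([0-9][0-9]*\).*/\1/p' | head -n 1)
  [ -n "$port" ] || return 1
  printf '%s\n' "$port"
}

# Classify the local address listening on port $1 in saved "netstat -an"
# output $2: loopback, non-loopback, or not-listening.
listener_scope() {
  awk -v port="$1" '
    $1 == "TCP" && $4 == "LISTENING" {
      n = split($2, parts, ":")
      if (parts[n] != port) next
      addr = substr($2, 1, length($2) - length(parts[n]) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]") scope = "loopback"
      else { scope = "non-loopback"; exit }
    }
    END { print (scope == "" ? "not-listening" : scope) }
  ' "$2"
}

# Constructed sample data (not captured from a real host).
demo() {
  dir=$(mktemp -d)
  printf '!<socket >2080' > "$dir/agent-socket-123"
  cat > "$dir/netstat.txt" <<'EOF'
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3001         0.0.0.0:0              LISTENING
EOF
  port=$(socket_port "$dir/agent-socket-123")
  echo "agent socket -> TCP $port: $(listener_scope "$port" "$dir/netstat.txt")"
  rm -rf "$dir"
}
demo
```

A "non-loopback" result means the agent's port accepts connections on an address other than 127.0.0.1, which is the condition the message warns about.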




* RE: cygwin OpenSSH ssh-agent on Win2000
@ 2001-01-02 18:15 David Peterson
  0 siblings, 0 replies; 5+ messages in thread
From: David Peterson @ 2001-01-02 18:15 UTC (permalink / raw)
  To: 'cygwin@cygwin.com'

All the answers I got to this question required running ssh-agent from
within some other cmd or bash shell and then possibly using setx to make the
environment variables visible to other programs.

That works fine except that you can't close the window that housed the shell
used to run ssh-agent. Otherwise you kill the shell and ssh-agent.

I wrote the small program shown below (compiled with VC++, not gcc) and
added a value to the registry key
"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".
The value is named "Shell"; the data is the full path to the compiled
program.

It seems to work okay - there is a small flash of a cmd window coming and
going when I log in, but ssh-agent stays running. I can open a shell and run
ssh-add and everything is set.

-dave.

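#include <windows.h>
#include <string.h>

int main(int argc, char* argv[])
{
 DWORD			creationFlags;
 STARTUPINFOA		startupInfo;
 PROCESS_INFORMATION	information;
 BOOL			result;
 /* lpCommandLine is a non-const LPSTR, so pass a writable buffer. */
 char commandLine[] =
  "c:\\progra~1\\cygwin\\bin\\ssh-agent.exe c:\\winnt\\explorer.exe";

 memset(&startupInfo, 0, sizeof(startupInfo));
 memset(&information, 0, sizeof(information));

 /* Start the agent detached from any console. */
 creationFlags = (CREATE_NO_WINDOW | DETACHED_PROCESS);
 startupInfo.cb = sizeof(startupInfo);

 /* ssh-agent runs explorer.exe as its child, so the desktop shell and
    everything launched from it inherit SSH_AUTH_SOCK and SSH_AGENT_PID. */
 result = CreateProcessA(NULL,
  commandLine,
  NULL,
  NULL,
  TRUE,
  creationFlags,
  NULL,
  NULL,
  &startupInfo,
  &information);
 if (!result)
  return 1;

 /* The launcher does not wait for the agent; release its handles and exit. */
 CloseHandle(information.hThread);
 CloseHandle(information.hProcess);
 return 0;
}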


