From mboxrd@z Thu Jan 1 00:00:00 1970
From: Egor Duda
To: "David O'Shea"
Cc: David Peterson , cygwin@cygwin.com
Subject: Re: cygwin OpenSSH ssh-agent on Win2000
Date: Fri, 22 Dec 2000 01:31:00 -0000
Message-id: <124160032744.20001222122818@logos-m.ru>
References:
X-SW-Source: 2000-12/msg01058.html

Hi!

you can use the following trick: set

SSH_AUTH_SOCK=/tmp/ssh-%USERNAME%/current-agent-socket

in your global windows environment and run this script at startup

-------------------snip--------------------
#!/bin/sh
# print the fixed path configured in the global Windows environment
echo "$SSH_AUTH_SOCK"
global_ssh_auth_sock=$SSH_AUTH_SOCK
# stop any agent left over from a previous session and remove its stale sockets
wkill ssh-agent1.exe
rm -f "/tmp/ssh-$USERNAME/current-agent-socket"
rm -f /tmp/ssh-"$USERNAME"/agent-socket-*
# start a fresh agent; the eval sets SSH_AUTH_SOCK to the new per-agent socket path
eval `ssh-agent1.exe -s`
# point the fixed path at the socket the new agent is actually using
ln -s "$SSH_AUTH_SOCK" "/tmp/ssh-$USERNAME/current-agent-socket"
export SSH_AUTH_SOCK=$global_ssh_auth_sock
-------------------snip--------------------

however, note that cygwin's unix domain sockets are _FUNDAMENTALLY INSECURE_ and so i strongly _DISCOURAGE_ usage of ssh-agent under cygwin.

when you run ssh-agent under cygwin it creates an AF_UNIX socket in the /tmp/ssh-$USERNAME/ directory. under cygwin AF_UNIX sockets are emulated via AF_INET sockets. you can easily see that if you look into the /tmp/ssh-$USERNAME/agent-socket-* file via notepad. you'll see something like

!2080

then run "netstat -a" and surprise! you have some program listening on port 2080. it's ssh-agent.

when ssh receives an RSA challenge from the server, it refers to the corresponding /tmp/ssh-$USERNAME/agent-socket-* (under cygwin, in our case, that means it'll open a connection to localhost:2080) and asks ssh-agent to process the RSA challenge with the private key it has, and then it simply passes the response received from ssh-agent to the server.

under unix, such a scenario works without problems, because the unix kernel checks permissions when a program tries to access an AF_UNIX socket. For AF_INET sockets, however, connections are anonymous (read "insecure"). Imagine that you have cygwin ssh-agent running. a malicious hacker may portscan your box, locate the open port used by ssh-agent, open a connection to your ssh server, receive an RSA challenge from it, send it to your ssh-agent via the open port he found, receive the RSA response, send it to the ssh server and voila, he has successfully logged in to your server as you.

To Corinna: should cygwin's openssh port contain ssh-agent at all? or perhaps it should issue some warning?

>> Does anyone know how to start the explorer.exe process from ssh-agent when
>> you log into an NT/2000 system?
>>
>> I'm trying to do the same as "ssh-agent /etc/X11/xinit/xclients" to make the
>> ssh agent available to all programs through the environment variables.
>>
>> From within a cygwin bash shell I can do "exec ssh-agent bash" (followed by
>> ssh-add) and have everything work from that shell, but of course the
>> variables don't exist in any other shells.
>>
>> It would seem like having ssh-agent launch explorer when you log in would
>> work, but I don't know what to tweak where in the registry.

Egor.            mailto:deo@logos-m.ru ICQ 5165414 FidoNet 2:5020/496.19

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple
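As an added check, written for this archive page and not part of Egor's message or of the Cygwin project, the script below does by hand what the message tells you to do with notepad and "netstat -a": it pulls the TCP port out of the emulated socket file and looks that port up in netstat output, reporting whether the agent is bound to every interface (reachable from the network), to 127.0.0.1 only, or not listening at all. It assumes the socket file holds the port as the first run of digits after a leading "!" (the message shows "!2080"; a later "!<socket >2080 ..." layout is also accepted, which is an assumption) and that netstat output uses the Windows "Proto / Local Address / Foreign Address / State" columns of "netstat -an". The socket contents and netstat lines in the block are constructed samples, not captured from a real machine.

```shell
#!/bin/sh
# Added example: detect whether a Cygwin ssh-agent's emulated AF_UNIX socket
# is exposed as a TCP listener. Not from the original message.

# Read a Cygwin socket marker from stdin and print the TCP port it names.
# Assumption: the port is the first run of digits after the leading '!'.
# Returns 1 when no port can be found.
agent_port_from_marker() {
    port=$(sed -n 's/^![^0-9]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# Read "netstat -an" style output from stdin and classify how the given port
# is bound: all-interfaces (0.0.0.0), localhost (127.0.0.1), bound-to-<addr>,
# or not-listening.
classify_listener() {
    awk -v port="$1" '
        $1 == "TCP" && $4 == "LISTENING" {
            n = split($2, a, ":")
            if (a[n] == port) {
                found = 1
                if (a[1] == "0.0.0.0")        print "all-interfaces"
                else if (a[1] == "127.0.0.1") print "localhost"
                else                          print "bound-to-" a[1]
                exit
            }
        }
        END { if (!found) print "not-listening" }'
}

# Combine both steps: $1 is the marker file contents, $2 is netstat output.
# Real use on a Cygwin box would be:
#   check_agent_exposure "$(cat /tmp/ssh-$USERNAME/agent-socket-*)" "$(netstat -an)"
check_agent_exposure() {
    port=$(printf '%s\n' "$1" | agent_port_from_marker) || {
        echo "no port found in socket marker"
        return 2
    }
    printf '%s\n' "$2" | classify_listener "$port"
}

# Constructed sample data (not captured from a real system).
SAMPLE_MARKER='!2080'

SAMPLE_NETSTAT_EXPOSED='Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:2080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING'

SAMPLE_NETSTAT_LOCAL='Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:2080         0.0.0.0:0              LISTENING'

SAMPLE_NETSTAT_NONE='Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING'

# Stand-alone run over the constructed samples.
echo "exposed sample:  $(check_agent_exposure "$SAMPLE_MARKER" "$SAMPLE_NETSTAT_EXPOSED")"
echo "local sample:    $(check_agent_exposure "$SAMPLE_MARKER" "$SAMPLE_NETSTAT_LOCAL")"
echo "no-agent sample: $(check_agent_exposure "$SAMPLE_MARKER" "$SAMPLE_NETSTAT_NONE")"
```

An "all-interfaces" result is the situation the message warns about: the agent answers challenges for anyone who can reach the port, so the practical mitigations are to not run ssh-agent under this Cygwin build, or to filter the port at the host so only 127.0.0.1 can connect.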