Mail Archives: cygwin/2000/12/22/04:32:38
Hi!
you can use the following trick:
set SSH_AUTH_SOCK=/tmp/ssh-%USERNAME%/current-agent-socket
in your global windows enwironment and run this script at startup
-------------------snip--------------------
#!/bin/sh
echo $SSH_AUTH_SOCK
global_ssh_auth_sock=$SSH_AUTH_SOCK
wkill ssh-agent1.exe
rm -f /tmp/ssh-$USERNAME/current-agent-socket
rm -f /tmp/ssh-$USERNAME/agent-socket-*
eval `ssh-agent1.exe -s`
ln -s $SSH_AUTH_SOCK /tmp/ssh-$USERNAME/current-agent-socket
export SSH_AUTH_SOCK=$global_ssh_auth_sock
-------------------snip--------------------
however, note that cygwin's unix domain sockets are _FUNDAMENTALLY
INSECURE_ and so i strongly _DISCOURAGE_ usage of ssh-agent under
cygwin.
when you run ssh-agent under cygwin it creates AF_UNIX socket in
/tmp/ssh-$USERNAME/ directory. under cygwin AF_UNIX sockets are
emulated via AF_INET sockets. you can easily see that if you'll look
into /tmp/ssh-$USERNAME/agent-socket-* file via notepad. you'll see
the something like
!<socket >2080
then run "netstat -a" and surprise! you have some program listening to
port 2080. it's ssh-agent. when ssh receives RSA challenge from
server, it refers to corresponding /tmp/ssh-$USERNAME/agent-socket-*
(under cygwin, in our case, that means it'll open connection to
localhost:2080) and asks ssh-agent to process RSA challenge with
private key it has, and then it simply passes response received from
ssh-agent to server.
under unix, such scenario works without problems, because unix kernel
checks permissions when program tries to access AF_UNIX socket. For
AF_INET sockets, however, connections are anonymous (read
"insecure"). Imagine, that you have cygwin ssh-agent running.
malicious hacker may portscan your box, locate open port used by
ssh-agent, open connection to your ssh server, receive RSA challenge
from it, send it to your ssh-agent via open port he found, receive RSA
response, send it to ssh server and voila, he successfully logged in
to your server as you.
To Corinna: should cygwin's openssh port contain ssh-agent at all? or
perhaps it should issue some warning?
>> Does anyone know how to start the explorer.exe process from ssh-agent when
>> you log into an NT/2000 system?
>>
>> I'm trying to do the same as "ssh-agent /etc/X11/xinit/xclients" to make the
>> ssh agent available to all programs through the environment variables.
>>
>> >From within a cygwin bash shell I can do "exec ssh-agent bash" (followed by
>> ssh-add) and have everything work from that shell, but of course the
>> variables don't exist in any other shells.
>>
>> It would seem like having ssh-agent launch explorer when you log in would
>> work, but I don't know what to tweak where in the registry.
Egor. mailto:deo AT logos-m DOT ru ICQ 5165414 FidoNet 2:5020/496.19
--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple
- Raw text -