546 lines
15 KiB
Groff
546 lines
15 KiB
Groff
.\"-
|
|
.\" Copyright (c) 2002 Eivind Eklund
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer
|
|
.\" in this position and unchanged.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. The name of the author may not be used to endorse or promote products
|
|
.\" derived from this software without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd January 26, 2002
|
|
.Dt SAFESH 1
|
|
.Sh NAME
|
|
.Nm safesh
|
|
.Nd safe key manager for OpenSSH
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Oo Ar user@ Oc Ns Ar host
|
|
.Oo
|
|
.Fl Fl
|
|
.Ar ssh-parameters ...
|
|
.Oc
|
|
.Nm safeshinstall
|
|
.Oo Ar user@ Oc Ns Ar host
|
|
.Nm cvs-safesh
|
|
.Oo Ar user@ Oc Ns Ar host
|
|
.Op Ar command
|
|
.Nm scpsh
|
|
.Oo Ar user@ Oc Ns Ar host
|
|
.Sh DESCRIPTION
|
|
NOTE: This text often refers to
|
|
.Va $VARIABLE
|
|
in description.
|
|
What each of the references will be replaced with when
|
|
.Nm
|
|
runs is described at the end of the manpage.
|
|
.Pp
|
|
The
|
|
.Nm
|
|
utility
|
|
automatically creates one DSA key (called an identity) for each host you
|
|
connect to, and stores this in a separate agent for each host.
|
|
It is also capable of adding keys for other hosts to this agent, so you can
|
|
use it for restricted forwarding of authentication.
|
|
Because each host uses its own
|
|
.Xr ssh-agent 1 ,
|
|
the hosts you forward authentication to can only get at the authentication for
|
|
the hosts you specifically say it should be able to get at.
|
|
.Pp
|
|
When run,
|
|
.Nm :
|
|
.Bl -enum
|
|
.It
|
|
Normalizes the hostname you are talking about, using the
|
|
.Pa $HOME/.safesh/map
|
|
file.
|
|
.It
|
|
Checks if the user and host has an SSH DSA key in
|
|
.Pa $HOME/.safesh ,
|
|
and creates one using
|
|
.Xr ssh-keygen 1
|
|
if it does not.
|
|
The DSA key is stored in
|
|
.Pa $HOME/.safesh/$USER@$HOST-$PORT/dsa_id .
|
|
You will be asked for a passphrase when the key is created.
|
|
Note that if you use the same passphrase for all
|
|
.Nm
|
|
keys, you will only be asked for the passphrase once per host you connect to.
|
|
If you use different passphrases, you will be asked once per forwarded key
|
|
for each host you connect to (after a machine startup).
|
|
.It
|
|
Checks if you have the
|
|
.Xr ssh-agent 1
|
|
for this host running, and starts it if not.
|
|
.It
|
|
Checks what keys you are supposed to have active when connecting to this host
|
|
(the key for the host and any keys listed in
|
|
.Pa $HOME/.safesh/$USER@$HOST-$PORT/extra_keys ) ,
|
|
and which of these are missing from the active agent.
|
|
.It
|
|
If any identities were missing from the agent, it executes
|
|
.Xr ssh-add 1
|
|
to add them to the agent.
|
|
.It
|
|
Executes
|
|
.Xr ssh 1
|
|
with either
|
|
.Ar $USER@$HOST
|
|
or the extra command line supplied by the user.
|
|
.El
|
|
.Sh BASIC CONCEPT DESCRIPTION
|
|
The
|
|
.Nm
|
|
utility
|
|
is an authentication manager for OpenSSH.
|
|
It is an attempt at making it easy to use the built-in authentication features
|
|
of OpenSSH securely.
|
|
By default, the SSH security model is that all hosts the
|
|
user connects to are trusted, and are given complete access, including the
|
|
ability to authenticate as the user towards other hosts if the user is running
|
|
.Xr ssh-agent 1 .
|
|
OpenSSH has improved this security model somewhat by not forwarding SSH
|
|
authentication by default, but still allows the host that you connect to
|
|
to grab your credentials and authenticate as you to anybody else when you
|
|
do authentication forwarding to it.
|
|
.Sh SIMPLE HOWTO
|
|
Starting to make use of
|
|
.Nm
|
|
is trivial:
|
|
.Bl -enum
|
|
.It
|
|
Do
|
|
.Dq Li "safeshinstall <[user@]hostname>" .
|
|
.Pp
|
|
This will ask for a passphrase (three times), create a directory
|
|
.Pa $HOME/.safesh/<user>@<hostname>-22 ,
|
|
which contains authentication
|
|
data for your user at
|
|
.Aq Ar hostname ,
|
|
and add the contents of
|
|
.Pa $HOME/.safesh/<user>@<hostname>-22/id_dsa.pub
|
|
to
|
|
.Pa $HOME/.ssh/authorized_keys2
|
|
on the host you connect to.
|
|
The latter will result in
|
|
.Xr ssh 1
|
|
asking for authentication in the fashion you already use (most likely by
|
|
asking for your password).
|
|
.It
|
|
Log in with
|
|
.Dq Li "safesh <hostname>"
|
|
from now on.
|
|
.Pp
|
|
This will ask you for a passphrase if you have not logged into that host this
|
|
session, and otherwise just let right in.
|
|
.El
|
|
.Sh UTILITY COMMANDS
|
|
The
|
|
.Nm
|
|
utility
|
|
ships with two utility hacks to work around the fact that it is not a complete
|
|
.Xr ssh 1
|
|
replacement,
|
|
.Nm scpsh
|
|
and
|
|
.Nm cvs-safesh .
|
|
.Pp
|
|
The
|
|
.Nm scpsh
|
|
utility
|
|
is for supporting use of
|
|
.Xr scp 1
|
|
with
|
|
.Nm .
|
|
The
|
|
.Nm scpsh
|
|
.Oo Ar user@ Oc Ns Ar host
|
|
command
|
|
will start a new interactive shell (using the
|
|
.Ev SHELL
|
|
environment variable to determine which it should be), with the environment
|
|
variables for using
|
|
.Xr ssh-agent 1
|
|
to authenticate to
|
|
.Oo Ar user@ Oc Ns Ar host
|
|
already set.
|
|
This allows use of
|
|
.Xr scp 1
|
|
without having to type passwords to authenticate.
|
|
.Pp
|
|
The
|
|
.Nm cvs-safesh
|
|
utility
|
|
makes it easy to use
|
|
.Nm
|
|
along with
|
|
.Xr cvs 1
|
|
and other programs that use
|
|
.Xr rsh 1
|
|
or
|
|
.Xr ssh 1
|
|
with the format
|
|
.Dq Li "ssh <user@host> <command>"
|
|
or
|
|
.Dq Li "ssh <host> <command>" .
|
|
To use with
|
|
.Xr cvs 1 ,
|
|
just set
|
|
.Ev CVS_RSH
|
|
to
|
|
.Dq Li cvs-safesh
|
|
instead of
|
|
.Dq Li ssh .
|
|
.Sh FILES
|
|
.Bl -tag -width ".Pa $HOME/.safesh"
|
|
.It Pa $HOME/.safesh/
|
|
Directory containing information for
|
|
.Nm .
|
|
.It Pa $HOME/.safesh/map
|
|
Mapping file for
|
|
.Nm ,
|
|
describing how to map host names to their canonical form.
|
|
This is usually used to map short names to their long form.
|
|
The format of the file is one mapping per line, what it is mapped from as the
|
|
first word, what it is mapped to as the second.
|
|
.Pp
|
|
It is also possible to use this to map domain names to their safe form by having
|
|
the name of the host as the first parameter, and the name of the host with a
|
|
period
|
|
.Pq Ql .\&
|
|
at the end as the second parameter,
|
|
e.g.,
|
|
.Dq Li freefall.freebsd.org freefall.freebsd.org. .
|
|
.It Pa $HOME/.safesh/$USER@$HOST-$PORT/
|
|
Directory with data for a particular hostname.
|
|
Automatically generated on first connect to a host with
|
|
.Nm .
|
|
.It Pa $HOME/.safesh/$USER@$HOST-$PORT/dsa_id
|
|
Private key for use to authenticate as
|
|
.Ar $USER@$HOST .
|
|
Automatically generated on first connect to a host with
|
|
.Nm .
|
|
.It Pa $HOME/.safesh/$USER@$HOST-$PORT/dsa_id.pub
|
|
Public key for use by
|
|
.Ar $HOST
|
|
to authenticate
|
|
.Ar $USER .
|
|
To connect to
|
|
.Ar $HOST
|
|
as
|
|
.Ar $USER
|
|
using
|
|
.Nm
|
|
without giving a password, add the contents of this file
|
|
to the end of
|
|
.Pa $HOME/.ssh/authorized_keys2 .
|
|
Automatically generated on first connect to a host with
|
|
.Nm .
|
|
.It Pa $HOME/.safesh/$USER@$HOST-$PORT/$AUTHTARGET
|
|
Private key for use when
|
|
.Ar $HOST
|
|
authenticates towards
|
|
.Ar $AUTHTARGET .
|
|
This is used in preference to
|
|
.Pa $HOME/.safesh/$AUTHTARGET/dsa_id
|
|
for authentication forwarding through
|
|
.Ar $HOST
|
|
to
|
|
.Ar $AUTHTARGET .
|
|
The file is only used if
|
|
.Ar $AUTHTARGET
|
|
is listed in
|
|
.Pa $HOME/.safesh/$USER@$HOST-$PORT/extra_keys .
|
|
This file is not generated automatically by
|
|
.Nm .
|
|
It is only present if you have generated it using
|
|
.Xr ssh-keygen 1 .
|
|
Note that it is usually more than useless (can pose a security risk) to copy a
|
|
key used for other authentication to this location.
|
|
.Pp
|
|
The use of explict authentication files for authentication forwarding is
|
|
primarily for protection against the case where the machine you run
|
|
.Nm
|
|
on is compromised.
|
|
Using this file, you can use a separate passphrase from the one used for the
|
|
key for connecting directly to
|
|
.Ar $AUTHTARGET ;
|
|
that key need not even exist.
|
|
By using IP restrictions in the
|
|
.Pa authorized_keys
|
|
file for the key, you can make
|
|
sure that the host
|
|
.Nm
|
|
runs on cannot connect to
|
|
.Ar $AUTHTARGET
|
|
using the authentication forwarding
|
|
key.
|
|
The use of a separate forwarding key can also be used in combination with a
|
|
modified SSH to log which key was used where, and thus track key propagation.
|
|
.It Pa $HOME/.safesh/$USER@$HOST-$PORT/$AUTHTARGET.pub
|
|
Public key corresponding to the private key described above.
|
|
.It Pa $HOME/.safesh/$USER@$HOST-$PORT/extra_keys
|
|
List of extra keys to make available for this host.
|
|
Each line in the file is first attempted matched against the host/user/port
|
|
database in
|
|
.Pa $HOME/.safesh/ .
|
|
Username and/or port is added if just the hostname is specified
|
|
.Pa extra_keys ,
|
|
and the hostname is always normalized using the map file.
|
|
If a key exists in
|
|
.Pa $HOME/.safesh/ ,
|
|
.Nm
|
|
attempts to add that.
|
|
Otherwise, it first tries to look for the line as a file relative to
|
|
.Pa / ,
|
|
then relative to
|
|
.Pa $HOME .
|
|
If it does not find either of these,
|
|
.Nm
|
|
will exit with an error message.
|
|
If it finds one, it will add it using
|
|
.Xr ssh-add 1 .
|
|
.It Pa $HOME/.safesh/$USER@$HOST-$PORT/activeagent-$YOURHOST.sh
|
|
Bourne shell (see
|
|
.Xr sh 1 ,
|
|
.Xr bash 1 ,
|
|
.Xr zsh 1 )
|
|
script for setting up the environment variables for a particular
|
|
.Xr ssh-agent 1
|
|
process used for this host.
|
|
Only valid if
|
|
.Nm
|
|
has been run against that host as this user since the machine
|
|
.Nm
|
|
runs on was last booted.
|
|
Note that this file must be source'd, not just run as a shell script.
|
|
.It Pa $HOME/.safesh/$USER@$HOST-$PORT/activeagent-$YOURHOST.csh
|
|
CSH (see
|
|
.Xr csh 1 ,
|
|
.Xr tcsh 1 )
|
|
script for setting up the environment variables for a particular
|
|
.Xr ssh-agent 1
|
|
process used for this host.
|
|
Only valid if
|
|
.Nm
|
|
has been run against that host as this user since the machine
|
|
.Nm
|
|
runs on was last booted.
|
|
Note that this file must be source'd, not just run as a shell script.
|
|
.El
|
|
.Sh AUTHORS
|
|
The
|
|
.Nm
|
|
utility
|
|
was written by
|
|
.An Eivind Eklund Aq eivind@FreeBSD.org .
|
|
.Sh SEE ALSO
|
|
.Xr ssh 1 ,
|
|
.Xr ssh-add 1 ,
|
|
.Xr ssh-agent 1 ,
|
|
.Xr ssh-keygen 1
|
|
.Sh KNOWN ISSUES
|
|
The
|
|
.Nm
|
|
utility
|
|
does not handle whitespace in filenames specified in
|
|
.Pa extra_keys
|
|
correctly.
|
|
.Pp
|
|
The
|
|
.Xr ssh-agent 1
|
|
processes that are started by
|
|
.Nm
|
|
will hang around until next reboot unless
|
|
you put the
|
|
.Dq Li "killall ssh-agent"
|
|
command in
|
|
.Pa .logout
|
|
or similar.
|
|
This allows any login to your account to use your authentication towards
|
|
machines you have connected to (including anybody with root on the box),
|
|
persisting after you log out.
|
|
You must always assume that root can grab your authentication at the moment
|
|
you run do it, so this is only an issue in that the authentication stays
|
|
available longer.
|
|
This is not resolvable without rewriting
|
|
.Xr ssh-agent 1 .
|
|
.Sh MISSING FEATURES
|
|
.Bl -tag -width 4n
|
|
.It Em Two-step secure SSH with an untrusted host in the middle
|
|
It is possible to use the port forwarding capability of
|
|
.Xr ssh 1
|
|
to forward
|
|
authentication through another server, without allowing the other server to
|
|
indepently authenticate to a third party, and without allowing it to see
|
|
what is going on in your connection.
|
|
This is based on just forwarding a tunnel through the untrusted host, and
|
|
doing direct authentication to the server on the other side.
|
|
With the present version of OpenSSH, this has the problem of leaving the
|
|
actual port forwarding open while the tunnel is open, allowing other users to
|
|
set up their own tunnels, and weakening another side of the security model.
|
|
.It Em Read out fingerprints
|
|
The
|
|
.Nm
|
|
utility
|
|
should make it trivial to retrieve the fingerprint for:
|
|
.Bl -enum
|
|
.It
|
|
The host it is running on.
|
|
.Pp
|
|
This must presently be done with
|
|
.Dq Li "ssh-keygen -l /etc/ssh/ssh_host_key.pub"
|
|
(to get the fingerprint for SSH 1) and
|
|
.Dq Li "ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key"
|
|
(for SSH 2).
|
|
.It
|
|
Other hosts, as registered in the
|
|
.Pa known_host
|
|
file on the host it is running
|
|
on.
|
|
.Pp
|
|
This must presently be done by manual inspection.
|
|
.El
|
|
.It Em Merge Pa known_hosts
|
|
The
|
|
.Nm
|
|
utility
|
|
should make it trivial to merge
|
|
.Pa known_hosts
|
|
and
|
|
.Pa known_hosts2
|
|
with ones from
|
|
another host, including retrieving and uploading
|
|
.Pa known_hosts
|
|
as appropriate.
|
|
.It Em Manage Pa .ssh/authorized_keys2
|
|
The
|
|
.Nm
|
|
utility
|
|
should be able to automatically remove keys from the
|
|
.Pa authorized_keys2
|
|
file
|
|
on other machines, to make everything about the
|
|
.Nm
|
|
process self-contained.
|
|
.It Em Manage setup of key limitations
|
|
When managing
|
|
.Pa authorized_keys2 ,
|
|
it is also reasonable to manage key limitation
|
|
in this.
|
|
IP restrictions
|
|
.Pq Qq Li from=
|
|
should be handled to make it easy to create setups
|
|
where the local machine does not have direct access to a target.
|
|
Command restrictions etc. would be good to have just for completeness.
|
|
.It Em Emulate the entire Xr ssh 1 Em syntax
|
|
Presently, the
|
|
.Nm
|
|
utility has a fairly weird syntax.
|
|
This is because it is a fairly quick hack, just made to be usable.
|
|
Later, it would be nice to rewrite it to be fully compatible with
|
|
.Xr ssh 1 .
|
|
This would allow use as a drop-in replacement.
|
|
.It Em Description of the trust/threat/security model
|
|
It would be nice to have a complete description of the normal SSH threat model
|
|
as well as the
|
|
.Nm
|
|
threat model, in order to make people fully conscious of their own model.
|
|
.It Em Emulate Xr scp 1
|
|
The
|
|
.Xr scp 1
|
|
utility
|
|
is very useful, and the only way to use it with
|
|
.Nm
|
|
at the moment is through a subshell created by
|
|
.Nm scpsh .
|
|
An ideal
|
|
.Nm
|
|
implementation would include wrapping of
|
|
.Xr scp 1 ,
|
|
too.
|
|
.El
|
|
.Sh VARIABLE REPLACEMENT IN DESCRIPTIONS
|
|
.Bl -tag -width ".Va $AUTHTARGET"
|
|
.It Va $HOME
|
|
Path to your home directory.
|
|
.It Va $HOST
|
|
The name of the host you are running
|
|
.Nm
|
|
towards.
|
|
This is the machine you are
|
|
.Xr ssh 1 Ns 'ing
|
|
into.
|
|
.It Va $YOURHOST
|
|
The name of the host you are running
|
|
.Nm
|
|
on, as output by
|
|
.Xr hostname 1 .
|
|
This is the name of the machine you are
|
|
.Xr ssh 1 Ns 'ing
|
|
from.
|
|
The use of
|
|
.Va $YOURHOST
|
|
makes
|
|
.Nm
|
|
safe to use with NFS-mounted home directories.
|
|
.It Va $AUTHTARGET
|
|
The authentication target for an authentication forwarding.
|
|
This is
|
|
.Em not
|
|
the same as
|
|
.Va $HOST .
|
|
.Va $AUTHTARGET
|
|
is a machine you are
|
|
.Xr ssh 1 Ns 'ing
|
|
to
|
|
.Em from
|
|
.Va $HOST .
|
|
The format of
|
|
.Va $AUTHTARGET
|
|
is
|
|
.Sm off
|
|
.Ao Ar user Ac @ Ao Ar somehost Ac - Aq Ar someport ,
|
|
.Sm on
|
|
where
|
|
.Aq Aq user
|
|
defaults to the username you run
|
|
.Nm
|
|
as, and
|
|
.Aq Aq someport
|
|
default to 22 (and it is not possible to set anything
|
|
else at this time).
|
|
.It Va $USER
|
|
The username used on
|
|
.Va $HOST ;
|
|
defaults to the same as the
|
|
username you have on
|
|
.Va $YOURHOST ,
|
|
but will be different if you do
|
|
.Dq Li "safesh user@host"
|
|
instead of just
|
|
.Dq Li "safesh host" .
|
|
.It Va $PORT
|
|
The port used on
|
|
.Va $HOST .
|
|
Presently always 22.
|
|
.El
|