This is the mail archive of the
cygwin@sources.redhat.com
mailing list for the Cygwin project.
RE: cygwin OpenSSH ssh-agent on Win2000
- To: "'cygwin at cygwin dot com'" <cygwin at cygwin dot com>
- Subject: RE: cygwin OpenSSH ssh-agent on Win2000
- From: David Peterson <David dot Peterson at mail dot idrive dot com>
- Date: Tue, 2 Jan 2001 18:15:22 -0800
All the answers I got to this question required running ssh-agent from
within some other cmd or bash shell and then possibly using setx to make the
environment variables visible to other programs
That works fine except that you can't close the window that housed the shell
used to run ssh-agent. Otherwise you kill the shell and ssh-agent.
I wrote the small program shown below (compiled with VC++, not gcc) and
added a value to the registry key
"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".
The value is named "Shell" the data is the full path to the compiled
program.
It seems to work okay - there is a small flash of a cmd window coming and
going when I log in, but ssh-agent stays running. I can open a shell and run
ssh-add and everything is set.
-dave.
#include <windows.h>
int main(int argc, char* argv[])
{
DWORD creationFlags;
STARTUPINFO startupInfo;
PROCESS_INFORMATION information;
creationFlags = 0;
memset(&startupInfo, 0, sizeof(startupInfo));
memset(&information, 0, sizeof(information));
creationFlags = (CREATE_NO_WINDOW | DETACHED_PROCESS);
startupInfo.cb = sizeof(startupInfo);
BOOL result = CreateProcess(NULL,
"c:\\progra~1\\cygwin\\bin\\ssh-agent.exe c:\\winnt\\explorer.exe",
NULL,
NULL,
true,
creationFlags,
NULL,
NULL,
&startupInfo,
&information);
return 0;
}
-----Original Message-----
From: Egor Duda [mailto:deo@logos-m.ru]
Sent: Friday, December 22, 2000 1:28 AM
To: David O'Shea
Cc: David Peterson; cygwin@cygwin.com
Subject: Re: cygwin OpenSSH ssh-agent on Win2000
Hi!
you can use the following trick:
set SSH_AUTH_SOCK=/tmp/ssh-%USERNAME%/current-agent-socket
in your global windows enwironment and run this script at startup
-------------------snip--------------------
#!/bin/sh
echo $SSH_AUTH_SOCK
global_ssh_auth_sock=$SSH_AUTH_SOCK
wkill ssh-agent1.exe
rm -f /tmp/ssh-$USERNAME/current-agent-socket
rm -f /tmp/ssh-$USERNAME/agent-socket-*
eval `ssh-agent1.exe -s`
ln -s $SSH_AUTH_SOCK /tmp/ssh-$USERNAME/current-agent-socket
export SSH_AUTH_SOCK=$global_ssh_auth_sock
-------------------snip--------------------
however, note that cygwin's unix domain sockets are _FUNDAMENTALLY
INSECURE_ and so i strongly _DISCOURAGE_ usage of ssh-agent under
cygwin.
when you run ssh-agent under cygwin it creates AF_UNIX socket in
/tmp/ssh-$USERNAME/ directory. under cygwin AF_UNIX sockets are
emulated via AF_INET sockets. you can easily see that if you'll look
into /tmp/ssh-$USERNAME/agent-socket-* file via notepad. you'll see
the something like
!<socket >2080
then run "netstat -a" and surprise! you have some program listening to
port 2080. it's ssh-agent. when ssh receives RSA challenge from
server, it refers to corresponding /tmp/ssh-$USERNAME/agent-socket-*
(under cygwin, in our case, that means it'll open connection to
localhost:2080) and asks ssh-agent to process RSA challenge with
private key it has, and then it simply passes response received from
ssh-agent to server.
under unix, such scenario works without problems, because unix kernel
checks permissions when program tries to access AF_UNIX socket. For
AF_INET sockets, however, connections are anonymous (read
"insecure"). Imagine, that you have cygwin ssh-agent running.
malicious hacker may portscan your box, locate open port used by
ssh-agent, open connection to your ssh server, receive RSA challenge
from it, send it to your ssh-agent via open port he found, receive RSA
response, send it to ssh server and voila, he successfully logged in
to your server as you.
To Corinna: should cygwin's openssh port contain ssh-agent at all? or
perhaps it should issue some warning?
>> Does anyone know how to start the explorer.exe process from ssh-agent
when
>> you log into an NT/2000 system?
>>
>> I'm trying to do the same as "ssh-agent /etc/X11/xinit/xclients" to make
the
>> ssh agent available to all programs through the environment variables.
>>
>> >From within a cygwin bash shell I can do "exec ssh-agent bash" (followed
by
>> ssh-add) and have everything work from that shell, but of course the
>> variables don't exist in any other shells.
>>
>> It would seem like having ssh-agent launch explorer when you log in would
>> work, but I don't know what to tweak where in the registry.
Egor. mailto:deo@logos-m.ru ICQ 5165414 FidoNet 2:5020/496.19
--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple
--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple