Saturday, 28 October 2017

git - Cache the password if SSH-keys are forbidden


I have a server which I have to access frequently via ssh, because I compute on it. Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, every time, possibly in front of other humans, is a much safer way to login.


Now; I cannot change their minds (I tried).


Is there a way to at least temporarily store SSH passwords, the way Git can store passwords in a cache for some defined time?



Answer



Connection reuse


SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)


With OpenSSH you have ControlMaster and ControlPath options (-M and -S) to make use of this:




  1. Start a 'master' SSH connection using -M. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using -S. It needs to live long, so I add the -fN options to drop to background; they're technically optional otherwise.)


    $ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
    foo@bar.example.com's password:

    You're back to the local shell.




  2. Start a new connection through the master:


    $ ssh foo@bar.example.com -S ~/.ssh/bar.socket

    You're in.




  3. To make this useful for Git/rsync/SFTP, you need to set up ControlPath in your configuration, because you won't be able to specify -S all the time:


    Host *
    ControlPath ~/.ssh/S.%r@%h:%p


You can automate this – recent OpenSSH versions also have ControlPersist which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.




  1. Configuration in ~/.ssh/config:


    Host *
    ControlPath ~/.ssh/S.%r@%h:%p
    ControlMaster auto
    ControlPersist 15m


  2. First connection asks for password:


    $ ssh foo@bar.example.com
    foo@bar.example.com's password:
    [foo@bar:~]$ exit


  3. The second doesn't:


    $ ssh foo@bar.example.com
    [foo@bar:~]$ yay


To control the multiplex master (stop it or configure TCP forwardings), use the -O option.


A similar method is supported by recent PuTTY versions.
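An added example, not part of the original answer: any local process that can open a control socket can start sessions over the master connection without authenticating again, so the socket directory should stay private and idle masters should be stopped with -O. The sketch below assumes the ControlPath pattern ~/.ssh/S.%r@%h:%p from the configuration above; the function names and the host argument "mux" are hypothetical.

```shell
#!/bin/sh
# Added example: audit the directory that holds OpenSSH control sockets.
# Assumes sockets are named S.* as in ControlPath ~/.ssh/S.%r@%h:%p.

# Succeeds only if DIR exists, is owned by the caller, and grants
# nothing to group or others.
control_dir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -O "$dir" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$dir" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Prints every control socket named S.* in DIR, one per line.
list_control_sockets() {
    dir=$1
    for sock in "$dir"/S.*; do
        # Skips the unexpanded glob and anything that is not a Unix socket.
        [ -S "$sock" ] && printf '%s\n' "$sock"
    done
    return 0
}

# Sends a multiplex command to every master found in DIR:
# "check" (default) reports whether it is alive, "exit" stops it.
# "mux" is a placeholder host argument; -S selects the actual master.
control_sockets_do() {
    dir=$1 cmd=${2:-check}
    list_control_sockets "$dir" | while IFS= read -r sock; do
        ssh -S "$sock" -O "$cmd" mux
    done
}
```

Source the file, then run `control_dir_is_private ~/.ssh && control_sockets_do ~/.ssh check`; pass `exit` instead of `check` to stop the masters before leaving a shared machine.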

