[H-GEN] Desktop wars ..... (no not really)

Christopher Biggs listjunkie at pobox.com
Thu Jun 26 07:51:56 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

"Three Blokes" <gerbil at bigpond.net.au> moved upon the face of the 'Net and spake thusly:

> From: "Robert Brockway" <robert at timetraveller.org>
>
>> # Allow ssh-agent to kick off the window manager ($MANAGER)
>> ssh-agent bash -c "ssh-add < /dev/null && $MANAGER"
>
> Please excuse me if there is a really obvious answer to this question, but
> can I ask why you use ssh-agent to start your wm? Is this so you can do
> X sessions over ssh (something I would be interested in)?

If I may jump in (since I hope for Robert's sake that he's sound
asleep just now), I happen to use a similar scheme myself.  What's
actually happening here is not that "ssh-agent is starting the
windowmanager", but that "the window manager is only started if the
'ssh-add' invocation succeeds".

The ssh-add program prompts the user (the redirection of standard input
to come from /dev/null will ensure that 'ssh-add' uses an X-window
prompt rather than a terminal-input prompt) for the user's
passphrase, then decrypts the user's SSH secret key and passes it to
the already running ssh-agent process for storage.

If all this succeeds (i.e. the user types the correct passphrase), the
window manager is started and the X-window session continues interactively.

If the ssh-add invocation fails (because the wrong passphrase is
entered too many times, or because the prompt window's 'cancel' button
is clicked), then no window manager is started and the login session
thus terminates immediately.

Therefore to get a login on Robert's system, you need not only to
correctly enter his username and password, but to correctly enter his
SSH passphrase.  This arrangement also has the not inconsequential
side effect of priming the SSH agent to deliver that passphrase to SSH
instances when required, providing a "single sign-on" environment.

If the user then types, say "ssh someothermachine.some.domain", they
will get an SSH connection without having to re-type their SSH
passphrase (assuming they have a valid account on the destination).

On /my/ system I have also configured the screen-saver/locker daemon to
erase the stored passphrase, should I be idle for longer than 10
minutes.  I can also press the "sleep" key on my keyboard to wipe my
stored passphrase (and also lock the console) immediately.

The truly paranoid store their SSH keys on hot-plug removable
media such as smart-cards or USB-flash dongles.

--cjb

-- 
------------------------------------------------------------------------
--- Christopher Biggs -- Unix Bigot For Hire -- unixbigot at pobox.com  ---
The IEEE has monitored this electronic mail message, and asserts that no
energy was created or destroyed during its construction or transmission.
------------------------------------------------------------------------


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
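The following is an added, self-contained sketch of the ~/.xsession arrangement the thread describes; it is not Robert's or Christopher's actual file. It assumes OpenSSH's ssh-agent and ssh-add, an askpass helper at /usr/bin/ssh-askpass (path assumed), a $MANAGER variable naming the window manager, and xautolock/xlock as the idle-lock tools (any locker would do). The gating logic is split out into a function so the "no key, no session" behaviour can be exercised without an X server.

```shell
#!/bin/sh
# Added example of the gated ~/.xsession scheme; not code from the post.
# Assumptions: OpenSSH ssh-agent/ssh-add, an askpass helper, $MANAGER set to
# the window manager, and xautolock + xlock available for idle locking.

# gated_session ADD_CMD WM_CMD
#   Run ADD_CMD with stdin from /dev/null; start WM_CMD only if it succeeds.
#   This is the "ssh-add < /dev/null && $MANAGER" idiom: with no terminal on
#   stdin and DISPLAY set, ssh-add asks for the passphrase via $SSH_ASKPASS.
#   A wrong passphrase or a cancelled prompt makes ssh-add exit non-zero, so
#   the window manager is never started and the X session simply ends.
gated_session() {
    add_cmd=$1
    wm_cmd=$2
    if $add_cmd < /dev/null; then
        $wm_cmd
    else
        status=$?
        echo "key not loaded (ssh-add exit $status); ending session" >&2
        return "$status"
    fi
}

# wipe_keys: forget every identity the running agent holds (ssh-add -D).
# Hook this to the idle timer or a "sleep" key so an unattended, unlocked
# console no longer carries a usable key.
wipe_keys() {
    ssh-add -D
}

# xsession_main: what the real ~/.xsession would execute.  ssh-agent runs
# the given command and exits when it returns, so the agent lives exactly
# as long as the window manager.  Not invoked at the bottom of this file so
# the functions above can be tested headless; a real ~/.xsession would end
# with:  xsession_main "$@"
xsession_main() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        # No agent yet: re-run this script under ssh-agent, which exports
        # SSH_AUTH_SOCK/SSH_AGENT_PID to the child and exits with it.
        exec ssh-agent "$0" "$@"
    fi
    export SSH_ASKPASS="${SSH_ASKPASS:-/usr/bin/ssh-askpass}"   # path assumed
    # After 10 idle minutes, drop the keys and then lock the screen (the
    # post's idle-timeout rule); xautolock/xlock are assumed to be installed.
    xautolock -time 10 -locker 'ssh-add -D; xlock' &
    gated_session ssh-add "${MANAGER:?set MANAGER to the window manager}"
}
```

Note that the key wipe runs *before* the locker, so even if the locker were bypassed the agent would already be empty; and because ssh-agent's lifetime is tied to the window manager's, logging out also discards the decrypted key rather than leaving an orphaned agent behind.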