authorEivind Eklund <eivind@FreeBSD.org>2002-01-29 17:50:27 +0000
committerEivind Eklund <eivind@FreeBSD.org>2002-01-29 17:50:27 +0000
commit7348d040e1ffb370da757c846b56c30b40e715ae (patch)
tree67e39a173d691f9b30366164b4922c1cef26141f /security
parentDon't try to use ${ECHO_CMD} in a != before including bsd.port.pre.mk (diff)
safesh is an authentication manager for OpenSSH. By automatically creating
keys and starting ssh-agents, it makes it (fairly) convenient to use one key for each host pair (authenticator and authenticatee), and it avoids authentication theft by the hosts you connect to with SSH.
Diffstat (limited to 'security')
-rw-r--r--security/Makefile1
-rw-r--r--security/safesh/Makefile33
-rw-r--r--security/safesh/pkg-comment1
-rw-r--r--security/safesh/pkg-descr4
-rw-r--r--security/safesh/pkg-plist2
-rw-r--r--security/safesh/src/cvs-safesh.sh2
-rw-r--r--security/safesh/src/safesh.1327
-rw-r--r--security/safesh/src/safesh.sh94
8 files changed, 464 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index 79ad44a6f987..b3dae6e1799c 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -197,6 +197,7 @@
SUBDIR += ruby-pam
SUBDIR += ruby-tcpwrap
SUBDIR += saferpay
+ SUBDIR += safesh
SUBDIR += saint
SUBDIR += scanssh
SUBDIR += seahorse
diff --git a/security/safesh/Makefile b/security/safesh/Makefile
new file mode 100644
index 000000000000..d37fbc4aa05a
--- /dev/null
+++ b/security/safesh/Makefile
@@ -0,0 +1,33 @@
+# New ports collection makefile for: safesh
+# Date created: 26 January 2002
+# Whom: eivind
+#
+# $FreeBSD$
+#
+# This port is self contained in the src directory.
+#
+
+PORTNAME= safesh
+PORTVERSION= 1.0
+CATEGORIES= security
+MASTER_SITES= # none
+DISTFILES= # none
+
+MAINTAINER= eivind@FreeBSD.org
+
+NO_BUILD= yes
+NO_WRKSUBDIR= yes
+
+SRC= ${.CURDIR}/src
+
+MAN1= ${PORTNAME}.1
+
+do-fetch:
+ @${DO_NADA}
+
+do-install:
+ @${INSTALL_SCRIPT} ${SRC}/${PORTNAME}.sh ${PREFIX}/bin/${PORTNAME}
+ @${INSTALL_SCRIPT} ${SRC}/cvs-safesh.sh ${PREFIX}/bin/cvs-safesh
+ @${INSTALL_MAN} ${SRC}/${PORTNAME}.1 ${PREFIX}/man/man1
+
+.include <bsd.port.mk>
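Review bot: The man page is installed straight under `${PREFIX}/man/man1` in do-install, while `MAN1=` makes bsd.port.mk register (and compress) the page relative to `${MANPREFIX}`, so a user who overrides MANPREFIX gets the file in one place and the packing-list entry in another, if I read the MAN handling right. Change the last install line to `@${INSTALL_MAN} ${SRC}/${PORTNAME}.1 ${MANPREFIX}/man/man1`. A short comment on the do-fetch override would also help, e.g. `# Nothing to fetch: all sources live in ${SRC} (see DISTFILES above).`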
diff --git a/security/safesh/pkg-comment b/security/safesh/pkg-comment
new file mode 100644
index 000000000000..5ed9a85de926
--- /dev/null
+++ b/security/safesh/pkg-comment
@@ -0,0 +1 @@
+Authentication manager for OpenSSH (making secure auth easier)
diff --git a/security/safesh/pkg-descr b/security/safesh/pkg-descr
new file mode 100644
index 000000000000..ad0c138100ff
--- /dev/null
+++ b/security/safesh/pkg-descr
@@ -0,0 +1,4 @@
+safesh is an authentication manager for OpenSSH. By automatically creating
+keys and starting ssh-agents, it makes it (fairly) convenient to use one key
+for each host pair (authenticator and authenticatee), it avoids the use of
+authentication theft with SSH.
diff --git a/security/safesh/pkg-plist b/security/safesh/pkg-plist
new file mode 100644
index 000000000000..2e7225e6d2cb
--- /dev/null
+++ b/security/safesh/pkg-plist
@@ -0,0 +1,2 @@
+bin/safesh
+bin/cvs-safesh
diff --git a/security/safesh/src/cvs-safesh.sh b/security/safesh/src/cvs-safesh.sh
new file mode 100644
index 000000000000..16ccfa71032a
--- /dev/null
+++ b/security/safesh/src/cvs-safesh.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec safesh $1 -- "$@"
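Review bot: The host argument is passed twice in `exec safesh $1 -- "$@"` with nothing saying why; since safesh consumes its first argument as the host and, after dropping `--`, hands the remainder verbatim to ssh, the repeat is presumably what makes cvs's `$CVS_RSH host command ...` calling convention work, and a one-line comment should record that: `# CVS_RSH wrapper: cvs runs "$CVS_RSH host cmd ..."; safesh wants the host first and then the full ssh argument list, so $1 appears twice on purpose.` Quote the first use as `"$1"` so the two copies of the argument cannot diverge under word splitting.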
diff --git a/security/safesh/src/safesh.1 b/security/safesh/src/safesh.1
new file mode 100644
index 000000000000..d9f3fcff059a
--- /dev/null
+++ b/security/safesh/src/safesh.1
@@ -0,0 +1,327 @@
+.\"-
+.\" Copyright (c) 2002 Eivind Eklund
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer
+.\" in this position and unchanged.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd January 26, 2002
+.Dt SAFESH 1
+.Sh NAME
+.Nm safesh
+.Nd safe key manager for OpenSSH
+.Sh SYNOPSIS
+.Nm
+.Op Ar host
+.Op Ar -- ssh-parameters ...
+.Sh DESCRIPTION
+.Nm
+automatically creates one DSA key (called an identity) for each host you
+connect to, and store this in a separate agent for each host.
+It is also capable of adding keys for other hosts to this agent, so you can
+use it for restricted forwarded of authentication.
+Because each host use its own
+.Xr ssh-agent 1 ,
+the hosts you forward authentication to can only get at the authentication for
+the hosts you specifically say it should be able to get at.
+
+When run,
+.Nm
+.Bl -enum
+.It
+Normalizes the hostname you are talking about, using the $HOME/.safesh/map file.
+.It
+Checks if the host has an ssh dsa key in $HOME/.safesh, and creates one using
+.Xr ssh-keygen 1
+if it does not.
+The DSA key is stored in $HOME/.safesh/$HOST/dsa_id.
+You will be asked for a passphrase when the key is created.
+Note that if you use the same passphrase for all
+.Nm
+keys, you will only be asked for the passphrase once per host you connect to.
+If you use different passphrases, you will be asked once per forwarded key
+for each host you connect to (after a machine startup.)
+.It
+Checks if you have the
+.Xr ssh-agent 1
+for this host running, and starts it if not.
+.It
+Checks what keys you are supposed to have active when connecting to this host
+(the key for the host and any keys listed in $HOME/.safesh/$HOST/extra_keys),
+and which of these are missing from the active agent.
+.It
+If any identities were missing from the agent, it executes
+.Xr ssh-add 1
+to add them to the agent.
+.It
+Executes
+.Xr ssh 1
+with either $HOST or the extra command line supplied by the user.
+.El
+
+.Sh BASIC CONCEPT DESCRIPTION
+.Nm
+is an authentication manager for OpenSSH.
+It is an attempt at making it easy to use the built-in authentication features
+of OpenSSH securely.
+By default, the SSH security model is that all hosts the
+user connect to are trusted, and are given complete access - including the
+ability to authenticate as the user towards other hosts if the user is running
+.Xr ssh-agent 1 .
+OpenSSH has improved this security model somewhat by not forwarding ssh
+authentication by default, but still allows the host that you connect to
+to grab your credentials and authenticate as you to anybody else when you
+do authentication forwarding to it.
+
+
+.Sh NAME REPLACEMENT
+.Bl -tag -width "$HOME/.safesh" -compact
+.It Pa $HOME
+is replaced with the path your home directory,
+$HOST is replaced with the name of the host you are
+.Xr ssh 1 ing
+to,
+.It Pa $HOST
+is replaced with the name of the host you are running
+.Nm
+towards.
+This is the machine you are
+.Xr ssh 1 ing
+into.
+.It Pa $YOURHOST
+is replaced with the name of the host you are running
+.Nm
+on, as output by
+.Xr hostname 1 .
+This is the name of the machine you are
+.Xr ssh 1 ing
+from.
+The use of $YOURHOST makes
+.Nm
+safe to use with NFS-mounted home directories.
+.It Pa $AUTHTARGET
+is replaced with the authentication target for an authentication forwarding.
+This is
+.Pa not
+the same as $HOST.
+$AUTHTARGET is a machine you are
+.Xr ssh 1 ing
+to
+.Pa from
+$HOST.
+.El
+
+.Sh FILES
+.Bl -tag -width "$HOME/.safesh" -compact
+.It Pa $HOME/.safesh/
+Directory containing information for
+.Nm .
+
+.It Pa $HOME/.safesh/map
+Mapping file for
+.Nm ,
+describing how to map names to their canonical form.
+This is usually used to map short names to their long form.
+The format of the file is one mapping per line, what it is mapped from as the
+first word, what it is mapped to as the second.
+
+It is also possible to use this to map DNS names to their safe form by having
+the name of the host as the first parameter, and the name of the host with a
+period (.) at the end as the second parameter.
+E.g, "freefall.freebsd.org freefall.freebsd.org."
+
+.It Pa $HOME/.safesh/$HOST/
+Directory with data for a particular hostname.
+Automatically generated on first connect to a host with
+.Nm .
+
+.It Pa $HOME/.safesh/$HOST/dsa_id
+Private key for use against $HOST.
+Automatically generated on first connect to a host with
+.Nm .
+
+.It Pa $HOME/.safesh/$HOST/dsa_id.pub
+Public key for use by $HOST.
+To connect to $HOST using
+.Nm
+without giving a password, add the contents of this file
+to the end of $HOME/.ssh/authorized_keys2.
+Automatically generated on first connect to a host with
+.Nm .
+
+.It Pa $HOME/.safesh/$HOST/$AUTHTARGET
+Private key for use when $HOST authenticates towards $AUTHTARGET.
+This is used in preference to $HOME/.safesh/$AUTHTARGET/dsa_id for authentication
+forwarding through $HOST to $AUTHTARGET.
+The file is only used if $AUTHTARGET is listed in $HOME/.safesh/$HOST/extra_keys.
+This file is not generated automatically by
+.Nm .
+It is only present if you have generated it using
+.Xr ssh-keygen 1 .
+Note that it is usually more than useless (can pose a security risk) to copy a
+key used for other authentication to this location.
+
+The use of explict authentication files for authentication forwarding is
+primarily for protection against the case where the machine you run
+.Nm
+on is compromised.
+Using this file, you can use a separate passphrase from the one used for the
+key for connecting directly to $AUTHTARGET; that key need not even exist.
+By using IP restrictions in the authorized_keys file for the key, you can make
+sure that the host
+.Nm
+runs on cannot connect to $AUTHTARGET using the authentication forwarding
+key.
+The use of a separate forwarding key can also be used in combination with a
+modified SSH to log which key was used where, and thus track key propagation.
+
+.It Pa $HOME/.safesh/$HOST/$AUTHTARGET.pub
+Public key corresponding to the private key described above.
+
+.It Pa $HOME/.safesh/$HOST/extra_keys
+List of extra keys to make available for this host.
+Each line in the file is first attempted matched against the host database in
+$HOME/.safesh/.
+If a key exists here,
+.Nm
+attempts to add that.
+Otherwise, it first tries to look for a file of this name relative to /, then
+relative to $HOME.
+If it does not find either of these,
+.Nm
+will exit with an error message.
+If it finds one, it will add it.
+
+.It Pa $HOME/.safesh/$HOST/activeagent-$YOURHOST.sh
+Bourne shell (see
+.Xr sh 1 ,
+.Xr bash 1 ,
+.Xr zsh 1 )
+script for setting up the environment variables for the particular ssh-agent used for this host.
+Only valid if
+.Nm
+has been run against that host as this user since the machine
+.Nm
+runs on was last booted.
+Note that this file most be source'd, not just run as a shell script.
+
+.It Pa $HOME/.safesh/$HOST/activeagent-$YOURHOST.csh
+CSH (see
+.Xr csh 1 ,
+.Xr tcsh 1 )
+script for setting up the environment variables for the particular ssh-agent used for this host.
+Only valid if
+.Nm
+has been run against that host as this user since the machine
+.Nm
+runs on was last booted.
+Note that this file most be source'd, not just run as a shell script.
+.El
+
+.Sh AUTHORS
+.Nm
+was written by
+.An Eivind Eklund Aq eivind@FreeBSD.org .
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 .
+.Sh MISSING FEATURES
+The present version of
+.Nm
+does to the best of the author's knowledge work correctly in what it does.
+However, there are a number of features that would make it easier to securely handle
+ssh authentication.
+
+.Bl -tag -width "mmmm" -compact
+.It Pa Two-step secure SSH with an untrusted host in the middle
+It is possible to use the port forwarding capability of ssh to forward
+authentication through another server - without allowing the other server to
+indepently authenticate to a third party, and without allowing it to see
+what is going on in your connection.
+This is based on just forwarding a tunnel through the untrusted host, and
+doing direct authentication to the server on the other side.
+With the present version of OpenSSH, this has the problem of leaving the
+actual port forwarding open while the tunnel is open - allowing other users to
+set up their own tunnels, and weakening another side of the security model.
+
+.It Pa Read out fingerprints
+.Nm
+should make it trivial to retrieve the fingerprint for
+.Bl -enum
+.It
+The host it is running on.
+This must presently done with "ssh-keygen -l /etc/ssh/ssh_host_key.pub" (to get
+the fingerprint for SSH 1) and "ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key"
+(for SSH 2).
+.It
+Other hosts, as registered in the known_host file on the host it is running
+on.
+This must presently be done by manual inspection.
+.El
+
+.It Pa Merge known_hosts
+.Nm
+should make it trivial to merge known_hosts and known_hosts2 with ones from
+another host, including retrieving and uploading known_hosts as appropriate.
+
+.It Pa Manage .ssh/authorized_keys2
+.Nm
+should be able to automatically add/remove keys from the authorized_keys2 file
+on other machines, to make the entire
+.Nm
+process self-contained.
+
+.It Pa Manage setup of key limitations
+When managing authorized_keys2, it is also reasonable to manage key limitation
+in this.
+IP restrictions ("from=") should be handled to make it easy to create setups
+where the local machine do not have direct access to a target.
+Command restrictions etc would be good to have just for completeness.
+
+.It Pa Emulate the entire ssh syntax
+Presently, the
+.Nm
+command has a fairly weird syntax.
+This is because it is a fairly quick hack, just made to be usable.
+Later, it would be nice to rewrite it to be fully compatible with
+.Xr ssh 1 .
+This would allow use as a drop-in replacement.
+
+.It Pa Description of the trust/threath/security model
+It would be nice to have a complete description of the normal SSH threath model
+as well as the
+.Nm
+threath model, in order to make people fully conscious of their own model.
+
+.It Pa Emulate scp
+.Xr scp 1
+is a very useful command.
+Unfortunately, it is almost unusable along with safesh, unless you use the
+activeagent files (preferably along with running all of this in a subshell, so
+you do not get extra authentication keys when you are not planning to.)
+
+.El
diff --git a/security/safesh/src/safesh.sh b/security/safesh/src/safesh.sh
new file mode 100644
index 000000000000..d1a74a8e7a1c
--- /dev/null
+++ b/security/safesh/src/safesh.sh
@@ -0,0 +1,94 @@
+#!/bin/sh
+
+HOST=$1
+AKEYS=${HOME}/.safesh/
+
+# MY eXit
+myx() {
+ echo $1 1>&2
+ exit 1
+}
+
+# Normalize host name if necessary
+normalizehost() {
+ cat ${AKEYS}/map 2> /dev/null | awk "(\$1 == \"$1\" && !gotit) {gotit = 1; print tolower(\$2)} END {if(!gotit) {print tolower(\"$1\")}}"
+}
+
+HOST=`normalizehost $HOST`
+
+#
+# Check that the user are using the right parameters
+#
+# XXX This should check for --, but it is unclear how to do that.
+#
+if ! shift; then
+ myx "Usage: $0 <hostname> [-- <ssh parameters>]"
+fi
+
+#
+# Lose the -- from the parameters - it is there for future extensibility
+# using getopt()
+#
+shift 2> /dev/null;
+
+if [ ! -d $AKEYS/$HOST ]; then
+ mkdir -p $AKEYS/$HOST || myx "Unable to create $AKEYS/$HOST"
+fi
+
+if [ ! -e $AKEYS/$HOST/id_dsa ]; then
+ ssh-keygen -t dsa -f $AKEYS/$HOST/id_dsa || myx "Unable to create $AKEYS/$HOST/id_dsa"
+fi
+
+# We now have a key in $AKEYS/$HOST/id_dsa
+
+ACTIVEAGENT=$AKEYS/$HOST/activeagent-`hostname`
+if [ -e $ACTIVEAGENT.sh ]; then
+ . $ACTIVEAGENT.sh || myx "Unable to read $ACTIVEAGENT.sh"
+fi
+
+if ! ssh-add -l > /dev/null 2>& 1; then
+ ssh-agent -s > $ACTIVEAGENT.tmp || myx "Unable to start ssh-agent"
+ sed '/^echo/d' < $ACTIVEAGENT.tmp > $ACTIVEAGENT.sh
+ rm -f $ACTIVEAGENT.tmp
+ . $ACTIVEAGENT.sh || myx "Unable to read $ACTIVEAGENT.sh after creating it"
+ (echo setenv SSH_AUTH_SOCK $SSH_AUTH_SOCK\;
+ echo setenv SSH_AGENT_PID $SSH_AGENT_PID\;) > $ACTIVEAGENT.csh
+ #echo "Started agent with PID $SSH_AGENT_PID, socket $SSH_AUTH_SOCK" 1>&2
+fi
+
+# We now have a live agent, possibly without any keys in it
+
+
+for i in $HOST $(cat ${AKEYS}/$HOST/extra_keys 2> /dev/null); do
+ tmp=`normalizehost $i`
+ if [ -f $AKEYS/$HOST/$tmp ]; then
+ IDENTITY=$AKEYS/$HOST/$tmp
+ elif [ -d $AKEYS/$tmp/ ]; then
+ if ! [ -f $AKEYS/$tmp/id_dsa -a -r $AKEYS/$tmp/id_dsa ]; then
+ myx "Missing key for $tmp"
+ fi
+ IDENTITY=$AKEYS/$tmp/id_dsa
+ elif [ -f "/$i" ]; then
+ IDENTITY="/$i"
+ elif [ -f "$HOME/$i" ]; then
+ IDENTITY="$HOME/$i"
+ else
+ myx "Unable to find key for \"$i\""
+ fi
+ # Only add it to the list if it isn't already in the agent. This is a
+ # workaround for a bug in ssh-add, which asks for the password FIRST,
+ # and checks for the existence of the the key in the agent AFTERWARDS
+ if [ "`(ssh-add -l && ssh-keygen -l -f "$IDENTITY") | awk '{print $1, $2}' | sort | uniq -d)`" = "" ]; then
+ KEYLIST="$KEYLIST $IDENTITY"
+ fi
+done
+
+if [ "${KEYLIST}" != "" ]; then
+ ssh-add $KEYLIST
+fi
+
+if [ "$1" = "" ]; then
+ exec ssh $HOST
+else
+ exec ssh "$@"
+fi
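Review bot: normalizehost splices its argument into the awk program text inside a double-quoted string, so a host argument containing `"` or `\` changes the awk syntax instead of being compared as data; pass it in as an awk variable instead: `cat ${AKEYS}/map 2> /dev/null | awk -v h="$1" '($1 == h && !gotit) {gotit = 1; print tolower($2)} END {if (!gotit) print tolower(h)}'`. Separately, the agent check `if ! ssh-add -l ...` treats every non-zero exit as "no agent running", but ssh-add -l also exits 1 when an agent is reachable and merely holds no identities, so a run whose ssh-add failed (e.g. a cancelled passphrase) will start a fresh ssh-agent and rewrite the activeagent files on every later invocation, leaking agent processes. Test the "cannot contact agent" status explicitly: `ssh-add -l > /dev/null 2>&1; if [ $? -eq 2 ]; then`. The key file is named `id_dsa` throughout this script, while the man page added in the same commit documents it as `$HOME/.safesh/$HOST/dsa_id`; one of the two should be corrected so users looking for the public key to copy find it.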