Return of the 007 SSH Agent

Years ago, when I had first started listening to podcasts and had barely worked at PRWeb for a year, I came up with a piece of shell script to automatically start an ssh-agent and ask for your passphrase.

Unfortunately, that code started a fresh ssh-agent for every shell, leaving tons of them running.

Here is a version that behaves much better:

    #!/bin/bash
    # Source this from your shell startup file so the exports reach the shell.
    export SSH_RECENT="$HOME/.ssh/recent"
    # Pick up the agent recorded by an earlier shell, if there is one.
    [ -f "$SSH_RECENT" ] && eval "$(cat "$SSH_RECENT")"
    RUNNING_AGENTS=0
    if [ -n "$SSH_AGENT_PID" ]
    then
        # Count the process only if it really is an ssh-agent; a stale PID
        # may have been reused by some unrelated process in the meantime.
        RUNNING_AGENTS=$(ps -p "$SSH_AGENT_PID" -o comm= | grep -c ssh-agent)
    fi
    # Start a new agent only when none is alive and we are not root.
    if [ "$RUNNING_AGENTS" -lt 1 ] && [ "$UID" -ne 0 ]
    then
        eval "$(ssh-agent)"
        echo "export SSH_AGENT_PID=$SSH_AGENT_PID" > "$SSH_RECENT"
        echo "export SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$SSH_RECENT"
    fi

    # Add the default key (prompting for the passphrase) only when the agent
    # reports that it holds no identities.
    [ "$(ssh-add -l | fgrep -v ' no ' | wc -l)" -lt 1 ] && ssh-add

Can you tell me why I’m choosing to evaluate $UID for zero?

And, will this work if I switch from an Xterm to a virtual terminal?
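As an added example (not the script from the post), here is a stricter variant of the same reuse-the-recorded-agent idea: it parses $HOME/.ssh/recent instead of eval'ing it, so a stale or tampered record file cannot feed commands into the shell, it confirms the recorded PID still belongs to an ssh-agent and that the socket still exists, and it uses the exit status of ssh-add -l instead of grepping its output. The function names parse_recent, agent_alive, need_key and ssh_agent_setup are this example's own.

```shell
#!/bin/bash
# Added example: reuse a recorded ssh-agent without eval'ing the record file.
# Function names are this example's own, not from the original script.

# parse_recent FILE: print "PID SOCK" when FILE holds exactly the two expected
# export lines with a numeric PID and an absolute socket path; else return 1.
parse_recent() {
    local file="$1" pid="" sock="" line
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "export SSH_AGENT_PID="*) pid="${line#export SSH_AGENT_PID=}" ;;
            "export SSH_AUTH_SOCK="*) sock="${line#export SSH_AUTH_SOCK=}" ;;
            "") ;;
            *) return 1 ;;   # anything else: stale or tampered file, reject it
        esac
    done < "$file"
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac   # digits only
    case "$sock" in /*) ;; *) return 1 ;; esac     # absolute path only
    printf '%s %s\n' "$pid" "$sock"
}

# agent_alive PID SOCK: succeed only if SOCK is a socket and PID is ssh-agent,
# not just any process that happens to have been given the same number since.
agent_alive() {
    [ -S "$2" ] || return 1
    [ "$(ps -p "$1" -o comm= 2>/dev/null)" = "ssh-agent" ]
}

# need_key: ssh-add -l exits 0 with keys loaded, 1 with none, 2 with no agent.
need_key() {
    ! ssh-add -l >/dev/null 2>&1
}

# ssh_agent_setup: the post's flow, meant to be called from an interactive shell.
ssh_agent_setup() {
    local recent="$HOME/.ssh/recent"
    [ "$(id -u)" -ne 0 ] || return 0          # same root rule as the original
    set -- $(parse_recent "$recent")
    if [ $# -eq 2 ] && agent_alive "$1" "$2"; then
        export SSH_AGENT_PID="$1" SSH_AUTH_SOCK="$2"
    else
        eval "$(ssh-agent -s)"
        ( umask 077; printf 'export SSH_AGENT_PID=%s\nexport SSH_AUTH_SOCK=%s\n' \
            "$SSH_AGENT_PID" "$SSH_AUTH_SOCK" > "$recent" )
    fi
    need_key && ssh-add
}
```

Source the file from your shell startup and call ssh_agent_setup; the record file is written with umask 077 so only the owner can read the socket path.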


on the usability of passphrases

Ok, I finally had a moment to fully read and digest the article on password usability. My first thought is that there are some places this logic should not apply: situations where offline brute forcing is possible (like theft of password hashes), wifi routers, and sites that take only small (8-char) passwords. In these cases using a password manager like Lastpass is super efficient; it manages highly random passwords for you.

The second thought I had was: is the author's presumption of attack criteria accurate enough? A battery of common phrases is as easy to use as a dictionary, and most people only know a few memorable phrases. The attack rate is also presumptuous, and the article mixes points of view, with user suggestions and developer suggestions, so an attack rate of 3000 attempts or better is easily possible against a well provisioned but insecurely designed web site. Can you remember 15 different phrases if you have 15 different logins? We really should just be using password managers.

And the last thought I had was: what does a security pro say on this? I tweeted @SGgrc, and Steve Gibson of the Security Now podcast will cover this in an upcoming episode! (www.twit.tv/sn)