[Please preserve the CC to 160588-forwarded@bugs.debian.org, this archives messages in the Debian BTS]
Hi lsh-dev's ...
I just received this "feature request" bug ...
---------- Forwarded Message ----------
Subject: Bug#160588: lsh-utils: ~/.lsh/authorized_keys_sha1/* not human-readable (so no comments)
Date: Wed, 11 Sep 2002 18:00:30 -0400
From: "David B Harris" <eelf@sympatico.ca>
To: "Debian Bug Tracking System" <submit@bugs.debian.org>

Package: lsh-utils
Version: 1.4.2-1
Severity: minor
Hey there :)
I installed lsh-utils to see how the project is coming along (quite well, actually; I may run it as my sshd(8) when X11 forwarding is available on the serverside, to help test things).
Aaanyways, I do have one fairly serious problem (despite the severity of this bug report ;). The files in ~/.lsh/authorized_keys_sha1/ aren't human-readable, and lsh-authorize doesn't store key comments anywhere else. This might actually be a security concern; if I can't figure out which key to delete now that a host I connect from is decommissioned, I'll leave it there.
So, I guess this feature request is just for (yet another) lsh- util that'll read the comment stored in the non-human-readable file. Dunno if one's stored right now, but it's probably worth doing ;)
The option is to have lsh-authorize keep its own little listing in ~/.lsh/ somewhere. That's all right too.
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux willow 2.4.19-xfs-a2 #1 Sat Aug 31 12:46:32 EDT 2002 i686
Locale: LANG=en_CA, LC_CTYPE=en_CA

Versions of packages lsh-utils depends on:
ii  libc6          2.2.5-14.1        GNU C Library: Shared libraries an
ii  libgmp3        4.0.1-3           Multiprecision arithmetic library
ii  libncurses5    5.2.20020112a-8   Shared libraries for terminal hand
ii  liboop3        0.8-2             Event loop management library
di  libpam0g       0.72-35           Pluggable Authentication Modules l
ii  libreadline4   4.3-4             GNU readline and history libraries
ii  libwrap0       7.6-ipv6.1-3      Wietse Venema's TCP wrappers libra
ii  zlib1g         1:1.1.4-3         compression library - runtime

-- no debconf information

-------------------------------------------------------

--
Timshel Knoll <timshel@pobox.com>, Debian email: <timshel@debian.org>
Debian GNU/Linux developer: http://people.debian.org/~timshel/
GnuPG public key: finger timshel@debian.org
> Aaanyways, I do have one fairly serious problem (despite the severity of this bug report ;). The files in ~/.lsh/authorized_keys_sha1/ aren't human-readable, and lsh-authorize doesn't store key comments anywhere else. This might actually be a security concern; if I can't figure out which key to delete now that a host I connect from is decommissioned, I'll leave it there.
Hrrm, if you at least know your key, you can try something like this to find out which key file authorizes it.
--CUT--
#! /bin/sh
# Lists every key under ~/.lsh/authorized_keys_sha1, printing each one in
# readable lsh (sexp transport) form and in OpenSSH form, so a stored key
# can be matched against the one you still have on the client host.

usage () {
    echo "Usage: $0"
}

while [ $# != 0 ]; do
    case $1 in
        -help | --help | --hel | --he)
            usage
            exit 0
            ;;
        --*)
            echo "Unknown option $1"
            usage
            exit 1
            ;;
        *)
            break
            ;;
    esac
    options="$options $1"
    shift
done

if [ $# != 0 ] ; then
    usage
    exit 0
fi

# Both tools can be overridden from the environment
: ${SEXP_CONV:=sexp-conv}
: ${LSH_EXPORT_KEY:=lsh-export-key}

if type "$SEXP_CONV" >/dev/null 2>&1 ; then : ; else
    echo "Can't find the sexp-conv program"
    exit 1
fi

if type "$LSH_EXPORT_KEY" >/dev/null 2>&1 ; then : ; else
    echo "Can't find the lsh-export-key program"
    exit 1
fi

if [ -d "$HOME/.lsh/authorized_keys_sha1" ] ; then
    echo "Authorized keys:"
    for key in "$HOME"/.lsh/authorized_keys_sha1/*; do
        echo
        echo "Key file $key"
        echo
        echo "lsh format"
        "$SEXP_CONV" -i canonical -f transport < "$key"
        echo
        echo "OpenSSH format (base64-encoded, ignore linebreaks and spaces)"
        echo
        "$LSH_EXPORT_KEY" -i canonical < "$key"
        echo
    done
else
    echo "No authorized keys"
fi
--CUT--
> So, I guess this feature request is just for (yet another) lsh- util that'll read the comment stored in the non-human-readable file. Dunno if one's stored right now, but it's probably worth doing ;)
The above utility should help you a little bit, although it is probably a good idea to allow lsh-authorize to take a comment and store it when you authorize a key.
/Pontus
Timshel Knoll <timshel@debian.org> writes:
> Aaanyways, I do have one fairly serious problem (despite the severity of this bug report ;). The files in ~/.lsh/authorized_keys_sha1/ aren't human-readable, and lsh-authorize doesn't store key comments anywhere else. This might actually be a security concern; if I can't figure out which key to delete now that a host I connect from is decommissioned, I'll leave it there.
> So, I guess this feature request is just for (yet another) lsh- util that'll read the comment stored in the non-human-readable file. Dunno if one's stored right now, but it's probably worth doing ;)
One can read the files by piping them through the sexp-conv program (they just contain the public key in sexp format), but there are usually no labels inside.
Some things one could add to lsh-authorize are
(i) an option that inserts a label (probably a ;-comment) in the file. Actually, the authorized keys mechanism is a hack (even if I think it's quite a robust hack), and the contents of the file aren't used at all, and
(ii) an option that unauthorizes a key, by deleting the corresponding file.
Regards, /Niels
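To make the "pipe it through sexp-conv" step above concrete, here is an added example (not code from this thread or from lsh): a small parser for the canonical s-expression byte format these key files use, plus a renderer that approximates sexp-conv's readable form and rejects truncated files instead of reading past their end. The (public-key (rsa-pkcs1-sha1 (n ...) (e ...))) layout and the n/e values in the sample are constructed assumptions, not a real lsh key.

```python
# Constructed sample (not a real key): an lsh-style public key in canonical
# s-expression form, the byte format stored under ~/.lsh/authorized_keys_sha1/.
# The (public-key (rsa-pkcs1-sha1 (n ...) (e ...))) layout is assumed here and
# the n/e values are toy bytes.
SAMPLE_KEY = b"(10:public-key(14:rsa-pkcs1-sha1(1:n3:\x00\xc1\x07)(1:e3:\x01\x00\x01)))"

def parse_canonical_sexp(data):
    """Parse one canonical s-expression: '(' ... ')' lists and '<len>:<bytes>' atoms.
    Returns nested lists of bytes; raises ValueError on truncated or malformed input."""
    def parse(pos):
        if pos >= len(data):
            raise ValueError("unexpected end of data")
        if data[pos:pos + 1] == b"(":
            items, pos = [], pos + 1
            while data[pos:pos + 1] != b")":
                if pos >= len(data):
                    raise ValueError("unterminated list")
                item, pos = parse(pos)
                items.append(item)
            return items, pos + 1
        colon = data.find(b":", pos)
        if colon < 0 or not data[pos:colon].isdigit():
            raise ValueError("expected '(' or a decimal length prefix at offset %d" % pos)
        start = colon + 1
        end = start + int(data[pos:colon])
        if end > len(data):  # length prefix claims more bytes than the file holds
            raise ValueError("atom length runs past end of data")
        return data[start:end], end

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after s-expression")
    return value

def render(sexp, indent=0):
    """Show a parsed s-expression roughly as sexp-conv's advanced form does:
    token-like atoms bare, binary atoms as #hex#, nested lists indented."""
    pad = "  " * indent
    if isinstance(sexp, bytes):
        if sexp and all(b < 128 and (chr(b).isalnum() or chr(b) in "-_.") for b in sexp):
            return pad + sexp.decode("ascii")
        return pad + "#" + sexp.hex() + "#"
    if not sexp:
        return pad + "()"
    head, rest = render(sexp[0]), sexp[1:]
    if all(isinstance(x, bytes) for x in rest):
        return pad + "(" + " ".join([head] + [render(x) for x in rest]) + ")"
    return pad + "(" + head + "\n" + "\n".join(render(x, indent + 1) for x in rest) + ")"
```

To inspect a real file, call render(parse_canonical_sexp(open(path, "rb").read())) on one of the files in that directory.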