Run a python script for entering RSA passphrases for Unix systems

0

I would like to know if there is a way to put a new "layer" in when the SO (preferably Ubuntu or Mac OS X) asks for the passphrase of an RSA key.

How it normally works:

Use ssh;

a prompt appears asking for the passphrase;

enter the passphrase and hit enter.

How I would like to be:

Use ssh;

a python script running in the background sends the password for the RSA key.

I would like this to work on any Unix system.

If possible, is it easy to configure this? Like, edit some lines in a configuration file or so?

Thanks

Arruda

Posted 2013-02-14T01:29:58.837

Reputation: 101

What do you mean by an SO? – cpast – 2013-02-14T01:48:57.400

Oops, sorry, I misspelled it: OS (Operating System) – Arruda – 2013-02-14T04:11:24.100

Answers

1

Doing this entirely defeats the purpose of a passphrase. The reason you use a passphrase for ssh keys is so that someone who compromises your computer and steals your private key can't decrypt and use it. If a script supplies the passphrase, you need to store it in plaintext on your hard drive, and that means that an attacker can easily recover it and compromise your key.

If you want to just enter a passphrase once per session (so you'd enter it when you first ssh and then not have to enter it again), look into ssh agents. On some systems, you can even make your password the passphrase, so it unlocks when you log in. However, writing a script to auto-enter the passphrase means you'd be better off just removing the passphrase entirely.

cpast

Posted 2013-02-14T01:29:58.837

Reputation: 2 279

It's because I intend to write a python script that will check a USB file encrypted with the password and that can only be decrypted with another file from my PC. – Arruda – 2013-02-14T02:12:01.013

You're still protecting your identity with an unencrypted file (the last file you mentioned). You're still defeating the point of a passphrase - an attacker who compromises the system when the flash drive is plugged in gets your key. Why not use agents properly and only enter the passphrase once? You can even set it so its passphrase is your password, and it unlocks at login. – cpast – 2013-02-14T02:22:35.047

Also, rolling your own security stuff can end badly. – cpast – 2013-02-14T02:23:38.820

I know that this last file is unencrypted, but it only has the key to the key (USB). I can say that the idea is to have an easy way to not use the passphrase (using a USB, a physical key) instead of using the agents to enter the passphrase once. And also this would help me to learn more about this stuff =) (thanks for the security warning) – Arruda – 2013-02-14T03:01:27.610
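As an added illustration of the agent approach cpast recommends (not part of the original thread), this is the OpenSSH client configuration that makes the agent hold the key after the first use, so the passphrase is typed once per session and never stored on disk. It assumes OpenSSH 7.2 or newer (where AddKeysToAgent was introduced), a running ssh-agent, and a key at ~/.ssh/id_rsa.

```sshconfig
# ~/.ssh/config (added example, not from the thread)
Host *
    # On the first connection ssh prompts for the passphrase as usual, then
    # hands the decrypted key to the running ssh-agent. Later connections in
    # the same session are authenticated by the agent without a prompt.
    # The passphrase itself is never written to disk.
    AddKeysToAgent yes

    # Assumed key location; the key stays passphrase-protected on disk.
    IdentityFile ~/.ssh/id_rsa

    # macOS only (Apple's OpenSSH build): let ssh-add read the passphrase from
    # the login Keychain, which is the "unlocks when you log in" behaviour the
    # answer describes. Leave commented out on Linux, where the option is unknown.
    # UseKeychain yes
```

With this in place the key can also be loaded explicitly once per login with `ssh-add ~/.ssh/id_rsa`, and `ssh-add -l` shows whether the agent currently holds it.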

1

Have a look at gpg-preset-passphrase. Perhaps that's what you need. Or you talk directly to gpg-agent via the Assuan protocol.

Hauke Laging

Posted 2013-02-14T01:29:58.837

Reputation: 275

I looked at the gpg-preset-passphrase, but couldn't find it in the GnuPG package for Ubuntu. Is it really in this package? I can't say for sure this is really the answer I'm looking for, but from what I was reading it looks like it. =) thanks – Arruda – 2013-02-16T21:17:00.193

@Arruda It's part of the openSUSE gpg2 package (there /usr/lib64/gpg-preset-passphrase, not in $PATH though!). – Hauke Laging – 2013-02-17T01:08:36.393