author Eivind Eklund <eivind@FreeBSD.org> 2002-10-31 21:11:07 +0000
committer Eivind Eklund <eivind@FreeBSD.org> 2002-10-31 21:11:07 +0000
commit adc23812ca05338d73b0362090599be5315a8581
tree c6a3aa77f22badf11e6f5e431d94cbae96a39c0a /security/safesh/src
parent Upgrade to 0.5.4.
Upgrade to V1.4.
This includes a series of usability fixes, including making safesh easy to use with CVS, with scp, and to make installation on other hosts trivial.
Notes: svn path=/head/; revision=69213
Diffstat (limited to 'security/safesh/src')
-rw-r--r-- security/safesh/src/safesh.1 | 294
-rw-r--r-- security/safesh/src/safesh.sh | 14
2 files changed, 192 insertions, 116 deletions
diff --git a/security/safesh/src/safesh.1 b/security/safesh/src/safesh.1
index f3ad4785d44c..1ba321d6c157 100644
--- a/security/safesh/src/safesh.1
+++ b/security/safesh/src/safesh.1
@@ -34,9 +34,33 @@
.Nd safe key manager for OpenSSH
.Sh SYNOPSIS
.Nm
-.Op Ar host
-.Op Ar -- ssh-parameters ...
+.Sm off
+.Op Ar user@
+.Ar host
+.Sm on
+.Op Ar "-- ssh-parameters ..."
+.Nm safeshinstall
+.Sm off
+.Op Ar user@
+.Ar host
+.Sm on
+.Nm cvs-safesh
+.Sm off
+.Op Ar user@
+.Ar host
+.Sm on
+.Op Ar command
+.Nm scpsh
+.Sm off
+.Op Ar user@
+.Ar host
+.Sm on
.Sh DESCRIPTION
+NOTE: This text often refers to $VARIABLE in description.
+What each of the references will be replaced with when
+.Nm
+runs is described at the end of the manpage.
+.Pp
.Nm
automatically creates one DSA key (called an identity) for each host you
connect to, and store this in a separate agent for each host.
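Review bot: The NOTE added at the top of DESCRIPTION points to "the end of the manpage" in free text, which goes stale the next time sections are reordered. Use a section cross-reference instead (.Sx VARIABLE REPLACEMENT IN DESCRIPTIONS), so the pointer names the section this commit introduces.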
@@ -46,7 +70,7 @@ Because each host use its own
.Xr ssh-agent 1 ,
the hosts you forward authentication to can only get at the authentication for
the hosts you specifically say it should be able to get at.
-
+.Pp
When run,
.Nm
.Bl -enum
@@ -80,7 +104,6 @@ Executes
.Xr ssh 1
with either $USER@$HOST or the extra command line supplied by the user.
.El
-
.Sh BASIC CONCEPT DESCRIPTION
.Nm
is an authentication manager for OpenSSH.
@@ -94,98 +117,87 @@ OpenSSH has improved this security model somewhat by not forwarding ssh
authentication by default, but still allows the host that you connect to
to grab your credentials and authenticate as you to anybody else when you
do authentication forwarding to it.
-
.Sh SIMPLE HOWTO
Starting to make use of
.Nm
is trivial:
.Bl -enum
.It
-Do "safesh <hostname>".
-This will ask you for a passphrase (three times), and create a directory
-$HOME/.safesh/<yourusername>@<hostname>-22, which contains authentication
-data for your user at <hostname>.
-.It
-Add the contents of $HOME/.safesh/<yourusername>@<hostname>-22/id_dsa.pub to
-$HOME/.ssh/authorized_keys2 on the host you
-.Nm
-*to*.
+Do
+.Dl % safeshinstall <[user@]hostname>
+This will ask for a passphrase (three times), create a directory
+$HOME/.safesh/<user>@<hostname>-22, which contains authentication
+data for your user at <hostname>, and add the contents of
+$HOME/.safesh/<user>@<hostname>-22/id_dsa.pub to
+$HOME/.ssh/authorized_keys2 on the host you connect to.
+The latter will result in
+.Xr ssh 1
+asking for authentication in the fashion you already use (most likely by
+asking for your password.)
.It
-Log in with "safesh <hostname>" from now on.
+Log in with
+.Li "safesh <hostname>"
+from now on.
This will ask you for a passphrase if you have not logged into that host this
session, and otherwise just let right in.
.El
-
-To give an example, let us say I (eivind@FreeBSD.org) want to set up this up
-for use with the main FreeBSD development server, freefall.freebsd.org, from
-the account "eivind" on my workstation:
-.Bl -enum
-.It
-eivind(ws)--% safesh freefall.freebsd.org
-
-<answer passphrase three times, then break off password prompt>
-.It
-eivind(ws)--% cat ~/.safesh/eivind@freefall.freebsd.org-22/id_dsa.pub | safesh freefall.freebsd.org -- freefall.freebsd.org 'mkdir -p .ssh && cat >> ~/.ssh/authorized_keys2'
-
-Answer password prompt with the password used on freefall.
-The command above updates authorized_keys2 file with the key we just
-generated.
-From now on, it is possible to connect to freefall with just
-"safesh freefall.freebsd.org"
-.El
-
-.Sh NAME REPLACEMENT
-.Bl -tag -width "$HOME/.safesh" -compact
-.It Pa $HOME
-is replaced with the path your home directory,
-.It Pa $HOST
-is replaced with the name of the host you are running
+.Sh UTILITY COMMANDS
.Nm
-towards.
-This is the machine you are
-.Xr ssh 1 ing
-into.
-.It Pa $YOURHOST
-is replaced with the name of the host you are running
-.Nm
-on, as output by
-.Xr hostname 1 .
-This is the name of the machine you are
-.Xr ssh 1 ing
-from.
-The use of $YOURHOST makes
+ships with two utility hacks to work around the fact that it is not a complete
+.Xr ssh 1
+replacement,
+.Nm scpsh
+and
+.Nm cvs-safesh .
+.Pp
+.Nm scpsh
+is for supporting use of
+.Xr scp 1
+with
+.Nm .
+.Nm scpsh
+.Sm off
+.Op Ar user@
+.Ar host
+.Sm on
+will start a new interactive shell (using the
+.Ev SHELL
+environment variable to determine which it should be), with the environment
+variables for using
+.Xr ssh-agent 1
+to authenticate to [user@]host already set.
+This allows use of
+.Xr scp 1
+without having to type passwords to authenticate.
+.Pp
+.Nm cvs-safesh
+makes it easy to use
.Nm
-safe to use with NFS-mounted home directories.
-.It Pa $AUTHTARGET
-is replaced with the authentication target for an authentication forwarding.
-This is
-.Pa not
-the same as $HOST.
-$AUTHTARGET is a machine you are
-.Xr ssh 1 ing
+along with
+.Xr cvs 1
+and other programs that use
+.Xr rsh 1
+or
+.Xr ssh 1
+with the format
+.Qq Li "ssh <user@host> <command>"
+or
+.Qq Li "ssh <host> <command>" .
+To use with
+.Xr cvs 1 ,
+just set
+.Ev CVS_RSH
to
-.Pa from
-$HOST.
-The format of $AUTHTARGET is <user>@<somehost>-<someport>, where <user>
-defaults to the username you run
-.Nm
-as, and <someport> default to 22 (and it is not possible to set anything
-else at this time.)
-.It Pa $USER
-is replaced with The username used on $HOST; defaults to the same as the
-username you have on $YOURHOST, but will be different if you do safesh
-user@host instead of just safesh host.
-.It Pa $PORT
-The port used on $HOST.
-Presently always 22.
-.El
-
+.Qq Li cvs-safesh
+instead of
+.Qq Li ssh .
+.Pp
.Sh FILES
.Bl -tag -width "$HOME/.safesh" -compact
.It Pa $HOME/.safesh/
Directory containing information for
.Nm .
-
+.Pp
.It Pa $HOME/.safesh/map
Mapping file for
.Nm ,
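Review bot: Step 1 of SIMPLE HOWTO says safeshinstall "will ask for a passphrase (three times)", but the safesh.sh change in this same commit now asks "New host $HOST - create key (yes/no)?" before the host directory is created, so the first prompt a new user sees is undocumented. Mention the confirmation in this step, and that answering "no" exits without creating a key. Separately, UTILITY COMMANDS documents cvs-safesh, while the basename dispatch added to safesh.sh has cases only for scpsh and safeshinstall. If cvs-safesh is a separate wrapper outside src/, say so here; otherwise the dispatch needs a case for it.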
@@ -193,22 +205,22 @@ describing how to map host names to their canonical form.
This is usually used to map short names to their long form.
The format of the file is one mapping per line, what it is mapped from as the
first word, what it is mapped to as the second.
-
+.Pp
It is also possible to use this to map DNS names to their safe form by having
the name of the host as the first parameter, and the name of the host with a
period (.) at the end as the second parameter.
E.g, "freefall.freebsd.org freefall.freebsd.org."
-
+.Pp
.It Pa $HOME/.safesh/$USER@$HOST-$PORT/
Directory with data for a particular hostname.
Automatically generated on first connect to a host with
.Nm .
-
+.Pp
.It Pa $HOME/.safesh/$USER@$HOST-$PORT/dsa_id
Private key for use to authenticate as $USER@$HOST.
Automatically generated on first connect to a host with
.Nm .
-
+.Pp
.It Pa $HOME/.safesh/$USER@$HOST-$PORT/dsa_id.pub
Public key for use by $HOST to authenticate $USER.
To connect to $HOST as $USER using
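Review bot: The FILES entries in this hunk's context still name the key files dsa_id and dsa_id.pub, while the rewritten SIMPLE HOWTO and the safeshinstall branch in safesh.sh both use id_dsa.pub. These entries are being touched anyway, so correct the file names to match what the script actually reads. Otherwise a reader following FILES will look for a key that is not there.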
@@ -217,19 +229,19 @@ without giving a password, add the contents of this file
to the end of $HOME/.ssh/authorized_keys2.
Automatically generated on first connect to a host with
.Nm .
-
+.Pp
.It Pa $HOME/.safesh/$USER@$HOST-$PORT/$AUTHTARGET
Private key for use when $HOST authenticates towards $AUTHTARGET.
This is used in preference to $HOME/.safesh/$AUTHTARGET/dsa_id for authentication
forwarding through $HOST to $AUTHTARGET.
-The file is only used if $AUTHTARGET is listed in $HOME/.safesh/$HOST/extra_keys.
+The file is only used if $AUTHTARGET is listed in $HOME/.safesh/$USER@$HOST-$PORT/extra_keys.
This file is not generated automatically by
.Nm .
It is only present if you have generated it using
.Xr ssh-keygen 1 .
Note that it is usually more than useless (can pose a security risk) to copy a
key used for other authentication to this location.
-
+.Pp
The use of explict authentication files for authentication forwarding is
primarily for protection against the case where the machine you run
.Nm
@@ -243,11 +255,11 @@ runs on cannot connect to $AUTHTARGET using the authentication forwarding
key.
The use of a separate forwarding key can also be used in combination with a
modified SSH to log which key was used where, and thus track key propagation.
-
-.It Pa $HOME/.safesh/$HOST/$AUTHTARGET.pub
+.Pp
+.It Pa $HOME/.safesh/$USER@$HOST-$PORT/$AUTHTARGET.pub
Public key corresponding to the private key described above.
-
-.It Pa $HOME/.safesh/$HOST/extra_keys
+.Pp
+.It Pa $HOME/.safesh/$USER@$HOST-$PORT/extra_keys
List of extra keys to make available for this host.
Each line in the file is first attempted matched against the host/user/port
database in $HOME/.safesh/.
@@ -263,8 +275,8 @@ If it does not find either of these,
will exit with an error message.
If it finds one, it will add it using
.Xr ssh-add 1 .
-
-.It Pa $HOME/.safesh/$HOST/activeagent-$YOURHOST.sh
+.Pp
+.It Pa $HOME/.safesh/$USER@$HOST-$PORT/activeagent-$YOURHOST.sh
Bourne shell (see
.Xr sh 1 ,
.Xr bash 1 ,
@@ -276,8 +288,8 @@ has been run against that host as this user since the machine
.Nm
runs on was last booted.
Note that this file most be source'd, not just run as a shell script.
-
-.It Pa $HOME/.safesh/$HOST/activeagent-$YOURHOST.csh
+.Pp
+.It Pa $HOME/.safesh/$USER@$HOST-$PORT/activeagent-$YOURHOST.csh
CSH (see
.Xr csh 1 ,
.Xr tcsh 1 )
@@ -289,7 +301,7 @@ has been run against that host as this user since the machine
runs on was last booted.
Note that this file most be source'd, not just run as a shell script.
.El
-
+.Pp
.Sh AUTHORS
.Nm
was written by
@@ -299,10 +311,11 @@ was written by
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 .
-
+.Pp
.Sh KNOWN ISSUES
-.Nm does not handle whitespace in filenames specified in extra_keys correctly.
-
+.Nm
+does not handle whitespace in filenames specified in extra_keys correctly.
+.Pp
The ssh-agents that are started by will hang around until next reboot unless
you put 'killall ssh-agent' in .logout or similar.
This allows any login to your account to use your authentication towards
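Review bot: The paragraph right after the corrected .Nm line still reads "The ssh-agents that are started by will hang around", with the program name missing after "by". It looks like the same lost .Nm that this hunk fixes two lines earlier. Add a .Nm line there so the sentence names what starts the agents.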
@@ -312,7 +325,7 @@ You must always assume that root can grab your authentication at the moment
you run do it, so this is only an issue in that the authentication stays
available longer.
This is not resolvable without rewriting ssh-agent.
-
+.Pp
.Sh MISSING FEATURES
.Bl -tag -width "mmmm" -compact
.It Pa Two-step secure SSH with an untrusted host in the middle
@@ -325,7 +338,7 @@ doing direct authentication to the server on the other side.
With the present version of OpenSSH, this has the problem of leaving the
actual port forwarding open while the tunnel is open - allowing other users to
set up their own tunnels, and weakening another side of the security model.
-
+.Pp
.It Pa Read out fingerprints
.Nm
should make it trivial to retrieve the fingerprint for
@@ -340,26 +353,26 @@ Other hosts, as registered in the known_host file on the host it is running
on.
This must presently be done by manual inspection.
.El
-
+.Pp
.It Pa Merge known_hosts
.Nm
should make it trivial to merge known_hosts and known_hosts2 with ones from
another host, including retrieving and uploading known_hosts as appropriate.
-
+.Pp
.It Pa Manage .ssh/authorized_keys2
.Nm
-should be able to automatically add/remove keys from the authorized_keys2 file
-on other machines, to make the entire
+should be able to automatically remove keys from the authorized_keys2 file
+on other machines, to make everything about the
.Nm
process self-contained.
-
+.Pp
.It Pa Manage setup of key limitations
When managing authorized_keys2, it is also reasonable to manage key limitation
in this.
IP restrictions ("from=") should be handled to make it easy to create setups
where the local machine do not have direct access to a target.
Command restrictions etc would be good to have just for completeness.
-
+.Pp
.It Pa Emulate the entire ssh syntax
Presently, the
.Nm
@@ -368,18 +381,69 @@ This is because it is a fairly quick hack, just made to be usable.
Later, it would be nice to rewrite it to be fully compatible with
.Xr ssh 1 .
This would allow use as a drop-in replacement.
-
-.It Pa Description of the trust/threath/security model
-It would be nice to have a complete description of the normal SSH threath model
+.Pp
+.It Pa Description of the trust/threat/security model
+It would be nice to have a complete description of the normal SSH threat model
as well as the
.Nm
-threath model, in order to make people fully conscious of their own model.
-
+threat model, in order to make people fully conscious of their own model.
+.Pp
.It Pa Emulate scp
.Xr scp 1
-is a very useful command.
-Unfortunately, it is almost unusable along with safesh, unless you use the
-activeagent files (preferably along with running all of this in a subshell, so
-you do not get extra authentication keys when you are not planning to.)
-
+is very useful, and the only way to use it with
+.Nm
+at the moment is through a subshell created by
+.Nm scpsh .
+An ideal
+.Nm
+implementation would include wrapping of
+.Xr scp 1 ,
+too.
+.Pp
+.El
+.Sh VARIABLE REPLACEMENT IN DESCRIPTIONS
+.Bl -tag -width "$HOME/.safesh" -compact
+.It Pa $HOME
+is replaced with the path your home directory,
+.It Pa $HOST
+is replaced with the name of the host you are running
+.Nm
+towards.
+This is the machine you are
+.Xr ssh 1 ing
+into.
+.It Pa $YOURHOST
+is replaced with the name of the host you are running
+.Nm
+on, as output by
+.Xr hostname 1 .
+This is the name of the machine you are
+.Xr ssh 1 ing
+from.
+The use of $YOURHOST makes
+.Nm
+safe to use with NFS-mounted home directories.
+.It Pa $AUTHTARGET
+is replaced with the authentication target for an authentication forwarding.
+This is
+.Pa not
+the same as $HOST.
+$AUTHTARGET is a machine you are
+.Xr ssh 1 ing
+to
+.Pa from
+$HOST.
+The format of $AUTHTARGET is <user>@<somehost>-<someport>, where <user>
+defaults to the username you run
+.Nm
+as, and <someport> default to 22 (and it is not possible to set anything
+else at this time.)
+.It Pa $USER
+is replaced with The username used on $HOST; defaults to the same as the
+username you have on $YOURHOST, but will be different if you do safesh
+user@host instead of just safesh host.
+.It Pa $PORT
+The port used on $HOST.
+Presently always 22.
.El
+.Pp
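Review bot: The variable list is moved to the end verbatim, so its existing slips move with it: "$HOME is replaced with the path your home directory," (missing "to", ends in a comma), "$USER is replaced with The username", and "<someport> default to 22". Fix them as part of the move. The .Pp placed directly before .El and the one on the last line of the file have nothing to separate and can be dropped.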
diff --git a/security/safesh/src/safesh.sh b/security/safesh/src/safesh.sh
index 1774e594e0a8..194ed20a4ddd 100644
--- a/security/safesh/src/safesh.sh
+++ b/security/safesh/src/safesh.sh
@@ -38,6 +38,13 @@ shift 2> /dev/null;
HOSTDIR=$AKEYS/$USER@${HOST}-22
if [ ! -d $HOSTDIR ]; then
+ while ! [ "$answer" = "yes" -o "$answer" = "no" ]; do
+ echo -n "New host $HOST - create key (yes/no)? " 1>&2
+ read answer
+ done
+ if [ "$answer" = "no" ]; then
+ exit 1
+ fi
mkdir -p $HOSTDIR || myx "$0: Unable to create $HOSTDIR"
fi
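Review bot: The new confirmation loop never terminates when stdin is closed or is not a terminal: "read answer" fails at end of file, answer stays empty, and the while condition stays true. That matters for the cvs-safesh use documented in this commit, where another program starts the script and owns stdin. Check the exit status (for example "read answer || exit 1"). Also set answer= before the loop, so a value inherited from the environment cannot skip the prompt.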
@@ -106,7 +113,12 @@ if [ "${KEYLIST}" != "" ]; then
fi
fi
-if [ "$1" = "" ]; then
+BASENAME=`basename $0`
+if [ "$BASENAME" = "scpsh" ]; then
+ exec $SHELL -i
+elif [ "$BASENAME" = "safeshinstall" ]; then
+ cat $HOSTDIR/id_dsa.pub | ssh $USER@$HOST 'mkdir -p .ssh && cat >> .ssh/authorized_keys2'
+elif [ "$1" = "" ]; then
exec ssh -A $USER@$HOST
else
exec ssh "$@"
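Review bot: The safeshinstall branch creates .ssh and authorized_keys2 on the remote side under whatever umask the remote shell happens to have, and "cat >> .ssh/authorized_keys2" appends the same key again on every run. Start the remote command with "umask 077;" so a freshly created .ssh is not group- or world-accessible, and skip the append when the key line is already present. The expansions in this hunk are also unquoted; write "$0", "$HOSTDIR/id_dsa.pub" and "$USER@$HOST" in double quotes so a path or host argument containing whitespace is not split.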