LinuxQuestions.org
Old 10-31-2012, 09:09 PM   #1
KenJackson
Member
 
Registered: Jul 2006
Location: Maryland, USA
Distribution: Fedora, Arch
Posts: 572

Rep: Reputation: 64
Can I use SSH to encrypt/decrypt a file like gpg?


The manpage for msmtp lists this example configuration line. It sets the password for SMTP authentication to whatever the command following passwordeval writes to stdout.
Code:
passwordeval gpg -d ~/.msmtp.password.gpg
I don't currently use gpg, but if I understand and I want the easiest operation, I will have to create a gpg key and have keychain prompt me for the passphrase every time I reboot. Keychain already prompts me for my SSH passphrase, but I'd like to avoid being prompted for more than one.

So the question is, is there any way I can make SSH or an OpenSSH-cooperative program spit out a password for this application?
 
Old 11-01-2012, 07:54 AM   #2
Turbocapitalist
Member
 
Registered: Apr 2005
Distribution: Ubuntu, Debian, OS X (bsd)
Posts: 144

Rep: Reputation: 27
gpg -c

ssh will not encrypt files, just the connection between machines. However, you do not need a key to use gpg to encrypt. "gpg -c somefile" will encrypt somefile using a passphrase. "gpg somefile.gpg" will decrypt the file using a passphrase. It's very simple.
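
Added example, not part of the thread or any poster's code: a round trip that creates the symmetric-encrypted password file with "gpg -c" semantics and reads it back the way the passwordeval line in post #1 would, without writing the plaintext to disk. The password, passphrase, file name and function names are constructed for the demo; the loopback and passphrase-fd options are there only so it runs unattended.

```shell
#!/bin/sh
# Added example. The password, passphrase and file names are constructed.

# Encrypt the secret arriving on stdin into "$1" with gpg's symmetric mode
# (the "gpg -c" of reply #2). The passphrase is read from fd 3 so the demo
# runs unattended; interactively, drop the loopback/passphrase-fd options
# and let pinentry prompt. The plaintext is never written to disk.
make_password_file() {
    (
        umask 077    # create the output as mode 0600
        gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase-fd 3 --symmetric --output "$1"
    )
}

# The kind of command passwordeval runs: plaintext goes to stdout only.
read_password_file() {
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 3 --decrypt "$1" 2>/dev/null
}

# Round trip in a throwaway GNUPGHOME; prints "<mode> <password>".
roundtrip_demo() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    file="$GNUPGHOME/msmtp.password.gpg"
    printf '%s\n' 'constructed-smtp-password' |
        make_password_file "$file" 3<<EOF || return 1
constructed-passphrase
EOF
    mode=$(ls -l "$file" | cut -c1-10)
    secret=$(read_password_file "$file" 3<<EOF
constructed-passphrase
EOF
    )
    gpgconf --kill gpg-agent 2>/dev/null   # stop the agent started for the demo
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    printf '%s %s\n' "$mode" "$secret"
}

# Run the demo only where GnuPG 2.x is installed.
if command -v gpg >/dev/null 2>&1; then roundtrip_demo; fi
```

With a file created this way, the msmtp configuration line from post #1 stays as it is; gpg then asks for the file's passphrase instead of a key's passphrase.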
 
Old 11-01-2012, 08:54 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
I think you are getting a couple of different technologies confused. SSH, or Secure SHell is a means to gain remote access to the computer using a cryptographically secured method. It uses both asynchronous and synchronous ciphers, the former for secure authentication. SMTP Authentication is a means to authenticate to a mail server. There are several different means to provide SMTP authentication, including plain text and password hashing. Probably the most common is to use plain authentication over SSL or TLS, in which case the SMTP does not use any cryptography but it is provided via the SSL and TLS, which also uses asynchronous and synchronous ciphers in different parts of the exchange. The same type of techniques are also used for viewing HTTPS websites. GPG/PGP uses asynchronous encryption to encrypt and decrypt files and text.

What most of these have in common is the use of cipher keys. Specifically, the use of a "public" and "private" key which are part of the asynchronous encryption. The public key, which is mathematically related to the private key, can be used to encrypt a message while the private key can be used to decrypt it. The concept of keychain gets into "signing" or an authentication of the keys themselves. It is important to know that the keys haven't been tampered with to prevent a "man in the middle" situation as well as to gain assurance that you're talking to the desired party.

The private keys are oftentimes stored in an encrypted format and protected by a password. In order to utilize the keys, the password needs to be entered. If a server process, such as your mail or web server wants to make use of these protected keys, you will need to enter the password on start up. Depending on your risk acceptance and other factors, this may pose operational difficulties, for example with a remote server where you can't easily enter the password on start up. In these cases, you can strip the password from the key.

The SSL tool suite, which is different than SSH, provides all sorts of capabilities for working with these keys, including removing passwords, and key signing. I have provided a link to a site that I think provides a pretty good overview of how the key process works and how to use the tools. It is oriented more towards Apache, but the same keys/certificates can be used for SMTP authentication too.
 
Old 11-01-2012, 10:46 AM   #4
KenJackson
Member
 
Registered: Jul 2006
Location: Maryland, USA
Distribution: Fedora, Arch
Posts: 572

Original Poster
Rep: Reputation: 64
I'm not doing SMTP Authentication, I'm providing my password to the msmtp program.

So far I've hardcoded the password in the configuration file. That's not terrible security, but it would be slightly better if I could keep it encrypted until needed, but not have to type in a password every time I send email.

I use SSH a lot. Encryption and decryption is central to its function. In fact, someone even adapted that capability to mount a file system securely, sshfs. I'm just wondering if anyone has adapted the capability a little differently to encrypt a file locally. It would be a handy capability.
 
Old 11-01-2012, 12:21 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,001
Blog Entries: 54

Rep: Reputation: 2756
Maybe see http://dev.gentoo.org/~tomka/mail.html, http://jason.the-graham.com/2011/01/...r_offlineimap/ and http://simple-and-basic.com/2008/10/...e-keyring.html wrt integrating msmtp in gnome-keyring?
 
Old 11-02-2012, 09:18 AM   #6
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,268

Rep: Reputation: 1086
ssh is a tunneling protocol, as is VPN, and probably the best way to handle communications e.g. with msmtp (and both with regard to logging-in and everything else) is to use this approach to secure the entire tunnel. If you know that the entire connection is secure, you don't have to worry further about the messages that are sent across it.

gpg is a file-encryption system that doesn't do tunneling.

Both of them are capable of doing public-key based encryption, and of ensuring the data-integrity of content.
 
Old 11-07-2012, 08:01 PM   #7
ph0rty
LQ Newbie
 
Registered: Sep 2012
Distribution: OpenSUSE, CentOS, RHEL
Posts: 8

Rep: Reputation: Disabled
OpenSSL maybe?

Hi there

perhaps you were wanting to use openssl?

something like:
openssl enc -e -des3 -in <anyfile> -out <encryptedfile.enc>
you will be prompted for encryption password/phrase, and again to confirm.
to decrypt:
openssl enc -d -des3 -in <encryptedfile.enc> -out <anyfile>

(just remember to delete the normal file once encrypted, if you want the contents to remain 'unknown', else someone may just open that and not bother trying to guess [ good luck to that! ] your password )
 
Old 11-08-2012, 05:12 AM   #8
KenJackson
Member
 
Registered: Jul 2006
Location: Maryland, USA
Distribution: Fedora, Arch
Posts: 572

Original Poster
Rep: Reputation: 64
Quote:
Originally Posted by ph0rty
... you will be prompted for encryption password/phrase, ...
You didn't say, but I expect I would be prompted for that password/phrase every time I send an email. That would be much worse than entering it once at bootup for GPG with keychain.

The only reason I asked about SSH (actually OpenSSH) was to make my one passphrase do double duty for both remote access and decrypting a password file locally. But no one has even hinted that there's any mechanism for the latter.

However, I am interested in openssl for other things. And it seems to have a confusing, non-intuitive command structure. So thank you for the example.
 
Old 11-08-2012, 06:20 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,001
Blog Entries: 54

Rep: Reputation: 2756
Quote:
Originally Posted by KenJackson
if I understand and I want the easiest operation, I will have to create a gpg key
No you don't understand and I already pointed out the easiest way to integrate it in an existing keyring in reply #5 BTW.
 
Old 11-09-2012, 03:16 AM   #10
ph0rty
LQ Newbie
 
Registered: Sep 2012
Distribution: OpenSUSE, CentOS, RHEL
Posts: 8

Rep: Reputation: Disabled
OpenSSL maybe? - but not for your requirement

Quote:
Originally Posted by KenJackson
You didn't say, but I expect I would be prompted for that password/phrase every time I send an email. That would be much worse than entering it once at bootup for GPG with keychain.

The only reason I asked about SSH (actually OpenSSH) was to make my one passphrase do double duty for both remote access and decrypting a password file locally. But no one has even hinted that there's any mechanism for the latter.

However, I am interested in openssl for other things. And it seems to have a confusing, non-intuitive command structure. So thank you for the example.
(since I didn't actually provide you anything that would have worked for your actual requirement/question) - You are most welcome [ i just read want to encrypt blahblahblah - so, *coff* sorry
 
  

