Security Basics mailing list archives
Re: SSH Passphrase
From: "David M. Fetter" <david.fetter () fetterconsulting com>
Date: Wed, 05 Mar 2003 17:43:50 -0800
The private/public key encryption works like this. You generate a set of keys, one private and one public. The public one then can be placed into the .ssh/authorized_keys file on remote servers. The authentication is based on the public key matching up with your private key, which only you should have. The private key should not exist anywhere else or ever be shared. Then if the authentication passes, the session connection is allowed and all of the traffic is encrypted.
The default ssh configuration may not necessarily be 100% secure if you're using keys with no passphrase. However, it is possible to make the configuration more secure in a variety of ways. This includes things like using tcp wrappers to restrict which specific hosts or networks are allowed to connect, specifying strict host key checking, specifying users who are allowed to connect, potentially disabling password authentication, etc. So, if security is of concern by those you are connecting to then they can take these extra precautions.
The way you describe using ssh key authentication is quite common though. The only negative aspect is that if somebody should get access to your account and know what server(s) you connect to using the keys then they have free roam because there is no passphrase. If you are really concerned with this there are other ways you can script the non-interaction using the ssh key authentication. There is a way outlined in O'Reilly's blue Secure Shell book how you can use ssh-agent in a non-interactive way. You could use expect as another option. If your script is in perl then you can use the expect.pm and I believe there is another module that will allow you to even encrypt the passphrase/password on the local system so that it's not shown in plain text should someone simply read the script itself. So, there are a variety of ways to do this in a more secure manner should you choose to go that route.
Stefan Lesicnik wrote:
Hi,

I'm fairly new to private and public key encryption, so don't quite understand all the concepts. I have the need to scp a file to a remote server without specifying the password as it is done from a non-interactive script. I have accomplished this by generating a DSA key without a passphrase. Although this works I am worried about the security concerns of doing this? (Without a passphrase, how does it authenticate? Based on the machine's DSA key which was made from machine specific entropy?) I know of programs such as ssh-agent, but these require you to enter a passphrase at the beginning of the session which it then remembers, this isn't possible as it is non-interactive in my case. Does anyone have any ideas or comments?

TIA
Stefan Lesicnik
--
David M. Fetter - http://www.fetterconsulting.com/
"The world is full of power and energy and a person can go far by just skimming off a tiny bit of it." Neal Stephenson - Snow Crash
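The reply above points out that a passphrase-less key grants "free roam" unless the receiving side restricts what it can do. The following audit script is an added example (not from either poster) that parses an authorized_keys file and flags key entries lacking the per-key restrictions OpenSSH supports for exactly this situation: a `from=` source restriction, a forced `command=`, and the `no-pty` / `no-port-forwarding` (or `restrict`) options. The sample file contents are constructed; the key blobs are placeholders, not real keys.

```python
# Audit an OpenSSH authorized_keys file for keys that are usable from a
# non-interactive script (no passphrase) but carry no server-side limits.

KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")

# Constructed sample: an unrestricted entry beside one locked down for an scp job.
SAMPLE_AUTHORIZED_KEYS = """\
# unrestricted: anyone holding this key gets a full shell on this account
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup@host1
# restricted: one source host, forced scp command, no tty, no tunnelling
from="10.0.0.5",command="scp -t /srv/backup",no-pty,no-port-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup@host2
"""

def split_options(line):
    """Split an entry into (options, remainder). Options are comma-separated and
    end at the first unquoted space; commas and spaces inside "..." are literal.
    (Backslash-escaped quotes inside option values are not handled here.)"""
    if line.split(None, 1)[0] in KEY_TYPES:
        return [], line                      # entry starts directly with the key
    opts, cur, quoted = [], "", False
    for i, c in enumerate(line):
        if c == '"':
            quoted = not quoted
            cur += c
        elif c == "," and not quoted:
            opts.append(cur)
            cur = ""
        elif c in " \t" and not quoted:
            opts.append(cur)
            return opts, line[i:].strip()
        else:
            cur += c
    return opts, ""                          # malformed: options but no key

def audit(text):
    """Return [(key_comment, [missing restrictions...])] for each key entry."""
    report = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split()
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            report.append((line[:40], ["unparseable entry"]))
            continue
        comment = fields[2] if len(fields) > 2 else ""
        names = {o.split("=", 1)[0] for o in opts}   # option names only
        missing = []
        if "from" not in names:
            missing.append("no from= host/network restriction")
        if "command" not in names:
            missing.append("no forced command= (key grants a full shell)")
        if not {"restrict", "no-pty"} & names:
            missing.append("no no-pty/restrict (interactive tty allowed)")
        if not {"restrict", "no-port-forwarding"} & names:
            missing.append("no no-port-forwarding/restrict (tunnelling allowed)")
        report.append((comment, missing))
    return report
```

Run `audit(open("~/.ssh/authorized_keys").read())` on a real file to list every key that would give a stolen passphrase-less private key an unrestricted login.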