Security Basics mailing list archives
Re: SSH Passphrase
From: Doug Kelly <dougk-bugtraq () dougk-ff7 net>
Date: 6 Mar 2003 04:58:34 -0000
In-Reply-To: <1046898407.2124.24.camel () odie lsd za com>
> Subject: SSH Passphrase
> From: Stefan Lesicnik <lists () lsd za com>
>
> I have the need to scp a file to a remote server without specifying the password, as it is done from a non-interactive script.
>
> I have accomplished this by generating a DSA key without a passphrase. Although this works, I am worried about the security concerns of doing this. (Without a passphrase, how does it authenticate? Based on the machine's DSA key, which was made from machine-specific entropy?)
>
> I know of programs such as ssh-agent, but these require you to enter a passphrase at the beginning of the session, which it then remembers; this isn't possible as it is non-interactive in my case. Does anyone have any ideas or comments?
>
> TIA
> Stefan Lesicnik
This is probably the worst explanation you'll ever hear about public/private key exchange. Basically, it's not good practice to keep a private key without a passphrase. Why? Because anyone with that key can now sign in to your server -- no questions asked. It's like a credit card or bank card -- you want the PIN on it.

I can't really explain public/private key exchange that well; it's slightly involved, but I can tell you it makes use of very large floating point computations and modular arithmetic. I know "The Code Book" by Simon Singh (I think that's right) has some more information on this.

The way I would conquer your problem would be by creating a new account (one that has very few permissions). You should be able to use the public key with that, although I'd still protect your private key (again, keys to car, bank account, etc.). Then, even if your private key is compromised, the intruder would have very limited access -- only to that one directory you gave the user access to write. Assuming you're making backups, even if something critical was deleted, it could be restored.

That's my best recommendation. But please, protect the private key!!!

--Doug Kelly
dougk-bugtraq () dougk-ff7 net
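The reply's advice (a separate, low-privilege account for the passphrase-less key) can be tightened further with the per-key options that sshd honours in authorized_keys: pin the key to the source host, forbid a tty and all forwarding, and force every session through a wrapper that only permits scp in receive mode into one directory. The script below is an added example for this thread, not code from either poster; the account name, directory, wrapper path and host name are assumptions, and the public key string is a constructed placeholder.

```shell
#!/bin/sh
# Restricting a passphrase-less SSH key with authorized_keys options.
# Added example; paths, host and user below are assumptions.

INCOMING_DIR="/home/dropbox/incoming"      # the only directory the key may write to (assumed)
SOURCE_HOST="backup.example.net"           # host the non-interactive script runs on (assumed)
WRAPPER="/usr/local/bin/scp-only"          # where this script is installed on the server (assumed)

# Build the authorized_keys line for the script account. from= rejects the key
# from any other host, command= replaces whatever the client asked for with
# the wrapper, and the no-* options remove tty, port, X11 and agent forwarding.
restricted_authorized_key() {
    pubkey="$1"    # contents of id_dsa.pub: "ssh-dss AAAA... comment"
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$SOURCE_HOST" "$WRAPPER" "$pubkey"
}

# Policy check used by the wrapper. sshd exports the client's real request in
# SSH_ORIGINAL_COMMAND; only "scp -t <INCOMING_DIR or a subdirectory>" with the
# harmless -p/-r/-d flags is accepted. Sending files out (scp -f), shells,
# extra arguments, ".." and shell metacharacters are all refused.
# Returns 0 when the request is allowed, 1 otherwise.
scp_only_allowed() {
    case "$1" in
        *";"*|*"|"*|*"&"*|*'$'*|*'`'*|*"("*|*")"*|*"<"*|*">"*|*"'"*|*'"'*|*"\\"*|*"*"*|*"?"*|*"["*|*..*)
            return 1 ;;
    esac
    set -- $1                  # word-split the request (globbing chars were rejected above)
    [ "$1" = "scp" ] || return 1
    shift
    sink=0
    while [ $# -gt 1 ]; do     # every token but the last must be an allowed flag
        case "$1" in
            -t) sink=1 ;;
            -p|-r|-d) ;;
            *) return 1 ;;
        esac
        shift
    done
    [ $sink -eq 1 ] || return 1
    case "$1" in               # the last token is the target directory
        "$INCOMING_DIR"|"$INCOMING_DIR"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point when sshd runs this file as the forced command.
scp_only_main() {
    if scp_only_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "this key may only run 'scp -t $INCOMING_DIR'" >&2
    exit 1
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    scp_only_main
else
    # Run by hand: show the authorized_keys line for a constructed sample key.
    restricted_authorized_key "ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEKEY backup@backup.example.net"
fi
```

Install the script as the wrapper path, append the printed line to the script account's ~/.ssh/authorized_keys, and the passphrase-less key can do nothing but deposit files in INCOMING_DIR, even if it is stolen. Two caveats for current servers: OpenSSH 7.2 and later accept a single `restrict` option in place of the `no-*` list, and from OpenSSH 9.0 scp transfers over SFTP by default, so the client must pass `-O` for the legacy protocol this wrapper expects (or the forced command must become an internal-sftp setup instead).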