Server Administration
SSH Case Studies
By: O'Reilly Media
    2012-05-09

    SSH Case Studies - 11.1.2 Public-Key Authentication

    In public-key authentication, a private key is the client's credentials. Therefore, the batch job needs access to the key, which must be stored where the job can access it. You have three choices of location for the key, which we discuss separately:

    1. Store the encrypted key and its passphrase in the filesystem.
    2. Store a plaintext (unencrypted) private key in the filesystem, so it doesn't require a passphrase.
    3. Store the key in an agent, which keeps secrets out of the filesystem but requires a human to decrypt the key at system boot time.

    11.1.2.1 Storing the passphrase in the filesystem

    In this technique, you store an encrypted key and its passphrase in the filesystem so that a script can access them. We don't recommend this method, since you can store an unencrypted key in the filesystem with the same level of security (and considerably less complication). In either case, you rely solely on the filesystem's protections to keep the key secure. This observation is the rationale for the next technique.

    11.1.2.2 Using a plaintext key

    A plaintext or unencrypted key requires no passphrase. To create one, run ssh-keygen and simply press the Return key when prompted for a passphrase (or similarly, remove the passphrase from an existing key using ssh-keygen -p). You can then supply the key filename on the ssh command line using the -i option, or in the client configuration file with the IdentityFile keyword. [7.4.2]

    Usually plaintext keys are undesirable, equivalent to leaving your password in a file in your account. They are never a good idea for interactive logins, since the SSH agent provides the same benefits in a much more secure fashion. But a plaintext key is a viable option for automation, since the unattended aspect forces us to rely on some kind of persistent state in the machine. The filesystem is one possibility.

    Plaintext keys are frightening, though. To steal the key, an attacker needs to override filesystem protections only once, and this doesn't necessarily require any fancy hacking: stealing a single backup tape will do. You can arrange to keep them off backups, but that's an additional complication. If you need your batch jobs to continue working after an unattended system restart, plaintext keys are pretty much your best option. If the situation allows for some leeway in this regard, however, consider using ssh-agent instead.
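    Because a plaintext key relies entirely on filesystem protections, it is worth being able to find such keys and check their permissions during an audit. The following is an added example, not code from the book: it reads only the key file's headers (the cipher-name field that follows the `openssh-key-v1` magic in modern OpenSSH keys, and the `Proc-Type: 4,ENCRYPTED` header of legacy PEM keys) and so does not need `ssh-keygen` installed. The `constructed_openssh_key` helper builds a header-only blob for demonstration and is not a usable key.

```python
import base64
import os
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def key_is_encrypted(pem_text):
    """True if the key text is passphrase-protected (OpenSSH or legacy PEM format)."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-armoured private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        # openssh-key-v1: magic, then a length-prefixed cipher name; 'none' means plaintext
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        (n,) = struct.unpack(">I", body[15:19])  # cipher name length after 15-byte magic
        return body[19:19 + n] != b"none"
    # legacy PEM (RSA/DSA/EC PRIVATE KEY): encrypted keys carry a Proc-Type header
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)


def audit_key_file(path):
    """Findings for one on-disk key: loose permissions and/or plaintext storage."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        findings.append(f"mode {oct(mode)} lets group/other read the key")
    with open(path) as fh:
        if not key_is_encrypted(fh.read()):
            findings.append("key is stored unencrypted (no passphrase)")
    return findings


def constructed_openssh_key(cipher):
    """Constructed openssh-key-v1 header (magic, cipher, kdf, options, nkeys); not a usable key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def demo():
    """Write a constructed plaintext batch-job key with loose permissions, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "batch_key")
        with open(path, "w") as fh:
            fh.write(constructed_openssh_key(b"none"))
        os.chmod(path, 0o644)
        return audit_key_file(path)  # two findings: mode 0o644 and unencrypted key
```

    Running `audit_key_file` over every `IdentityFile` named in a batch account's client configuration gives a quick inventory of which jobs depend on a plaintext key and whether its mode is tighter than 0600.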

    Please check back next week for the continuation of this article series.


    © 2003-2019 by Developer Shed. All rights reserved.