OT: SSH With Public/Private Key Authentication

Bill Campbell bill at celestial.com
Wed Oct 20 14:47:14 PDT 2010


On Wed, Oct 20, 2010, Fairlight wrote:
>Yo, homey, in case you don' be listenin', Jay Ashworth done said:
>> ----- Original Message -----
>> > From: "Scott Walker" <ScottWalker at RAMSystemsCorp.com>
>> 
>> > Would like to ask the lists opinion. Is using SSH with a
>> > public/private key authentication scheme a pretty good way to have a 
>> > secure connection from my windows vista pc to a Linux server.
>> 
>> Well, the answer to that depends a lot on what aspects of your connection
>> you're trying to secure, but, overall, using an SSH capable terminal emulator
>> with a private key file secured by a reasonably long passphrase, and the SSHv2
>> protocol, with no known unfixed bugs on either program, is a reasonably good
>> way both to control access to the server, and to prevent eavesdropping on your
>> sessions, yes.
>> 
>> Hardware or software keystroke loggers on the Vista client, of course, will
>> expose your passphrase to an attacker...
>
>What Jay said.  Except I use passphraseless keys and the authorized_keys
>file on the target system side, both for ease of use, and automation.  The
>passphrase is never exposed to keylogging because the passphrase is never
>typed.
>
>If you can guarantee the security of your private key, and remote desktop
>access either doesn't exist or is strictly regulated, this works fine.
>
>I think Bill Campbell had a different method of doing it (pageant or
>ssh-agent or something) that had passphrases being typed once, and then not
>again for the duration.  That doesn't play well with automation, as I
>recall.

I use ssh-agent on my Macbook Pro, Linux systems, etc. to make the
connections with properly long pass phrases.  When I'm out of my office, I
first establish an OpenVPN connection back to our primary server then go
from there to any machines I need to support.  Using OpenVPN eliminates the
necessity to worry about unblocking arbitrary IP addresses for SSH access,
and all connections to our client's machine come from our main server so I
don't have to worry about allowing access from unknown remote IPs.

We rarely have to use ssh for automated updates, preferring to
use rsync server modules to do file transfers and updates secured
by IP addresses to specific directories (with OpenVPN tunnelling
where data security is an issue).  There are a limited number of
functions we need to execute remotely, and these we handle with
XML-RPC calls via https where the public server handles
authentication and restricts access by IP address.  The publicly
visible XML-RPC server can then make XML-RPC connections to a
private server running on localhost with root privileges to do
specific tasks (e.g. run ``make'' in /etc/postfix or our djbdns
DNS directory which then perform all tasks necessary to update
the mail and DNS files and secondary systems).

The python xmlrpclib is very easy to use, making remote procedure
calls as easy as any standard function call.  Making the
XML-RPC calls via https leaves it to apache to handle the secure
connections to the outside world while our server side of this
handles authentication pretty easily.

Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

Good luck to all you optimists out there who think Microsoft can deliver
35 million lines of quality code on which you can operate your business.
   -- John C. Dvorak
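Here is what the private, localhost-only half of the two-tier XML-RPC setup Bill describes might look like, as an added example (not Bill's or Celestial's code). It uses Python 3's xmlrpc.server in place of the Python 2 xmlrpclib he mentions; the task names, the djbdns directory path and the allowed client networks are constructed placeholders. The point it shows is that the remote side only ever supplies a task *name*, which is looked up in a fixed table, so no caller-controlled command string or path reaches the shell.

```python
import ipaddress
import subprocess
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler

# Constructed allowlist: task name -> (working directory, argv).
# /etc/postfix comes from the post; the djbdns path is a placeholder.
TASKS = {
    "rebuild-postfix-maps": ("/etc/postfix", ["make"]),
    "rebuild-dns": ("/var/djbdns", ["make"]),  # placeholder path
}

# Constructed: only the public front end on the same host may call us.
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.0/8")]


def client_allowed(addr: str) -> bool:
    """True if the peer address falls inside one of ALLOWED_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_NETS)


def resolve_task(name: str):
    """Map a task name to its fixed (cwd, argv); reject unknown names."""
    if name not in TASKS:
        raise ValueError("unknown task: %r" % name)
    return TASKS[name]


def run_task(name: str, runner=subprocess.run) -> dict:
    """Run one allowlisted task and report its exit status and output."""
    cwd, argv = resolve_task(name)
    proc = runner(argv, cwd=cwd, capture_output=True, text=True, check=False)
    return {"task": name, "rc": proc.returncode, "out": proc.stdout}


class RestrictedHandler(SimpleXMLRPCRequestHandler):
    """Refuse any POST whose source address is outside ALLOWED_NETS."""
    rpc_paths = ("/RPC2",)

    def do_POST(self):
        if not client_allowed(self.client_address[0]):
            self.send_error(403, "client not permitted")
            return
        super().do_POST()


def serve(host="127.0.0.1", port=8001):
    """Bind the private task server to loopback only and serve forever."""
    with SimpleXMLRPCServer((host, port), requestHandler=RestrictedHandler) as srv:
        srv.register_function(lambda name: run_task(name), "run_task")
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```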