Re: Passing password in ssh



Aldo Foot wrote:


2008/1/22 Mikkel L. Ellertson <mikkel@xxxxxxxxxxxxxxxx

You are correct. My worst nightmare does not include stealing the private
key. But simply cracking into a user's account who has access to several
systems containing the keys.

Worst scenario is when someone breaks into a system, gains root access
and does "su - user" to such an account and by looking into the .shosts tries
his luck on other systems.
Yes, that is a problem. You can only hope that such a user would have good pass phrase(s) on their key(s). Though I would expect the attacker to have more luck using the information in known_hosts to pick targets. If you only use "unlocked" keys for cron jobs, and then limit access on the remote system, you can keep the risk manageable. I can picture a cron job that does a backup to a remote machine, or a backup client that uses an ssh link to communicate to a backup server on a remote machine using "unlocked" keys.


But even having a pass phrase does not help if someone uses dumb
passwords. Things like first name as user name, and last name as
password. Then they use their full name as the pass phrase on the
key. Or if machine B lets you ssh in using username/password, and
you have a user like this. The key is to use the tools responsibly.


Bingo! There lies my problem.

Perhaps a good practice is to configure accounts such as those for
cron jobs to use only specific commands.
Does anyone reading this thread use such a setup?
I'll play with this a bit.

You may want to look into the -r option of bash, or rbash. (Bash invoked as rbash is supposed to be the same as running bash -r.) This, or another of the restricted shells, would work well as the shell for the user on the remote machine. You can also look into sudo to give limited access to commands that need to be run as root, if what you are doing is going to require it. (man bash and search for rbash)

I have not used it, but rssh also sounds like it might be useful, depending on what you need to do. It is designed to be used as the user's shell on the remote machine when you want to limit what they can do over an ssh connection.

http://www.pizzashack.org/rssh/

Another option, if you only need to run a specific command, would be to configure the key in authorized_keys so it runs a specific command. (man sshd and search for AUTHORIZED_KEYS FILE FORMAT)

Mikkel
--

Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
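The authorized_keys forced-command approach mentioned in the thread, as an added example that is not from the thread or from any project: a bare key line in authorized_keys gives a full shell, whereas a line built with `command=` and the `no-*` options lets the "unlocked" cron key do one thing only, and the wrapper script only honours requests on an exact allow list. The wrapper path, the allowed commands, the client address and the public key are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Restricts an "unlocked" backup key so a
# stolen key or cracked account on the client side can only trigger the backup.
# /usr/local/sbin/backup-only, /usr/local/bin/run-backup, 192.0.2.10 and the
# key text are assumed placeholders.

# Build the hardened authorized_keys entry: forced command, no pty, no
# forwarding, and only accepted from the backup client's address.
# Usage: restricted_key_line <public-key-line> <client-ip> <wrapper-path>
restricted_key_line() {
    pubkey=$1; from=$2; wrapper=$3
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$from" "$wrapper" "$pubkey"
}

# sshd runs the forced command and exposes whatever the client asked for in
# SSH_ORIGINAL_COMMAND. Only exact matches are allowed: an empty request
# (interactive shell) or anything with extra arguments or ";" is rejected.
# Returns 0 if allowed, 1 otherwise; executes nothing itself.
allowed_original_command() {
    case "$1" in
        "/usr/local/bin/run-backup") return 0 ;;
        "/usr/local/bin/run-backup --verify") return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point of the wrapper script installed at the command= path.
# Not called by the checks below; invoke it as the last line of the script.
forced_command_main() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if allowed_original_command "$req"; then
        # $req is one of the literal allow-listed strings, so word splitting
        # here cannot inject anything beyond what the case patterns permit.
        exec $req
    fi
    # Rejections are worth a log line: they are the signal that a key or
    # account on the client side is being misused.
    logger -t backup-key "rejected request from ${SSH_CLIENT%% *}: ${req:-<shell>}"
    echo "command not permitted" >&2
    exit 1
}
```

Test the wrapper before relying on it with `ssh -i backup_key user@host /bin/sh`, which must be refused, and `ssh -i backup_key user@host /usr/local/bin/run-backup`, which must run.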


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
