
ssh public keys and security

Red Squirrel

No Lifer
I recently switched to Linux as my desktop OS and I was thinking it would be a cool idea to set up public keys with all my servers so I can SSH to them without typing a password. But then I got thinking, if my machine was to by chance get hit with a virus or something, would this virus then be able to also access those servers without a password?

If yes, is there a certain way of setting this up so it's secure? I'm thinking of just creating another user and setting up the public keys with that user instead of my main user, so I just need to su as that user if I plan to log in to my servers or run scripts that need to scp/rsync stuff etc. That way, if I was to get a virus or something, it would be running as my main user and not this special user, so the keys would not apply. Is this a good way of doing it? Or is there a better way?

I could set up a passphrase, but it kinda defeats the purpose as I'd still have to enter a password every time, so may as well just log in normally.
 
I use [1]keychain for this. You still would need to enter your passphrase, but only once. The passphrase can be cleared and added again at any time.

I use the following for root and user in their ~/.zlogin:
Code:
# Share a single ssh-agent process between logins, shells, cron jobs, etc ...
# using keychain.
eval `keychain --eval --nogui -Q -q /root/.ssh/id_rsa`


# Share a single ssh-agent process between logins, shells, cron jobs, etc ...
# using keychain.
eval `keychain --eval --nogui -Q -q id_rsa`

They are basically the same, except for the one small change, to make sure there is no mistake which one root will use. The above uses zsh as the shell, but you can do similar with bash [don't recall ATM].

If at the time of logging in you do not want to input the passphrase, you can do it later with:
Code:
$ source ~/.zlogin

I use keychain with root's ~/.ssh/authorized_keys to only allow the rsync command to be used for backups using rsnapshot. In ~/.ssh/authorized_keys:
Code:
from="xxx.xxx.xxx.xxx",command="/root/bin/validate-rsync.sh" ssh-rsa Ajjhj...gtyn root@foo

In /etc/ssh/sshd_config:
Code:
PermitRootLogin forced-commands-only

This [2] explains how to set the above up. Using 'forced-commands-only' with keychain makes backing up more secure, since the only command allowed in this case is rsync. The only way to get root access would be to su to root. Also see [3] if interested in rsnapshot with ssh. Hope this helps.

[1] http://www.funtoo.org/wiki/Keychain
[2] http://troy.jdmz.net/rsync/index.html
[3] http://troy.jdmz.net/rsnapshot/
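
A minimal forced-command wrapper of the kind the `command="/root/bin/validate-rsync.sh"` entry above points at, added here as an illustration. It is not the script from [2] or the poster's own; the function names and the sample command in the comment are constructed.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a backup-only key.
# sshd runs this script instead of whatever the client asked for and
# passes the client's request in SSH_ORIGINAL_COMMAND.

# Return 0 only for an rsync server-mode command with no shell metacharacters.
# Constructed sample of an accepted request:
#   rsync --server --sender -logDtprze.iLsfxC . /etc/
validate_rsync_cmd() {
    cmd=$1
    nl='
'
    case "$cmd" in
        # command chaining, redirection, substitution, grouping, escapes
        *\&*|*\;*|*\|*|*\<*|*\>*|*\`*|*\$*|*\(*|*\)*|*\{*|*\}*|*\\*) return 1 ;;
        # embedded newline would start a second command
        *"$nl"*) return 1 ;;
    esac
    case "$cmd" in
        "rsync --server "*) return 0 ;;   # what an rsync client sends over ssh
        *) return 1 ;;                    # shells, scp, empty (interactive) requests
    esac
}

forced_command_main() {
    if validate_rsync_cmd "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                            # no glob expansion of the arguments
        # Word splitting is intended; metacharacters were rejected above.
        exec $SSH_ORIGINAL_COMMAND
    fi
    # Record the refused request so it shows up in syslog on the server.
    logger -t validate-rsync \
        "rejected: ${SSH_ORIGINAL_COMMAND:-<interactive login>}" 2>/dev/null
    echo "Rejected" >&2
    exit 1
}

# sshd sets SSH_CONNECTION for every session; only act when run by sshd.
if [ -n "${SSH_CONNECTION:-}" ]; then
    forced_command_main
fi
```

Because an interactive login arrives with an empty SSH_ORIGINAL_COMMAND, the wrapper refuses it, which is what keeps this key from yielding a root shell.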
 
Just remembered: if you want to lock things down further, make a group and add your user to that group:

Code:
# addgroup foo

# adduser <username> foo

And use the following option in your sshd_config:

Code:
AllowGroups foo
 
Thanks for the info, that's good to know. So by using AllowGroups ONLY the users in that group can ssh in? I like the sound of that.
 
maybe not relevant as windows but I use WinSCP and pageant with passphrase. The thing is I only need to enter the passphrase once for all connections you have in WinSCP.

On the other hand if you have a virus/trojan/malware it can install a keylogger and then none of above helps.
 
maybe not relevant as windows but I use WinSCP and pageant with passphrase. The thing is I only need to enter the passphrase once for all connections you have in WinSCP.

On the other hand if you have a virus/trojan/malware it can install a keylogger and then none of above helps.

Anything is possible. But you still would need the public key even if the above were to happen.
 
maybe not relevant as windows but I use WinSCP and pageant with passphrase. The thing is I only need to enter the passphrase once for all connections you have in WinSCP.
Pageant is PuTTY's version of ssh-agent. Keychain is a front-end to ssh-agent.

When you use the ssh client to connect somewhere, it first checks whether there is an ssh-agent around that holds a key. If yes, it uses that key. If not, it checks whether you have private keys. If yes, it asks for the passphrase for the key(s).

Graphical login -- at least on some Linux desktops -- starts ssh-agent, which is seen by ssh in that session. ssh-add adds private key(s) to the agent and that requires the passphrase.

Keychain apparently runs independent of session and already authenticated key to ssh-agent of the session. (Not sure, just guessing.) However, it is possible to run a detached ssh-agent independent of session (and without keychain). Then one has to tell ssh via environment variables the port that ssh-agent listens on.

It is not recommended to use an ssh keypair that has no passphrase. The primary reason for public key authentication is not the lack of a password, but the change in what is passed over the net during the authentication phase. It is the ssh-agent that decreases the number of times you have to type the pass(word/phrase).
 