
Re: setting up keys

From dagon@dagon.net (Dagon)
Newsgroups comp.security.ssh
Subject Re: setting up keys
Date Tue, 3 May 2011 09:30:35 -0700
Organization Dagon.net
Lines 30
Message-ID <b6n598-dm2.ln1@dagon.net> (permalink)
References <ea019efd-ee57-4cc8-9e13-8f0d84f19b38@m13g2000yqb.googlegroups.com> <42625249-e4c1-453b-8232-fa80334a985c@j31g2000yqe.googlegroups.com> <4dbfd186$0$6880$9b4e6d93@newsspool2.arcor-online.net> <5c4a4836-c5d6-4a36-b57b-85eaf23db1f6@f2g2000yqf.googlegroups.com>



Dave  <hendedav@gmail.com> wrote:
>One time passwords can't be used either because the job I'm trying to
>accomplish is scripted (hence the need for password-less access into
>the remote computer using public key authentication).  Thanks for the
>response though. :)  Any other thoughts on the single-use keys?

Just MHO - the single-use key seems to work, and I don't know of any exploits
that make it useless, as long as the command that it runs does not allow any
possibility of shell escape or updating important files (like the
authorized_keys file, or any program or script that the user could run when he
next legitimately logs in).

HOWEVER, this is enforced by the ssh daemon only, and it's going to be trickier
to be certain you haven't left any holes in the command than if you used the
full OS security model.  Having a separate login that does the task lets you
set permissions such that the user CANNOT modify any files, even if he does
get a shell.  You also get better logging, as you can distinguish between
users, but can't distinguish between keys used.  Usually, this isn't that
much more management overhead than the forced-command key, so it's worth it.

You'll need to think about the threat model to choose what level of security
you're comfortable with.  Who'll have access to this key, what harm can be
done with elevated access, are you worried about attack vs just error
prevention and convenience, etc.

Of course, having a single-use (virtual) machine is more secure still.  Having
a single-use network, or a single-use instance of our universe is probably
overkill, and can be difficult to manage.
--
Mark Rafn    dagon@dagon.net    <http://www.dagon.net/>  
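An added example, not part of the original post, of the forced-command arrangement Mark describes: an authorized_keys entry whose `command=` option points at a wrapper that only permits an exact allowlist of commands, so the key cannot be used to get a shell or to rewrite authorized_keys. The script path, the allowed commands and the log tag are assumptions; the authorized_keys option keywords are OpenSSH's.

```shell
#!/bin/sh
# Forced-command wrapper for a single-purpose key (example, not the thread's code).
#
# Assumed authorized_keys line (key material elided; path is an assumption):
#   command="/usr/local/bin/backup-only.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... backup@host
#
# sshd ignores the command the client asked for, runs this script instead and
# puts the client's request in SSH_ORIGINAL_COMMAND. Anything not on the exact
# allowlist is refused, so there is no shell to escape into.

# Returns 0 if the requested command string is permitted, 1 otherwise.
# Exact string match only: no globbing, no word splitting, no eval.
allow_command() {
    case "$1" in
        "cat /srv/export/status.txt") return 0 ;;
        "tar -C /srv/export -cf - .") return 0 ;;
        *) return 1 ;;
    esac
}

# Runs the allowed command with a fixed argv, never the client-supplied string,
# so a request that merely resembles an allowed one cannot add arguments.
run_command() {
    case "$1" in
        "cat /srv/export/status.txt") exec cat /srv/export/status.txt ;;
        "tar -C /srv/export -cf - .") exec tar -C /srv/export -cf - . ;;
    esac
}

main() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if ! allow_command "$req"; then
        # Record the refusal in the auth log so it can be alerted on.
        logger -p auth.warning -t backup-only \
            "rejected command from ${SSH_CLIENT:-unknown}: $req"
        echo "command not permitted" >&2
        exit 1
    fi
    run_command "$req"
}

# Only dispatch when invoked as the wrapper itself, not when sourced.
case "$0" in */backup-only.sh|backup-only.sh) main ;; esac
```

Pair this with the no-pty and no-*-forwarding options shown in the comment; the wrapper restricts the command, the options close the other channels the same key would otherwise open.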



Thread

setting up keys Dave <hendedav@gmail.com> - 2011-04-27 07:40 -0700
  Re: setting up keys Simon Tatham <anakin@pobox.com> - 2011-04-27 21:05 +0100
    Re: setting up keys Dave <hendedav@gmail.com> - 2011-04-27 13:41 -0700
      Re: setting up keys Simon Tatham <anakin@pobox.com> - 2011-04-27 22:09 +0100
        Re: setting up keys Richard Kettlewell <rjk@greenend.org.uk> - 2011-04-30 09:40 +0100
          Re: setting up keys Dave <hendedav@gmail.com> - 2011-05-02 06:37 -0700
          Re: setting up keys Dave <hendedav@gmail.com> - 2011-05-02 06:37 -0700
        Re: setting up keys Dave <hendedav@gmail.com> - 2011-04-28 06:36 -0700
          Re: setting up keys mikea <mikea@mikea.ath.cx> - 2011-04-28 08:42 -0500
            Re: setting up keys Dave <hendedav@gmail.com> - 2011-04-28 07:32 -0700
              Re: setting up keys Dave <hendedav@gmail.com> - 2011-04-29 06:41 -0700
                Re: setting up keys Dave <hendedav@gmail.com> - 2011-05-02 06:38 -0700
                Re: setting up keys Doug Freyburger <dfreybur@yahoo.com> - 2011-05-02 14:45 +0000
                Re: setting up keys Dave <hendedav@gmail.com> - 2011-05-02 09:24 -0700
                Re: setting up keys Wolfgang Meiners <WolfgangMeiners01@web.de> - 2011-05-03 11:57 +0200
                Re: setting up keys Dave <hendedav@gmail.com> - 2011-05-03 07:22 -0700
                Re: setting up keys dagon@dagon.net (Dagon) - 2011-05-03 09:30 -0700
                Re: setting up keys Dave <hendedav@gmail.com> - 2011-05-05 11:07 -0700
                Re: setting up keys Doug Freyburger <dfreybur@yahoo.com> - 2011-05-03 16:12 +0000
              Re: setting up keys mikea <mikea@mikea.ath.cx> - 2011-04-29 09:02 -0500
              Re: setting up keys Dave <hendedav@gmail.com> - 2011-05-03 13:11 -0700
          Re: setting up keys Richard Kettlewell <rjk@greenend.org.uk> - 2011-04-28 15:10 +0100
  Re: setting up keys dagon@dagon.net (Dagon) - 2011-04-27 13:16 -0700
    Re: setting up keys Dave <hendedav@gmail.com> - 2011-04-28 06:41 -0700
