From: dagon@dagon.net (Dagon)
Newsgroups: comp.security.ssh
Subject: Re: setting up keys
Date: Tue, 3 May 2011 09:30:35 -0700
Organization: Dagon.net

Dave wrote:
>One time passwords can't be used either because the job I'm trying to
>accomplish is scripted (hence the need for password-less access into
>the remote computer using public key authentication). Thanks for the
>response though. :) Any other thoughts on the single-use keys?

Just MHO - the single-use key seems to work, and I don't know of any exploits that make it useless, as long as the command that it runs does not allow any possibility of shell escape or updating important files (like the authorized_keys file, or any program or script that the user could run when he next legitimately logs in).

HOWEVER, this is enforced by the ssh daemon only, and it's going to be trickier to be certain you haven't left any holes in the command than if you used the full OS security model.

Having a separate login that does the task lets you set permissions such that the user CANNOT modify any files, even if he does get a shell.
You also get better logging, as you can distinguish between users, but can't distinguish between keys used. Usually, this isn't that much more management overhead than the forced-command key, so it's worth it.

You'll need to think about the threat model to choose what level of security you're comfortable with. Who'll have access to this key, what harm can be done with elevated access, are you worried about attack vs just error prevention and convenience, etc.

Of course, having a single-use (virtual) machine is more secure still. Having a single-use network, or a single-use instance of our universe is probably overkill, and can be difficult to manage.

-- 
Mark Rafn dagon@dagon.net
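
An added example, not part of the original post: a small audit of authorized_keys entries for the forced-command setup discussed above, reporting keys that have no `command=` or that still allow a pty or forwarding. The option keywords are the ones documented in sshd(8); the sample lines, script path and key material are constructed placeholders, and the order in which options appear is ignored as a simplification.

```python
import re

# Features a scripted forced-command key should have off (OpenSSH keywords are case-insensitive).
FEATURES = ("pty", "port-forwarding", "agent-forwarding", "x11-forwarding")
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")   # a first field starting like this is a key, not options
OPT_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?')

def first_field(line):
    """Return the text before the first whitespace that is outside a double-quoted value."""
    quoted, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and quoted:
            i += 1                       # skip the escaped character
        elif c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            return line[:i]
        i += 1
    return line

def audit_line(line):
    """Return findings for one authorized_keys line; [] means nothing to report."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    field = first_field(line)
    opts = {}
    if not field.lower().startswith(KEY_TYPES):
        opts = {m.group(1).lower(): m.group(2) for m in OPT_RE.finditer(field)}
    findings = []
    if "command" not in opts:
        findings.append("no forced command: key can run anything the account can")
    restricted = "restrict" in opts      # restrict turns every feature off unless re-enabled
    for f in FEATURES:
        if not ("no-" + f in opts or (restricted and f not in opts)):
            findings.append(f + " not disabled")
    return findings

def audit(text):
    """Map line number -> findings for every line that has any."""
    return {n: f for n, l in enumerate(text.splitlines(), 1) if (f := audit_line(l))}

# Constructed sample; the key material is a placeholder, not a real key.
SAMPLE = "\n".join([
    "ssh-ed25519 AAAA_PLACEHOLDER backup@cron",
    'command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 AAAA_PLACEHOLDER backup@cron',
    r'restrict,command="/usr/local/bin/backup.sh \"nightly set\"" ssh-ed25519 AAAA_PLACEHOLDER backup@cron',
])
```

A clean report only says the key is pinned to one command with no pty or forwarding; whether that command can be made to escape to a shell or write to files such as authorized_keys still has to be reviewed by hand.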