Passing password in ssh

Mikkel L. Ellertson mikkel at infinity-ltd.com
Wed Jan 23 23:39:55 UTC 2008 

Aldo Foot wrote:
> 
> 
> 2008/1/22 Mikkel L. Ellertson <mikkel at infinity-ltd.com 
> 
> You are correct. My worst nightmare does not include stealing the private
> key. But simply cracking into a user's account who has access to several
> systems containing the keys.
> 
> Worst scenario is when someone brakes into a system gains root access
> and does "su - user" to such account and by looking into the .shosts tries
> his luck to other systems.
>  
Yes, that is a problem. You can only hope that such a user would 
have good pass phrase(s) on their key(s). Though I would expect the 
attacked to have more luck using the information in known_hosts to 
pick targets. If you only use "unlocked" keys for cron jobs, and 
then limit access on the remote system, you can keep the risk 
manageable. I can picture a cron job that does a backup to a remote 
machine, or a backup client that uses an ssh link to communicate to 
a backup server on a remote machine using "unlocked" keys.
> 
> 
>     But even having a pass phrase does not help if someone uses dumb
>     passwords. Things like first name as user name, and last name as
>     password. Then they use their full name as the pass phrase on the
>     key. Or is machine B lets you ssh in using username/password, and
>     you have a user like this. The key is to use the tools responsibly.
> 
> 
> Bingo!  There lies my problem.
> 
> Perhaps a good practice is to configure accounts such as those for
> cron jobs to use only specific commands.
> Does anyone reading this thread uses such setup?
> I'll play with this a bit.
> 
You may want to look into the -r option of bash, or rbash. (Bash 
invoked as rbash is supposed to be the same as running bash -r.) 
This, or another or the restricted shells would work well as the 
shell for user on the remote machine. You can also look into sudo to 
give limited access to commands that need to be run as root, if what 
you are doing is going to require it. (man bash and search for rbash)

I have not used it, but rssh also sounds like it might be useful, 
depending on what you need to do. It is designed to be used as the 
users shell on the remote machine when you want to limit what they 
can do over a ssh connection.

http://www.pizzashack.org/rssh/

Another option, if you only need to run a specific command, would be 
to configure the key in authorized_keys so it runs a specific 
command. (man sshd and search for AUTHORIZED_KEYS FILE FORMAT)

Mikkel
-- 

   Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20080123/2923abe4/attachment-0001.sig>

More information about the fedora-list mailing list