SSH Case Studies - 11.1.2 Public-Key Authentication
(Page 2 of 2 )
In public-key authentication, a private key is the clientís credentials. Therefore, the batch job needs access to the key, which must be stored where the job can access it. You have three choices of location for the key, which we discuss separately:
Store the encrypted key and its passphrase in the filesystem.
Store a plaintext (unencrypted) private key in the filesystem, so it doesnít require a passphrase.
Store the key in an agent, which keeps secrets out of the filesystem but requires a human to decrypt the key at system boot time.
18.104.22.168 Storing the passphrase in the ﬁlesystem
In this technique, you store an encrypted key and its passphrase in the filesystem so that a script can access them. We donít recommend this method, since you can store an unencrypted key in the filesystem with the same level of security (and considerably less complication). In either case, you rely solely on the filesystemís protections to keep the key secure. This observation is the rationale for the next technique.
22.214.171.124 Using a plaintext key
A plaintext or unencrypted key requires no passphrase. To create one, run ssh-key-gen and simply press the Return key when prompted for a passphrase (or similarly, remove the passphrase from an existing key using ssh-keygen Ėp). You can then supply the key filename on the ssh command line using the Ėi option, or in the client configuration file with the IdentityFile keyword. [7.4.2]
Usually plaintext keys are undesirable, equivalent to leaving your password in a file in your account. They are never a good idea for interactive logins, since the SSH agent provides the same benefits in a much more secure fashion. But a plaintext key is a viable option for automation, since the unattended aspect forces us to rely on some kind of persistent state in the machine. The filesystem is one possibility.
Plaintext keys are frightening, though. To steal the key, an attacker needs to override filesystem protections only once, and this doesnít necessarily require any fancy hacking: stealing a single backup tape will do. You can arrange to keep them off backups, but thatís an additional complication. If you need your batch jobs to continue working after an unattended system restart, plaintext keys are pretty much your best option. If the situation allows for some leeway in this regard, however, consider using ssh-agent instead.
Please check back next week for the continuation of this article series.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.