SSH Case Studies - 11.1.2 Public-Key Authentication
In public-key authentication, a private key is the client’s credentials. Therefore, the batch job needs access to the key, which must be stored where the job can access it. You have three choices of location for the key, which we discuss separately:
Store the encrypted key and its passphrase in the filesystem.
Store a plaintext (unencrypted) private key in the filesystem, so it doesn’t require a passphrase.
Store the key in an agent, which keeps secrets out of the filesystem but requires a human to decrypt the key at system boot time.
11.1.2.1 Storing the passphrase in the filesystem
In this technique, you store an encrypted key and its passphrase in the filesystem so that a script can access them. We don’t recommend this method, since you can store an unencrypted key in the filesystem with the same level of security (and considerably less complication). In either case, you rely solely on the filesystem’s protections to keep the key secure. This observation is the rationale for the next technique.
11.1.2.2 Using a plaintext key
A plaintext or unencrypted key requires no passphrase. To create one, run ssh-keygen and simply press the Return key when prompted for a passphrase (or similarly, remove the passphrase from an existing key using ssh-keygen -p). You can then supply the key filename on the ssh command line using the -i option, or in the client configuration file with the IdentityFile keyword. [7.4.2]
Usually plaintext keys are undesirable, equivalent to leaving your password in a file in your account. They are never a good idea for interactive logins, since the SSH agent provides the same benefits in a much more secure fashion. But a plaintext key is a viable option for automation, since the unattended aspect forces us to rely on some kind of persistent state in the machine. The filesystem is one possibility.
Plaintext keys are frightening, though. To steal the key, an attacker needs to override filesystem protections only once, and this doesn’t necessarily require any fancy hacking: stealing a single backup tape will do. You can arrange to keep them off backups, but that’s an additional complication. If you need your batch jobs to continue working after an unattended system restart, plaintext keys are pretty much your best option. If the situation allows for some leeway in this regard, however, consider using ssh-agent instead.
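Because a plaintext key has nothing but filesystem permissions protecting it, the useful check on a batch host is an inventory: which private-key files are actually unencrypted, and are those readable by their owner only? The script below is an added example and is not code from the book or from this article. It assumes POSIX sh with od, base64, sed and stat available; the sample key files it builds are constructed blobs that follow the real openssh-key-v1 header layout (magic, cipher name, KDF name) but are not usable keys, and the host names in the generated client configuration are placeholders. The ssh-keygen invocations in the comments (-N '' for an empty passphrase, -p to change a passphrase, -f to name the key file) and the ssh_config keywords IdentityFile, IdentitiesOnly and BatchMode are real.

```shell
#!/bin/sh
# Added example, not code from the book or the article: an audit helper for
# a batch host that classifies SSH private-key files as encrypted or
# plaintext and checks the filesystem protection a plaintext key relies on.
# Assumes POSIX sh plus od, base64, sed and stat. The sample key files are
# constructed blobs that follow the real openssh-key-v1 header layout; they
# are not usable keys. A real plaintext batch key would be generated with
#   ssh-keygen -t ed25519 -N '' -f ~/.ssh/batch_key
# and a passphrase removed from an existing key with: ssh-keygen -p -f KEY

# Hex-encode stdin so binary key headers can be compared as text.
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# Prints one of: pem-encrypted, pem-plain, openssh-encrypted, openssh-plain, unknown.
key_format() {
    f=$1
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo pem-encrypted; return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
        # openssh-key-v1 layout: magic "openssh-key-v1\0", then length-prefixed
        # ciphername and kdfname; a plaintext key carries "none" for both (31 bytes).
        plain=$(printf 'openssh-key-v1\0\0\0\0\004none\0\0\0\004none' | to_hex)
        hdr=$(sed '1d;$d' "$f" | tr -d '\n' | base64 -d 2>/dev/null | head -c 31 | to_hex)
        if [ "$hdr" = "$plain" ]; then echo openssh-plain; else echo openssh-encrypted; fi
        return 0
    fi
    if grep -q 'BEGIN .*PRIVATE KEY' "$f"; then
        echo pem-plain; return 0
    fi
    echo unknown
}

# Returns 0 when the file is readable by its owner only (mode 0600 or 0400).
key_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in 600|400) return 0 ;; *) return 1 ;; esac
}

# Prints "<file> <format> <perms>"; returns 1 for a plaintext key that is not
# owner-only readable, since filesystem permissions are its only protection.
audit_key() {
    fmt=$(key_format "$1")
    if key_perms_ok "$1"; then perms=ok; else perms=TOO-OPEN; fi
    echo "$1 $fmt $perms"
    case "$fmt:$perms" in *-plain:TOO-OPEN) return 1 ;; esac
    return 0
}

# Client config for the batch job (real ssh_config keywords): IdentityFile
# names the plaintext key, IdentitiesOnly stops ssh from offering other keys,
# BatchMode suppresses interactive prompts. Host names are placeholders.
write_batch_config() {
    cat > "$1" <<EOF
Host backup-host
    HostName backup.example.com
    User batch
    IdentityFile $2
    IdentitiesOnly yes
    BatchMode yes
EOF
}

# Constructed sample key files in a temporary directory; prints the directory.
make_sample_keys() {
    d=$(mktemp -d)
    wrap() { echo "-----BEGIN $1 PRIVATE KEY-----"; cat; echo "-----END $1 PRIVATE KEY-----"; }
    printf 'openssh-key-v1\0\0\0\0\004none\0\0\0\004none' | base64 | wrap OPENSSH > "$d/batch_plain"
    printf 'openssh-key-v1\0\0\0\0\012aes256-ctr\0\0\0\006bcrypt' | base64 | wrap OPENSSH > "$d/batch_encrypted"
    printf 'Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQ09OU1RSVUNURUQ=\n' | wrap RSA > "$d/legacy_encrypted.pem"
    printf 'Q09OU1RSVUNURUQ=\n' | wrap RSA > "$d/legacy_plain.pem"
    cp "$d/batch_plain" "$d/world_readable"   # same plaintext key, wrong permissions
    chmod 600 "$d/batch_plain" "$d/batch_encrypted" "$d/legacy_encrypted.pem" "$d/legacy_plain.pem"
    chmod 644 "$d/world_readable"
    echo "$d"
}

# Demonstration over the constructed files.
dir=$(make_sample_keys)
write_batch_config "$dir/config" "$dir/batch_plain"
for k in batch_plain batch_encrypted legacy_encrypted.pem legacy_plain.pem world_readable; do
    audit_key "$dir/$k" || echo "  -> $k is a plaintext key without the filesystem protection it depends on"
done
rm -rf "$dir"
```

Run as-is to see the verdicts for the five constructed files; on a real host, point `audit_key` at each file under the batch account's ~/.ssh instead. The openssh-key-v1 check decodes only the first 31 bytes, which is enough to tell "none"/"none" from any cipher and KDF name without parsing the rest of the key, and the PEM check relies on the Proc-Type header that encrypted legacy keys carry.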