Berkeley CSUA MOTD:Entry 22665
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2025/05/25 [General] UID:1000 Activity:popular
5/25    

2001/10/8 [Computer/SW/Security] UID:22665 Activity:nil
10/7    I'm starting to dig rsync and ssh.  There's some
        caveats that aren't clear to me yet such as how to
        create a passphraseless key but still be able to limit permissions
        on the key.  Anyone know how to do that?
        \_ keychain might be the best you can get-- it keeps your ssh-agent
           running as long as the machine is not rebooted.  That way, you
           can log in to foo, start ssh-agent running in the background,
           add your identities, and use 'em till foo reboots.
        http://www-106.ibm.com/developerworks/linux/library/l-keyc2
        \_ What do you mean?  Without a passphrase on your key,
           anyone with root on the machine your "identity" is on
           can read your key and use it.  With a passphrase, someone
           with root can STILL get your key, but they have to work harder.
           If your key is on a machine that you're certain won't be
           compromised, with absolutely trustworthy root, then you don't
           need a passphrase. If your key is in an NFS-exported directory,
           you need a passphrase.
           [ reformatted ]
           \_ I think what he's trying to say, is that is there a way
              to set group permissions on a passphraseless key so the key
              can only be read by a certain gid (i.e. group foo).
              I don't think this is possible.
        \_ You don't need a passphraseless key; you can just use .shosts.
           \_ unless you don't administer the box..  grr...
ERROR, url_link recursive (eces.Colorado.EDU/secure/mindterm2) 2025/05/25 [General] UID:1000 Activity:popular
5/25    

You may also be interested in these entries...
2013/10/24-11/21 [Computer/Companies/Apple] UID:54747 Activity:nil
9/19    "No, A Severed Finger Will Not Be Able to Access a Stolen iPhone 5S"
        http://mashable.com/2013/09/15/severed-finger-iphone-5s
        I'm sure the Apple QA department has tested extensively that a severed
        finger will not be able to access a stolen iPhone 5S.
        \_ It doesn't matter whether or not a severed finger can be used.  It
           matters whether or not a robber thinks that a severed finger can be
	...
2013/6/6-7/31 [Politics/Foreign/Asia/China, Computer/SW/Security] UID:54690 Activity:nil
6/6     Wow, NSA rocks. Who would have thought they had access to major
        data exchangers? I have much more respect for government workers,
        crypto experts, mathematicans now than ever.
        \_ flea to Hong Kong --> best dim-sum in the world
           \_ "flee"
        \_ The dumb ones work for DMV, the smart ones for the NSA. If you
	...
2012/8/26-11/7 [Computer/SW/Security] UID:54465 Activity:nil
8/26    Poll: how many of you pub/priv key users: 1) use private keys that
        are not password protected 2) password protect your private keys
        but don't use ssh-agent 3) use ssh-agent:
        1) .
        2) ..
        3) ...
	...
2012/8/29-11/7 [Computer/SW/Security] UID:54467 Activity:nil
8/29    There was once a CSUA web page which runs an SSH client for logging
        on to soda.  Does that page still exist?  Can someone remind me of the
        URL please?  Thx.
        \_ what do you mean? instruction on how to ssh into soda?
           \_ No I think he means the ssh applet, which, iirc, was an applet
              that implemented an ssh v1 client.  I think this page went away
	...
2012/9/20-11/7 [Computer/SW/Unix, Finance/Investment] UID:54482 Activity:nil
9/20    How do I change my shell? chsh says "Cannot change ID to root."
        \_ /usr/bin/chsh does not have the SUID permission set. Without
           being set, it does not successfully change a user's shell.
           Typical newbie sys admin (on soda)
           \_ Actually, it does: -rwsr-xr-x 1 root root 37552 Feb 15  2011 /usr/bin/chsh
	...
2012/9/24-11/7 [Computer/SW/Languages, Computer/SW/Unix] UID:54484 Activity:nil
9/24    How come changing my shell using ldapmodify (chsh doesn't work) doesn't
        work either? ldapsearch and getent show the new shell but I still get
        the old shell on login.
        \_ Scratch that, it magically took my new shell now. WTF?
           \_ probably nscd(8)
	...
2012/8/7-10/17 [Computer/SW/Security] UID:54455 Activity:nil
8/6     Amazon and Apple have lame security policies:
        http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all
        "First you call Amazon and tell them you are the account holder, and
         want to add a credit card number to the account. All you need is the
         name on the account, an associated e-mail address, and the billing
         address. "
	...
Cache (8192 bytes)
www-106.ibm.com/developerworks/linux/library/l-keyc2 -> www-106.ibm.com/developerworks/linux/library/l-keyc2/
Linux | 10 Open source projects 11 developerWorks Common threads: OpenSSH key management, Part 2 12 85KB 13 e-mail it! One of OpenSSH's more intriguing features is its ability to authenticate users using the RSA and DSA authentication protocols, which are based upon a pair of complementary numerical "keys". One of the main appeals of RSA and DSA authentication is the promise of being able to establish connections to remote systems without supplying a password. In this second article, Daniel introduces ssh-agent (a private key cache) and keychain, a special bash script designed to make key-based authentication incredibly convenient and flexible. With ssh-agent you simply use ssh-add to add your private keys to ssh-agent's cache. Using ssh-agent Let's take a look at how this whole ssh-agent key caching system works. When ssh-agent starts up, it spits out a few important environment variables before detaching from the shell and continuing to run in the background. Due to the included export commands, these environment variables would be made available to any additional commands run later. Well, all that would happen if these lines were actually evaluated by the shell, but right now they're simply printed to stdout. To fix this, we can invoke ssh-agent in the following way: eval ssh-agent This command tells bash to run ssh-agent and then evaluate ssh-agent's output. Invoked this way (with back-quotes, not normal single quotes), the SSH_AGENT_PID and SSH_AUTH_SOCK variables get set and exported by your shell, making these variables available to any new processes you may start during your login session. The environment variable of particular importance is SSH_AUTH_SOCK; Using ssh-add But of course, ssh-agent starts up with an empty cache of decrypted private keys. Before we can really use ssh-agent, we first need to add add our private key to ssh-agent's cache using the ssh-add command. Limitations of ssh-agent ssh-agent is really cool, but its default configuration still leaves us with a few minor inconveniences. If you only open a single terminal or console on your system, this is no big deal, but most of us open quite a few terminals and need to type in our passphrase every single time we open a new console. Technically, there's no reason why we should need to do this since a single ssh-agent process really should suffice. Another problem with the default ssh-agent setup is that it's not compatible with cron jobs. Since cron jobs are started by the cron process, they won't inherit the SSH_AUTH_SOCK variable from their environment, and thus won't know that a ssh-agent process is running or how to contact it. Enter keychain To solve these problems, I wrote a handy bash-based ssh-agent front-end called keychain. What makes keychain special is the fact that it allows you to use a single ssh-agent process per system, not just per login session. This means that you only need to do one ssh-add per private key, period. As we'll see in a bit, keychain even helps to optimize the ssh-add process by only trying to add private keys that aren't already in the running ssh-agent's cache. However, the result is the same -- our ever-important SSH_AUTH_SOCK is defined, and ssh-agent is running and ready for use. First, head over to the 28 keychain project page and download the most recent available version of the keychain source archive. Now, if you log out and log back in again, you'll find that keychain will find the existing ssh-agent process; In addition, keychain will verify that the private key you specified are already in ssh-agent's cache. If not, then you'll be prompted for the appropriate passphrases, but if all goes well, your existing ssh-agent will still contain the private key that you previously added; In fact, as long as your initial ssh-agent process keeps running, you'll be able to log in and establish ssh connections without supplying a password. And it's very likely that your ssh-agent process will continue to run until the machine is rebooted; Welcome to the world of secure, passwordless connections using RSA and DSA authentication. Go ahead and create several new login sessions, and you'll see that keychain will "hook in" to the exact same ssh-agent process each time. Don't forget that you can also get your cron jobs and scripts to "hook in" to the running ssh-agent process. Keychain options After you have keychain up and running, be sure to type keychain --help to familiarize yourself with all of keychain's command-line options. We're going to take a look at one in particular: the --clear option. You'll recall that in 29 Part 1, I explained that using unencrypted private keys is a dangerous practice, because it allows someone to steal your private key and use it to log in to your remote accounts from any other system without supplying a password. Well, while keychain isn't vulnerable to this kind of abuse (as long as you use encrypted private keys, that is), there is a potentially exploitable weakness directly related to the fact that keychain makes it so easy to "hook in" to a long-running ssh-agent process. What would happen, I thought, if some intruder were somehow able to figure out my password or passphrase and log into my local system? If they were somehow able to log in under my username, keychain would grant them instant access to my decrypted private keys, making it a no-brainer for them to access my other accounts. Now, before I continue, let's put this security threat in perspective. If some malicious user were somehow able to log in as me, keychain would indeed allow them to access my remote accounts. Yet, even so, it would be very difficult for the intruder to steal my decrypted private keys since they are still encrypted on disk. Also, gaining access to my private keys would require a user to actually log in as me, not just read files in my directory. Nevertheless, if an intruder were successfully able to log in as me, they could do quite a bit of additional damage by using my decrypted private keys. So, if you happen to be using keychain on a server that you don't log into very often or don't actively monitor for security breaches, then consider using the --clear option to provide an additional layer of security. The --clear option allows you to tell keychain to assume that every new login to your account should be considered a potential security breach until proven otherwise. When you start keychain with the --clear option, keychain immediately flushes all your private keys from ssh-agent's cache when you log in, before performing its normal duties. Thus, if you're an intruder, keychain will prompt you for passphrases rather than giving you access to your existing set of cached keys. However, even though this enhances security, it does make things a bit more inconvenient and very similar to running ssh-agent all by itself, without keychain. Here, as is often the case, one can opt for greater security or greater convenience, but not both. Despite this, using keychain with --clear still has advantages over using ssh-agent all by itself; Since a logout from the system does not constitute a potential security breach, there's no reason for keychain to respond by flushing ssh-agent's keys. Thus, the --clear option an ideal choice for infrequently accessed servers that need to perform occasional secure copying tasks, such as backup servers, firewalls, and routers. Now that the OpenSSH key management series is complete, you should be very familiar with RSA and DSA keys and know how to use them in a convenient yet secure way. Be sure to also check out the following resources: Resources * Read 30 Part 1 and 31 Part 3 of Daniel's series on OpenSSH key management on developerWorks. The 37 Authors' site contains information about the book, a FAQ, news, and updates. He has also served as a contributing author for the Macmillan books Caldera OpenLinux Unleashed, SuSE Linux Unleashed, and Samba Unleashed. Daniel has been involved with computers in some fashion since the second grade, when he was first exposed to the Logo programming language as well as a potentially dangerous dose of Pac Man. This probably explains why he has since ...