SSH-Agent: Logins Revisted

We've had discussions and articles on MacResearch about secure shell (SSH) and ways to use it to simplify tasks on remote systems. Drew recently discussed password-less ssh as an example of how to simplify connections to various remote systems. While doing some reading last night about encryption (for an application I am writing) I ran across a blog entry by Dave Dribin about another utility ssh-agent.

ssh-agent is a daemon that acts as a proxy for ssh. Typically when you connect to a remote system using password-less methods, you place your public key in a file on the remote host. The issue that arises in these cases is that if someone obtains access to your system, they can then jump from your machine to others without knowing the password on the remote system. ssh-agent mitigates this by requiring you to add your private key to the ssh-agent requiring you to type your password at least once (this is an important point). From then on, ssh-agent will serve up your authentication information everytime you type ssh in a given session. Caveats apply, of course.

Of course before going down any route that "simplifies" a security model, it's important to understand not only how the method works, but any important considerations in its implementation. Dave's blog entry discusses some of these and references other articles that provide more information on the implementation.

I want to point out a couple of things. First, if someone actually breaks into your system the old fashioned way (I mean a concerted effort to crack your password), then most likely they will have all of the information needed to gain access to your other systems. Why? Well, most people use the same password on all of the systems they connect to (or have centralized accounts).

Second, often a route into a system is when it's stolen, a reasonably intelligent thief will realize that with the right tools you can gain access to the system and ultimately user files by a few simple procedures. So just because the POSIX permissions on your folder deny access, doesn't mean that someone still can't gain access to them. Their are facilities built into OS X to help mitigate this (FileVault for example).

Finally, regarding knowing what systems to attempt to access remotely (when jumping from system to system), any thief, hacker, script-kiddie worth his weight in NaCl, knows that you keep a trail in your known_hosts file every time you connect to a remote system and type 'yes' when the authenticity of the host can't be confirmed:

The authenticity of host ' (' can't be established.
RSA key fingerprint is 46:71:99:d3:9c:ae:2f:87:d8:cd:81:27:ac:5a:a5:1a.
Are you sure you want to continue connecting (yes/no)?

And what do most of us do? Type yes. Why? Because we want to connect to the system. There is a great article on host key verification here that talks about how host keys work and how to verify they are correct.

And of course, make sure all of your accounts actually have passwords on them. Please.

Ok... all of this aside, security is an important part of computing, but it's important not to become too paranoid. When the barrier to doing work (or playing) becomes so high that it's impossible to actually get anything meaningful done, then there is no point. And let's face it MOST of us MacResearchers aren't dealing with nuclear weapons or top secret information. But taking basic precautions and understanding how security works on your systems will greatly reduce the risk of exposure and unauthorized access to your personal files and data.


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.


There's a really cool app (free as in beer) called sshkeychain that'll let you store your private key challenge phrase in osx's keychain and will utilize ssh-agent as well. I work at a datacenter with a ton of machines and now I can feel safe knowing not only does my private key have a challenge phrase but I don't have to type in my passphrase everytime I connect to a box.