Ubuntu server remote file access

Pete Smout smoutpete at gmail.com
Mon Sep 30 17:39:39 UTC 2013


@google hope you enjoyed reading this, it had nothing to do with you!
Sent from my HTC.
On Sep 30, 2013 6:23 PM, "Paul Smith" <paul at mad-scientist.net> wrote:
>
> On Mon, 2013-09-30 at 12:48 -0400, Hal Burgiss wrote:
>
>
> > On Mon, Sep 30, 2013 at 12:14 PM, Paul Smith <paul at mad-scientist.net> wrote:
> >         On Mon, 2013-09-30 at 17:06 +0100, Colin Law wrote:
> >         > On 30 September 2013 16:55, Kent Borg <kentborg at borg.org> wrote:
> >         > > On 09/29/2013 10:48 AM, Hal Burgiss wrote:
> >         > > On Sat, Sep 28, 2013 at 2:17 PM, Kent Borg <kentborg at borg.org> wrote:
> >         > >> Yes, private keys are encrypted--if you encrypt them.  So if someone has
> >         > >> your private key, they still need to break any encryption.
> >         > >
> >         > > Huh?
> >         > >
> >         > > You sound confused.  What part don't you get?
> >         >
> >         > If someone has your private key then they have your private key.
> >         > There is no encryption that they need to break.
>
> >         I'm sure that Kent is assuming that you've added a passphrase to your
> >         private key; anyone who cares about the security of their private key
> >         will certainly do this.
> >
> >         If the key has a passphrase then just having the key file won't help,
> >         you also must have, or be able to guess, the passphrase.
>
>
> > That's a passphrase, unrelated to "encryption". All ssh keys (public
> > and private) are *encrypted*  when they are created using dsa, rsa,
> > and probably other options as well. The man page seems to make this
> > perfectly clear. If for some reason, you add any additional encryption
> > (which is how I am understanding Kent's comment), then they would not
> > be usable as-is by sshd.
>
> I don't understand the distinction you're trying to make here, and I
> don't think I agree with your terminology.
>
> A (passphrase-less) private key is not "encrypted".  A private key is,
> basically, a mathematical value which can be fed into a deterministic
> algorithm.  It is used to perform encryption and decryption, but it,
> itself, is not encrypted.  It can be considered to be "encoded", since
> the binary value is translated into a long string of hex digits for
> convenient storage and distribution, but it's not encrypted since it can
> be used directly without needing to be combined with any other
> information.
>
> A private key file with a passphrase is encrypted: getting a copy of the
> key file alone won't let you use it.  The contents of the file must be
> processed with the passphrase as input in order to change it back into a
> usable file.  Just like any other encrypted file.
>
> > And passphrases completely break unattended processes that some of us
> > need to do (ie for system to system backups, etc).
>
> Of course there are many uses for passphrase-less keys.  They provide a
> convenience of unattended remote access, with at least some amount of
> security.  They're equivalent, authentication-wise, to writing a script
> containing the password needed to log in remotely, only ssh/scp are far
> more convenient than telnet/ftp (and they encrypt traffic, but that's
> not an authentication feature).
>
> However one should not imagine that those are any more secure than your
> local disk.  I create different keys for this kind of access and I'd
> NEVER use those for any other purpose.  All the keys I use for
> interactive access to other servers always have a strong passphrase.
>
> > In fact, sshd creates system passphraseless public/private key pairs
> > during installation in /etc/ssh. These are courtesy of Ubuntu and ssh
> > maintainers.
>
> Those are host keys.  They have a completely different purpose: they're
> there to avoid man-in-the-middle attacks (to prove that the server
> you're talking to is the one that you think it is).  Only the SSH daemon
> needs to read those private keys so they're owned by, and readable only
> by, root on the server.  If an attacker can read those key files then
> they already have root access to the server and you've already lost.
>
> You should never use host keys as normal public/private keys for user
> accounts, not even root.
>
>
> Cheers!
>
>

Thanks for your clarity! I've been following this thread with interest, as I
am currently setting up a home media server, and I was thinking
(tentatively) of allowing remote access from selected locations, and I was
getting a bit jargon-hazed!

Pete s
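Paul's distinction above, that a passphrase-protected private key file is an encrypted file while a passphrase-less one can be used as-is, is recorded in the key file itself. The script below is an added example written for this archive page; it is not code from the thread or from OpenSSH. It audits a set of private key files and reports which are stored without a passphrase, by reading the cipher and KDF fields at the start of the openssh-key-v1 format and the Proc-Type/DEK-Info headers of the older PEM format (it also recognises the two PKCS#8 headers). The sample keys embedded in it are constructed dummies with no real key material, so it runs offline; the file paths are whatever you pass on the command line.

```python
"""Audit private key files: which are passphrase-protected (encrypted) and
which are stored in the clear.

Added example for the ubuntu-users thread above; not code from the list or
from OpenSSH.  Assumes the files are in a format ssh-keygen writes
(openssh-key-v1, legacy PEM, or PKCS#8).  The sample keys below are
constructed dummies, not usable keys.
"""
import base64
import struct
import sys

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode one SSH 'string' at offset; return (value, offset after it)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def classify_key(text: str) -> dict:
    """Return {'format', 'cipher', 'kdf', 'encrypted'} for one key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = lines[0]

    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # openssh-key-v1 stores the cipher and KDF names as its first two
        # fields; a passphrase-less key has cipher "none" and kdf "none".
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        offset = len(OPENSSH_MAGIC)
        cipher, offset = _read_ssh_string(body, offset)
        kdf, offset = _read_ssh_string(body, offset)
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none"}

    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return {"format": "pkcs8", "cipher": "pkcs8", "kdf": None, "encrypted": True}
    if header == "-----BEGIN PRIVATE KEY-----":
        return {"format": "pkcs8", "cipher": "none", "kdf": None, "encrypted": False}

    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): an encrypted key carries a
        # "Proc-Type: 4,ENCRYPTED" line and a "DEK-Info: <cipher>,<iv>" line.
        encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                        for ln in lines)
        cipher = "none"
        for ln in lines:
            if ln.startswith("DEK-Info:"):
                cipher = ln.split(":", 1)[1].strip().split(",", 1)[0]
        return {"format": "legacy-pem", "cipher": cipher, "kdf": None,
                "encrypted": encrypted}

    raise ValueError("not a recognised private key file")


def make_sample_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed openssh-key-v1 file with a dummy payload (NOT a real key)."""
    body = (OPENSSH_MAGIC
            + _ssh_string(cipher)
            + _ssh_string(kdf)
            + _ssh_string(b"")            # kdfoptions (empty in this dummy)
            + struct.pack(">I", 1)        # number of keys
            + _ssh_string(b"\x00" * 32)   # public key blob (dummy)
            + _ssh_string(b"\x00" * 64))  # private section (dummy)
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM samples; the base64 body is filler, not a key.
LEGACY_ENCRYPTED_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAIN_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""


def audit(paths):
    """Classify each file; return a list of (path, result-or-error-string)."""
    report = []
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8") as fh:
                report.append((path, classify_key(fh.read())))
        except (OSError, ValueError, UnicodeDecodeError) as exc:
            report.append((path, f"skipped: {exc}"))
    return report


if __name__ == "__main__":
    if sys.argv[1:]:
        for path, info in audit(sys.argv[1:]):
            print(path, info)
    else:  # no paths given: show the constructed samples
        for name, text in [("openssh-none", make_sample_openssh_key(b"none", b"none")),
                           ("openssh-bcrypt", make_sample_openssh_key(b"aes256-ctr", b"bcrypt")),
                           ("pem-encrypted", LEGACY_ENCRYPTED_SAMPLE),
                           ("pem-plain", LEGACY_PLAIN_SAMPLE)]:
            print(name, classify_key(text))
```

Run it as `python audit_keys.py ~/.ssh/id_*` (skipping the `.pub` files) to list which keys would be usable by anyone who copies the file; the unattended-backup keys Paul describes will show `encrypted: False`, which is the expected result for them and the reason he keeps them separate from his interactive keys.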