Ubuntu server remote file access

Paul Smith paul at mad-scientist.net
Mon Sep 30 18:49:16 UTC 2013


On Mon, 2013-09-30 at 13:39 -0400, Kent Borg wrote:
> On 09/30/2013 01:22 PM, Paul Smith wrote:
> > Of course there are many uses for passphrase-less keys.  They provide a
> > convenience of unattended remote access, with at least some amount of
> > security.  They're equivalent, authentication-wise, to writing a script
> > containing the password needed to log in remotely, only ssh/scp are far
> > more convenient than telnet/ftp (and they encrypt traffic, but that's
> > not an authentication feature).
> 
> A way to get some of the convenience of a key with no passphrase, but 
> without being as wide open as a clear-text password in a script file, is 
> to use ssh-agent.  You authenticate with it once and then just type ssh 
> or scp or whatever.

Yes, ssh-agent can make things a lot more convenient, especially if you
have strong (e.g. long/complicated) passphrases on your keys.  It's even
nicer today since ssh-agent is integrated right into virtually every
desktop (since ssh-agent is designed to respond only to its own child
processes, and their children etc., although this is circumventable).

It definitely increases the attack surface of your system and reduces
the security of your private key though: anyone who can log into your
system with appropriate permissions can ask the agent for the
un-encrypted private key [1].  Also, if you have agent forwarding
enabled then in some situations people on remote systems that you're
logged into with SSH can access your private key through the agent.

There are, of course, various steps you can take to mitigate this.

Also if you're relying on ssh-agent for automated procedures such as
backup then you need to be logged in and your passphrase entered into
the agent, otherwise your backups etc. are not being performed, which
may not be acceptable.  For a desktop/personal system it's likely OK,
but for servers probably not.


[1] Of course if they have this much privilege they could probably do
simpler things, like induce you to run a version of the "ssh" command
that captures the passphrase, or something.
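As an added example (not code from the original post), a small POSIX shell audit of an ssh_config for the agent-forwarding exposure described above; the two config snippets and their host names are constructed for illustration.

```shell
#!/bin/sh
# Constructed ~/.ssh/config snippets (not from the original post; host names are
# made up). The first forwards the agent to every host, the second only to one.
WEAK_CONFIG='Host *
    ForwardAgent yes

Host backup
    HostName backup.example.com
    User backup
'

TIGHTENED_CONFIG='Host *
    ForwardAgent no
    IdentitiesOnly yes

Host jump
    HostName jump.example.com
    ForwardAgent yes
'

# Read an ssh_config on stdin and print the label of every Host/Match block
# in which "ForwardAgent yes" is set. ssh_config keywords are case-insensitive,
# so everything is lowercased before comparison.
forward_agent_hosts() {
    awk '
        tolower($1) == "host" || tolower($1) == "match" {
            block = $2
            for (i = 3; i <= NF; i++) block = block " " $i
            next
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print block }
    '
}

# Returns 0 when the wildcard "Host *" block forwards the agent, i.e. every
# remote host you log into can ask your agent to sign with your keys; 1 otherwise.
wildcard_forwarding() {
    printf '%s' "$1" | forward_agent_hosts | grep -qx '\*'
}

# Usage on the live config: forward_agent_hosts < ~/.ssh/config
```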
