undefined | Better HN

0 pointsduskwuff15y ago0 comments

> There is no plaintext passphrases stored anywhere...

Sure there are - in the config file, and in the command line.

  59: `ssh-keygen -q -f ~/.ssh/id_{$server['type']} -t {$server['type']} -N '{$server['remote_pass']}'`;
  71: $server['conn']->shell("ssh-keygen -q -f ~/.ssh/id_{$server['type']} -t {$server['type']} -N '{$server['remote_pass']}'");

It gets even better - if you forgot to set REMOTE_PASS in the config file, it defaults to empty, and you end up with a passwordless key on most of your machines:

  39: $_SERVERS[$k]['remote_pass'] = ($_SERVERS[$k]['remote_pass']) ? $_SERVERS[$k]['remote_pass'] : '' ;

Even if you're only copying keys "to and from the localhost", you've still just given all your servers access -- likely without a password -- to your desktop computer.

59: `ssh-keygen -q -f ~/.ssh/id_{$server['type']} -t {$server['type']} -N '{$server['remote_pass']}'`; 71: $server['conn']->shell("ssh-keygen -q -f ~/.ssh/id_{$server['type']} -t {$server['type']} -N '{$server['remote_pass']}'");

0 comments

3 comments · 1 top-level

a904guy15y ago· 2 in thread

When you run ssh-keygen it creates the two keys, public and private, neither contain the 'plaintext' passphrase in your home directory like you mentioned. The only concern may be bash history, I'll include a wipe for that. Secondly, even while being transmitted using SSH they are NOT in plain-text. As the SSH connection itself is encrypted, so while executed in plaintext, the password is NOT stored in plain text, or transmitted in plaintext as identified by those commands.

Finally, the remote_password being blank is by design, passwordless keys are less of a security threat than any weak user supplied password. They serve their purpose in the real world amongst private networks.

EDIT for 'and in the command line.': Reviewing the command history doesn't show the libssh2 or php5 commands being executed on either BSD or debian.

EDIT for your comment 'in the config file': If your suggesting that the software is insecure by the fact that the user leaves the config file after usage, then perhaps that user should be allowed in the environment to begin with.

zwp15y ago

The command, including password, is also visible in the process table. Some unices limit visibility of other users' processes but many do not.

a904guy15y ago

... well. Since we are going deep down the rabbit hole. So your machines other users are potentially a threat. Considering that the folder and contents are chmod 600. Only the owning user and root can see them. The key pass is pointless without the key files.

While we are on the subject. Lets dig deeper on this situation. Whats stopping your rouge user on the same box (that can dump the proc table while ssh-keygen is executing in ms) from dumping the ram to extract the stdin password typed out by keyboard then?

If you already have fear of a user INSIDE your box. SSH keys should be the least of your concerns.

2 more replies

j / k navigate · click thread line to collapse