Hack:   Quick Logins with ssh Client Keys
Subject:   Don't use plaintext keys for interactive logins
Date:   2003-04-07 09:43:31
From:   anonymous2
There's no reason to use a plaintext (passwordless) key for interactive logins, ever. Despite what the author says, a passwordless key is NOT "the same" level of security as a password, since the key sits ON DISK, unencrypted, and a password does not. A better analogy would be putting your sensitive login password into a file named "StealMe.txt". Instead, use a strong passphrase and run ssh-agent to avoid the need to type passwords. For interactive use, this is a far better solution: now an attacker would need TWO secrets (your key and your passphrase) to impersonate you, and you still get passwordless logins.

Also the method of transferring your public key to the server (scp .ssh/id_rsa.pub server:.ssh/authorized_keys2) is not good. Keys should be *appended* to the file, not overwrite the file, in case the file exists. (Yes, I know this hack is just for setting up your first key, but a novice might easily repeat the command, overwriting an existing key file.) Finally, authorized_keys2 is deprecated in favor of authorized_keys in recent versions of OpenSSH. (And of course you should always run a recent version of an important security product like this.)

Full Threads Oldest First

Showing messages 1 through 3 of 3.

  • Novice - almost caught by existing authorized_keys2
    2003-12-30 22:32:09  anonymous2 [View]

    I'm a novice, and tried to use this command today.

    Fortunately, I remembered at the last moment that the consultant who had set up my system had an existing keyring. I went in and looked prior to running the command. Sure enough - there was authorized_keys2 just setting there, waiting to be overwritten.

    But now I'm screwed, because the hack doesn't tell me - a novice - how to append the key onto the existing key. And I'm afaid to just go scp .ssh/id_rsa.pub >> server:.ssh/authorized_keys2 in case it doesn't work right, and I screwup my existing file.


    Plus what's this about authorized_keys2 itself being depreciated? I thought this was a new book?! I would have assumed we'd be getting the very latest in technology.

    Can someone (in desending priority order) please:

    a: give me the command to safely append to the existing authorized_key2 file,
    b: point me to how I can create a key-pair I can split between Linux and Windows, so I can use this trick with PuTTY to connect from Windows to my Linux servers, and
    c: if we shouldn't be using authorized_key2 because its depreciated, correct the hack to the proper usage, and tell me how to fix my current authorized_key2 configuration to the proper usage/configuration.

    Thank you very much.
    • Novice - almost caught by existing authorized_keys2
      2005-09-08 14:04:31  timlewis1 [View]

      You can append your key as follows, substitute relevant values for userid and hostname.

      $ cat ~/.ssh/id_rsa.pub | ssh -l userid hostname "cat - >>.ssh/authorized_keys2"
    • Novice - almost caught by existing authorized_keys2
      2005-03-11 14:24:38  rodlinux [View]

      I tried this with solaris. I scp using the reccomended file. But then I did:

      cat authorized_keys2 >> authorized_keys

Showing messages 1 through 3 of 3.