Gentoo OpenSSH key management, Part 3
Disclaimer:
The original version of this article was first published on IBM developerWorks, and is property of Westtech Information Services. This document is an updated version of the original article, and contains various improvements made by the Gentoo Linux Documentation team.
This document is not actively maintained.
OpenSSH key management, Part 3
Content:
1. Agent forwarding and keychain improvements
Many of us use the excellent OpenSSH as a secure, encrypted replacement for the venerable telnet and rsh commands. One of OpenSSH's more intriguing features is its ability to authenticate users using the RSA and DSA authentication protocols, which are based on a pair of complementary numerical "keys." One of the main appeals of RSA and DSA authentication is the promise of being able to establish connections to remote systems without supplying a password. For more background, see the previous installments of this series on OpenSSH key management, which cover RSA/DSA authentication (Part 1) and ssh-agent and keychain (Part 2), respectively.
Since Part 2 was published on developerWorks in September 2001, and later referenced on Slashdot and Freshmeat (see Resources later in this article for links to these sites), a lot of people have started using keychain, and it's undergone a lot of changes. I've received approximately 20 or so high-quality patches from developers around the world. I've incorporated many of these patches into the keychain source, which is now at version 1.8 (see Resources). I send my sincere thanks to all those who submitted patches, bug reports, feature requests, and notes of appreciation.
Tightening ssh security
In my last article, I spent some time discussing the security benefits and tradeoffs of running ssh-agent. A few days after the second article appeared on developerWorks, I received an e-mail from Charles Karney of Sarnoff Corporation, who politely informed me of OpenSSH's new authentication agent forwarding abilities, which we'll take a look at in a bit. In addition, Charles emphasized that running ssh-agent on untrusted machines is quite dangerous:
if someone manages to get root access on the system, then your decrypted keys can be extracted from ssh-agent. Even though extracting the keys would be somewhat difficult, it is within the skill of professional crackers. And the mere fact that private key theft is possible means that we should take steps to guard against it happening in the first place.
To formulate a strategy to protect our private keys, we must first put the machines we access into one of two categories. If a particular host is well-secured or isolated -- making a successful root exploit against it quite unlikely -- then that machine should be considered a trusted host. If, however, a machine is used by many other people or you have some doubts about the security of the system, then the machine should be considered an untrusted host. To guard your private keys against extraction, ssh-agent (and thus keychain) should never be run on an untrusted host. That way, even if the system's security is compromised, there will be no ssh-agent around for the intruder to extract keys from in the first place.
However, this creates a problem. If you can't run ssh-agent on untrusted hosts, then how do you establish secure, passwordless ssh connections from these systems?
The answer is to only use ssh-agent and keychain on trusted hosts, and to use OpenSSH's new authentication forwarding abilities to extend passwordless authentication to any untrusted hosts. In a nutshell, authentication forwarding works by allowing remote ssh sessions to contact an ssh-agent running on a trusted system.
Authentication agent forwarding
To get an idea of how authentication forwarding works, let's first take a look at a hypothetical situation where user drobbins has a trusted laptop called lappy, a trusted server called trustbox, and two other untrusted systems that he must access, called notrust1 and notrust2, respectively. Currently, he uses ssh-agent along with keychain on all four machines, as follows:
Figure 1.1: ssh-agent running on trusted and untrusted machines
The problem with this approach is that if someone gains root access on notrust1 or notrust2, then it is of course possible for this person to extract keys from the now vulnerable ssh-agent process. To fix this, drobbins stops running ssh-agent and keychain on untrusted hosts notrust1 and notrust2. In fact, to be even more careful, drobbins decides to only use ssh-agent and keychain on lappy. This limits exposure of his decrypted private keys, protecting him against private key theft:
Figure 1.2: ssh-agent running only on lappy; a more secure configuration
Of course, the problem with this approach is that drobbins can now only establish passwordless connections from lappy. Let's see how to enable authentication forwarding and get around this problem.
Assuming that all machines are running recent versions of OpenSSH, we can get around this problem by using authentication forwarding. Authentication forwarding allows remote ssh processes to contact the ssh-agent that is running on your local trusted machine -- rather than requiring a version of ssh-agent to be running on the same machine that you are sshing out from. This usually allows you to run ssh-agent (and keychain) on a single machine, and means that all ssh connections that originate (either directly or indirectly) from this machine will use your local ssh-agent.
To enable authentication forwarding, we add the following line to lappy and trustbox's /etc/ssh/ssh_config. Note that this is the config file for ssh (ssh_config), not the ssh daemon sshd (sshd_config):
Code Listing 1.1: Add this line to your /etc/ssh/ssh_config
    ForwardAgent Yes
Now, to take advantage of authentication forwarding, drobbins can connect from lappy to trustbox, and then from trustbox to notrust1 without supplying passphrases for any of the connections. Both ssh processes "tap in" to the ssh-agent running on lappy:
Code Listing 1.2: Tapping lappy
    $ ssh drobbins@trustbox
    Last login: Wed Sep 26 13:42:08 2001 from lappy
    Welcome to trustbox!
    $ ssh drobbins@notrust1
    Last login: Tue Sep 25 12:03:40 2001 from trustbox
    Welcome to notrust1!
    $
If you try a similar configuration and find that agent forwarding isn't working, try using ssh -A instead of plain old ssh to explicitly enable authentication forwarding. Here's a diagram of what went on behind the scenes when we logged into trustbox and notrust1 using authentication forwarding, above:
Figure 1.3: Agent forwarding in action
As you can see, when ssh connected to trustbox, it maintained a connection to the ssh-agent running on lappy. When an ssh connection was made from trustbox to notrust1, this new ssh process maintained the authentication connection to the previous ssh, effectively extending the chain. Whether this authentication chain can be extended beyond notrust1 to other hosts depends on how notrust1's /etc/ssh/ssh_config is configured. As long as agent forwarding is enabled, all parts of the chain will be able to authenticate using the ssh-agent running on the trusted lappy.
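The following script is an added example; it is not part of the article and not keychain's code. Because a global "ForwardAgent Yes" as in Code Listing 1.1 hands the agent connection to every destination, including untrusted ones, the sample below instead scopes the setting with Host stanzas (forward only toward trustbox, off elsewhere) and includes a small checker that reports the ForwardAgent value ssh would obtain for a given destination, following ssh_config's first-match rule. The configuration text, the function names and the checker itself are constructed for this illustration; the checker matches only exact host names and the "*" wildcard, not ssh's full pattern syntax.

```shell
#!/bin/sh
# Added example (not from the article or from keychain): evaluate which
# ForwardAgent setting ssh would obtain for a destination host, given an
# ssh_config text. Host names follow the article's scenario; the config
# below is constructed for this illustration.

# Constructed per-host client config for lappy: forward the agent only
# when hopping to the trusted server; the final "Host *" stanza is the
# catch-all for everything else.
SAMPLE_SSH_CONFIG='# constructed sample ~/.ssh/config
Host trustbox
    ForwardAgent yes

Host notrust1 notrust2
    ForwardAgent no

Host *
    ForwardAgent no
'

# The article's Code Listing 1.1, applied globally (no Host stanza at all).
GLOBAL_SSH_CONFIG='ForwardAgent Yes'

# forward_agent_for DEST CONFIG_TEXT
# Prints "yes" or "no": the first ForwardAgent value obtained from a stanza
# matching DEST wins (ssh_config's first-match rule); options before any
# Host line apply to all hosts; the default when nothing matches is "no".
# Only exact names and the "*" wildcard are matched here (assumption: the
# sample uses nothing else).
forward_agent_for() {
    printf '%s\n' "$2" | awk -v dest="$1" '
        BEGIN { active = 1 }                 # pre-Host options apply to all
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        tolower($1) == "host" {              # a Host line starts a stanza
            active = 0
            for (i = 2; i <= NF; i++)
                if ($i == "*" || $i == dest) active = 1
            next
        }
        active && tolower($1) == "forwardagent" && result == "" {
            result = tolower($2)             # first obtained value wins
        }
        END { print (result == "" ? "no" : result) }
    '
}

# report_forwarding CONFIG_TEXT HOST...
# One line per destination so the policy can be read at a glance.
report_forwarding() {
    cfg=$1; shift
    for dest in "$@"; do
        printf '%-10s ForwardAgent=%s\n' "$dest" "$(forward_agent_for "$dest" "$cfg")"
    done
}

echo "Per-host config:"
report_forwarding "$SAMPLE_SSH_CONFIG" trustbox notrust1 notrust2 otherbox
echo "Global 'ForwardAgent Yes' (Code Listing 1.1):"
report_forwarding "$GLOBAL_SSH_CONFIG" trustbox notrust1
```

Run it as-is to see both policies side by side; to check a real client configuration, pass the file's contents, for example forward_agent_for notrust1 "$(cat ~/.ssh/config)".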
Advantages of agent connection forwarding
Authentication forwarding offers a number of security advantages not touched on here. To convince me of the importance of agent connection forwarding, Charles Karney shared with me these three security advantages:
1. The private key is stored only on the trusted machine. This prevents malicious users from grabbing your encrypted key from disk and attempting to crack the encryption.
2. ssh-agent runs only on the trusted machine. This prevents an intruder from doing a memory dump of a remote ssh-agent process and then extracting your decrypted private keys from the dump.
3. Since you only need to type in the passphrase on your trusted machine, you prevent any keystroke loggers from stealthily grabbing your passphrase as it is entered.
The one drawback to relying on authentication agent connection forwarding is that it doesn't solve the problem of allowing cron jobs to take advantage of RSA/DSA authentication. One solution to this problem is to set up all cron jobs that need RSA/DSA authentication so that they execute from a trusted machine on your LAN. If necessary, these cron jobs can use ssh to connect to remote systems to automate backups, synchronize files, and so on.
Now that we've looked at authentication agent connection forwarding, let's turn to recent improvements made to the keychain script itself.
Keychain functionality improvements
Thanks to user patch submissions, many significant improvements have been made to the keychain source. Several of the user-submitted keychain patches were functionality-related. For example, you'll recall that keychain created an ~/.ssh-agent file; the name of this file has now been changed to ~/.ssh-agent-[hostname] so that keychain works with NFS-mounted home directories that may be accessed from several different physical hosts. In addition to the ~/.ssh-agent-[hostname] file, there is now a ~/.ssh-agent-csh-[hostname] file that can be sourced by csh-compatible shells. Finally, a new --nocolor option has been added so that colorization features can be disabled if you happen to be using a non-vt100-compatible terminal.
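As an added example that is not keychain's own code, the script below does what the ~/.ssh-agent-[hostname] and ~/.ssh-agent-csh-[hostname] files described above exist for: it records a running agent's socket and pid once per physical host, in a form that sh-compatible and csh-compatible shells can each source, and it checks that a recorded agent is still alive before it would be reused (a stale record from a rebooted host must not be trusted). The ssh-agent output is a constructed sample (the socket path and pid are made up; a real run would capture ssh-agent -s), the function names are chosen here, and the file names follow the article.

```shell
#!/bin/sh
# Added example (not keychain's code): keep one agent record per physical
# host in a shared home directory, as the article's ~/.ssh-agent-[hostname]
# and ~/.ssh-agent-csh-[hostname] files do, and verify the record before
# trusting it. The agent output below is constructed; a real run would use
# AGENT_OUTPUT=$(ssh-agent -s).

SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-XyZ123/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;
echo Agent pid 4243;'

# write_agent_files AGENT_OUTPUT HOSTNAME DIR
# Pulls SSH_AUTH_SOCK and SSH_AGENT_PID out of sh-style ssh-agent output and
# writes DIR/.ssh-agent-HOSTNAME (sh syntax) and DIR/.ssh-agent-csh-HOSTNAME
# (csh syntax), mode 0600 since they name the agent socket. Returns 1 if the
# text does not look like ssh-agent output.
write_agent_files() {
    sock=$(printf '%s\n' "$1" | sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p')
    pid=$(printf '%s\n' "$1" | sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p')
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    old_umask=$(umask)
    umask 077
    printf 'SSH_AUTH_SOCK=%s; export SSH_AUTH_SOCK;\nSSH_AGENT_PID=%s; export SSH_AGENT_PID;\n' \
        "$sock" "$pid" > "$3/.ssh-agent-$2"
    printf 'setenv SSH_AUTH_SOCK %s;\nsetenv SSH_AGENT_PID %s;\n' \
        "$sock" "$pid" > "$3/.ssh-agent-csh-$2"
    umask "$old_umask"
}

# agent_sock_from_file FILE
# Sources the sh-style record in a subshell and prints the socket path.
agent_sock_from_file() {
    ( . "$1" && printf '%s\n' "$SSH_AUTH_SOCK" )
}

# agent_alive FILE
# True only if the recorded socket exists and the recorded pid is running;
# anything else means the record is stale and a new agent is needed.
agent_alive() {
    [ -r "$1" ] || return 1
    ( . "$1" && [ -S "$SSH_AUTH_SOCK" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null )
}

# Demonstration: record the constructed agent for host "lappy" in a temp dir.
demo_dir=$(mktemp -d)
write_agent_files "$SAMPLE_AGENT_OUTPUT" lappy "$demo_dir"
echo "--- $demo_dir/.ssh-agent-lappy"
cat "$demo_dir/.ssh-agent-lappy"
echo "--- $demo_dir/.ssh-agent-csh-lappy"
cat "$demo_dir/.ssh-agent-csh-lappy"
if agent_alive "$demo_dir/.ssh-agent-lappy"; then
    echo "recorded agent is alive"
else
    echo "recorded agent is not running (expected for the constructed sample)"
fi
rm -rf "$demo_dir"
```

In a login script the sh record would be used as ". ~/.ssh-agent-$(hostname)" only after agent_alive succeeds; a csh user would "source ~/.ssh-agent-csh-`hostname`" instead.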
Shell compatibility fixes
While the functionality improvements have been significant, the vast majority of fixes have dealt with shell compatibility issues. You see, while keychain 1.0 required bash, later versions were changed to work with any sh-compatible shell. This change allows keychain to work "out of the box" on nearly any UNIX system, including Linux, BSD, Solaris, IRIX, and AIX as well as other UNIX platforms. While the transition to sh and general UNIX compatibility has been a bumpy ride, it has also been a tremendous learning experience. Creating a