Using SSH Keys for http user verification [closed] - ssh

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
This is most likely not possible, but I'm just asking this to check... I'm just thinking out loud here...
So, SSH keys are very useful for logging into a server. Use SSH, and your SSH keys increase security to the server while also making it easier to manage several servers or other programs with one SSH key. Also, by unlocking the key when you log in, there is even less need to type the password over and over again. So, I was wondering... is there a way to use SSH keys for website user verification? I am not talking about large, public websites, but about small, controlled systems that are used by specific users whose OS/browser can be controlled. Is there a way to integrate this? For this to work I assume the private key would need to be transferred over the web, so let's say we have SSL running to make this not insecure. Is such a thing possible? In an ideal situation, I log in to a website and it will see that my private key matches the public key that is installed, and voilà, I'm in!

It's called a client certificate, and you import it into your browser.

From a technical point of view, SSH keys represent a public key cryptography scheme, and this is what X.509 certificates do in SSL. So what you need is certificates (a client-side one if you want to authenticate the client on the server).
And no, private keys are never transferred across the net. They are used in certain operations for exchange of the session key.

AuthUserFile /home/hafizni/.htpasswd
AuthGroupFile /home/hafizin/.htgroup
AuthName hafizin page
AuthType Basic
require group my-users


What is TLS and Why do we need it? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 2 years ago.
What is TLS and why do we need it? Can someone explain to me what roles it plays in Kubernetes?
What will happen if I don't use it? Can someone explain it to me with an example?
Thank you for your time.
What is TLS and why do we need it?
TLS definition from wikipedia:
The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications [...]
TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity.
What roles does it play in Kubernetes?
It is used by the k8s control plane for encrypting data in transit. Encryption in transit protects your data if communications are intercepted while data moves between client and server. In the case of k8s, e.g. kubelet or controller manager are usually clients and api-server is considered a server.
What will happen if I don't use it?
I am not sure if you can do this (not use it). I think its use is enforced by k8s components. All you can do is to ignore certificate validation.
But let's imagine for now that you managed to bootstrap a cluster without TLS and all communication is now plaintext based (meaning there is no encryption). Now if I manage to intercept the communication, I (a malicious actor) can see what you are sending to the cluster. And since there is no mechanism to enforce data integrity, I can change this data to anything I want and pass it forward. You would have no way to check if you are exchanging data with the cluster or with me and if I am altering the data, adding malicious code or else.
Additionally, TLS certificates are used by k8s components for authentication purposes. This means that e.g. in order for kubelet to join the cluster it needs to prove that it is allowed to do this by showing it has a valid certificate, signed by a known authority (this usually means self-signed). You wouldn't be able to verify that the kubelet is yours and that it's not some malicious kubelet I joined to your cluster.

How to login to SSH using a .pub key file and a password? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
I'm about to connect to a remote using SSH but I'm lost at doing this. I thought I got it but I haven't been able to connect.
The client provided me with the following information via email (I have no control of the remote site and I'm not the admin):
.pub file
SSH password
SSH username
Key type: DSA
Key Size: 1024
Hostname
I assume it's port 22 (default for SSH). I remember some months ago I was able to connect with:
ssh -i /path_to_key_file username@remotehost.com
But this will work if it's a private key file, right? Do I have the right information to connect? What are the steps to connect successfully via a command line?
You either have a public and private key or you log in with username and password. Seeing that you received a public key file, it's likely that you have to use key authentication to log in. For that you'll need a private key, of course.
But since your client also sent you a login and password, you could try logging in without key authentication.
In short: your client is probably not completely comfortable with configuring sshd...

OpenVPN access control [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
Using OpenVPN, I can enable 2-way authentication with certificates, private keys and a CA certificate.
In my understanding, this only provides authentication (the client is who he says he is) but not authorization (access control). OpenVPN just assumes that a valid authentication is also an access authorization.
If I now run a second VPN server, using the same CA, will the clients of the first also have access to the second VPN?
If I want to avoid this - clients with keys/certs for the first VPN server should not be able to access the second VPN server (and reverse) - what are my options?
use a different CA for each server (ugly in my opinion)
use an access control list based on the common name (CN) (not so practical)
use firewall / iptables (not so practical)
Am I missing a way to somehow limit access of a certain client to a certain server?
Citing Jan Just Keijser from the OpenVPN forum
openvpn provides authentication, not access control (authorization), nor should it, in my opinion. The options you mention are the only options you have, unless you also want to throw in username+password control.
you could use a sub-CA (intermediary CA) ; each client cert would be signed by a specific sub-CA ; the clients need only the "root" CA to connect to a server, but the servers can allow access based on the sub-CA used for a client.
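The sub-CA idea from the quoted answer can be enforced with OpenVPN's `tls-verify` hook (which needs `script-security 2` in the server config). The script below is an added example, not from the forum thread; the sub-CA name `vpn-server-a-subca` is an assumption, and OpenVPN itself still validates the whole chain against the shared root `ca`.

```shell
#!/bin/sh
# tls-verify hook for OpenVPN (added example, not from the thread).
# Server config:  tls-verify /etc/openvpn/check-subca.sh   (path is an assumption)
# OpenVPN runs:   check-subca.sh <depth> <x509-subject>   once per certificate in the
# client's chain; exit 0 accepts that element, non-zero rejects the connection.
# Depth 0 is the client's leaf cert, depth 1 its issuer, depth 2 the issuer's issuer.
# Policy: clients of THIS server must be issued by the sub-CA named below; a cert issued
# directly by the root, or by another server's sub-CA, is refused even though it chains
# to the same trusted root.

EXPECTED_SUBCA_CN="${EXPECTED_SUBCA_CN:-vpn-server-a-subca}"   # assumed sub-CA name

# Extract the CN from a subject in either format OpenVPN may hand over:
#   "C=US, O=Example, CN=name"   or legacy   "/C=US/O=Example/CN=name"
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# check_chain_element DEPTH SUBJECT -> returns 0 (accept) or 1 (reject)
check_chain_element() {
    depth="$1"
    subject="$2"
    case "$depth" in
        1)
            cn=$(subject_cn "$subject")
            [ "$cn" = "$EXPECTED_SUBCA_CN" ] && return 0
            echo "tls-verify: issuer CN '$cn' is not the permitted sub-CA '$EXPECTED_SUBCA_CN'" >&2
            return 1
            ;;
        *)
            # leaf (0) and root (2+) are left to OpenVPN's normal chain validation
            return 0
            ;;
    esac
}

# Act on OpenVPN's two arguments when invoked as the hook; sourcing the file does nothing.
if [ "$#" -eq 2 ]; then
    check_chain_element "$1" "$2"
    exit $?
fi
```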

Is "man in the middle" possible for VPN the first time a client connects to the server? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
According to http://en.wikipedia.org/wiki/Secure_Shell#Key_management, ssh is vulnerable to "man-in-the-middle" attack when establishing the first connection with server.
SSH also supports password-based authentication that is encrypted by automatically generated keys. In this case the attacker could imitate the legitimate side, ask for the password and obtain it (man-in-the-middle attack). However this is only possible if the two sides have never authenticated before, as SSH remembers the key that the remote side once used.
Does VPN suffer from the same "weakness"?
If the VPN server is authenticated using a key which is known to the client, then there's no problem: the key is already known (and supposedly trusted) and the client can be sure that it has connected to the legitimate server.
The same applies to SSH. The wording in Wikipedia is not exactly correct: for the first connection to be reliable, the client should know the valid server key. It's not important if "they have authenticated before". It's important that the client trusts the key.
How can the key be trusted on the client? When an X.509 certificate is used in SSL/TLS, it's validated according to sophisticated rules and the certificate chain is built up to the trusted root certificate. If the chain can't be built, then the end-entity certificate is not trusted. In SSH there are no certificate chains, and the only way the client can trust the server is when the client has the server's key transferred using some other mechanism (voice call or paper or USB stick or separate SSL/TLS connection, whatever).

Open ssh connection in one-line command without public key [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
Is there any way to execute an ssh connection without using interactive password authentication and without public keys? I need to run a command in the remote server, all this without manual intervention. I know that I can use a script but I don't have any example. The application will be running on different machines so it's a bit hard creating a public key for every machine.
Everything is possible with the right configurations, but there are some security points to consider.
You certainly don't want everyone on the net to be able to execute any command on your server. So simply allowing everything is not a good idea.
Everyone who has your application on a computer in her control can do everything your application can do ... and maybe more, if the application has limits only built into itself, not on the server side.
You can distribute a private key with your application (and pass it to SSH on connection), but of course then anyone having the application can extract this key. (If the application can access it, so can any attacker who has control over it.)
You could also distribute a password with your application and somehow pass it to ssh, but still, in principle anyone who has the application can get the password.
If there is always the same command to be executed (maybe with different inputs), you can force this specific command on the server side - for example, for a specific public key in the authorized_keys file. Or you could create an SSH subsystem and only allow this by server configuration.
On the server side, you can put additional limits by IP address or host name, but this is not really secure (IP addresses can be faked, for example). If the computers on which the application is to be run have already existing SSH installations, they should have host keys, and maybe you can do host authentication. But this is still only really useful if these hosts are under your control, more or less.
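The forced-command approach described in this answer, as an added example (not the answer's own code): an `authorized_keys` entry pins the distributed key to a wrapper, and the wrapper honours only an allow-list of requests read from `SSH_ORIGINAL_COMMAND`, so a leaked application key yields those requests and nothing else. The wrapper path `/usr/local/bin/app-gate` and the `app-report`/`app-upload` targets are hypothetical.

```shell
#!/bin/sh
# Forced-command wrapper (added example). Pin it to the application's key in authorized_keys:
#   command="/usr/local/bin/app-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... app-key
# sshd then ignores whatever the client asked to run, executes this script instead, and puts
# the client's original request in SSH_ORIGINAL_COMMAND (unset when none was given).

# decide REQUEST -> prints the sanctioned command line and returns 0, or returns 1 to refuse
decide() {
    request="$1"
    case "$request" in
        "report status")
            echo "/usr/local/bin/app-report --status"          # hypothetical target
            ;;
        "upload "*)
            # exactly one argument, restricted to a plain file name: no path separators,
            # no whitespace, no shell metacharacters, not empty
            name="${request#upload }"
            case "$name" in
                ""|*[!A-Za-z0-9._-]*) return 1 ;;
            esac
            echo "/usr/local/bin/app-upload --name $name"     # hypothetical target
            ;;
        *)
            return 1
            ;;
    esac
}

main() {
    target=$(decide "${SSH_ORIGINAL_COMMAND-}") || {
        # refused requests are worth logging: they are a leaked or misused key in action
        logger -t app-gate "refused '${SSH_ORIGINAL_COMMAND-<none>}' from ${SSH_CLIENT%% *}"
        exit 1
    }
    # word splitting is intended: target is a fixed program plus the validated name
    exec $target
}

# Run as the gate only when installed under that name; sourcing the file for tests does nothing.
case "${0##*/}" in app-gate) main ;; esac
```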
For security reasons, a password (if you don't use a certificate) will always be asked for interactively, unless you configure the server in an advanced way.
You can use a certificate, by entering the password one time.
Take a look at this
On Debian, a tool exists for this and it's called sshpass (a noninteractive ssh password provider).
It comes with lots of warnings and caveats though! Be sure you assess the risks properly before continuing down this path...