
| Subject: | Re: Using key-pairs with cron |
|---|---|
| Date: | Sat, 5 Feb 2005 20:22:15 +0100 |

Well, using a cron or other process to do the updates ain't the best solution, but if one has to, then maybe you could make a program that you run through cron that only uses a preset password and commits changes via the key files with the password. In this case you could hide the password somewhat, but I still think if anyone were to gaze upon the files and had some knowledge about different concepts, he/she could probably hack the solution anyway.

The only way through this is to use the keyphrases manually, and you would be the only one to know them and use them. But even in that case someone could intercept the communication and sniff the password if they really cared.

So the thing you really have to ask yourself is how many layers of security do you need?

best regards

On Fri, 4 Feb 2005 11:28:28 -0800, Bill Moseley <moseley@hank.org> wrote:
> I'm looking for suggestions how to improve security of automatic cvs checkouts.
>
> I'm using a cron script to run a cvs checkout from SourceForge. SourceForge has pserver access, but there's a long delay between developer cvs checkins and pserver update, so for this application I have to use my sf.net developer account to do the cvs checkouts to get up-to-date files.
>
> AFAIK, since I'm doing this checkout via cron I need to use a password-less (no pass phrase) key pair. But that means I've got a private key on a server and that key could be used to gain access to an account on sf.net. (IIRC, hacked sf.net accounts have been used to launch successful attacks on other machines.)
>
> I'm not sure of the real security risk. The server doing the checkouts is not under my control. Someone would have to hack the account where the private key is stored. My guess is if someone could do that they might also have root and then could just as easily capture a pass-phrase.
>
> Unfortunately, the public key at sf.net cannot be set up as single use. And I cannot think of a way to use a password and use cron (I could avoid using cron and have a long-running process that sleeps for hours between checkouts, but that would need to be restarted manually).
>
> I'm mostly concerned because my normal usage of keys is to always have a good pass phrase.
>
> Can anyone think of a better way to do the above? -- Keep in mind I cannot do anything to change the way sf.net works. How would you set something like this up?
>
> Thanks,
>
> --
> Bill Moseley
> moseley@hank.org

-- Daniel Persson mailto.woden@gmail.com
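
One way to keep a pass phrase on the key and still run from cron, as an added example that is not part of either message: unlock the key once by hand into `ssh-agent`, and have the cron wrapper refuse to run unless that agent is reachable and holds a key. The `~/.ssh/agent.env` path and the function names are assumptions of this example; it narrows exposure to a stolen key file, while a root compromise of the host can still use the loaded agent, as the question already notes.

```shell
#!/bin/sh
# Cron wrapper (added example): authenticate with a pass-phrase-protected key
# held by ssh-agent instead of a pass-phrase-less key file on disk.
# Assumed one-time manual step after each reboot (path is hypothetical):
#   umask 077; ssh-agent -s > ~/.ssh/agent.env; . ~/.ssh/agent.env; ssh-add
# Assumed crontab use:  /path/to/this-script cvs -q update -d

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# True only for a regular file owned by us with no group/other permission bits.
private_to_me() {
    [ -f "$1" ] && [ -O "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print SSH_AUTH_SOCK from the saved ssh-agent output. The file is parsed,
# not sourced, so a tampered file cannot inject shell commands into the job.
agent_sock_from() {
    private_to_me "$1" || return 1
    sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Run "$@" with the agent attached. Fails closed with a distinct code:
#   2 = env file missing or not private, 3 = socket missing or not ours,
#   4 = agent unreachable or holding no key (e.g. after a reboot).
run_with_agent() {
    sock=$(agent_sock_from "$AGENT_ENV") || return 2
    [ -S "$sock" ] && [ -O "$sock" ] || return 3
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || return 4
    SSH_AUTH_SOCK="$sock" CVS_RSH=ssh "$@"
}

# When invoked with a command (as from cron), run it through the agent.
if [ "$#" -gt 0 ]; then
    run_with_agent "$@"
fi
```

A non-zero exit of 2, 3 or 4 means the key has not been unlocked since the last restart, which is the point at which someone has to type the pass phrase again.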