LinuxQuestions.org
Old 09-02-2013, 12:39 PM   #1
ziphem
Member
 
Registered: Feb 2004
Location: US / EU
Distribution: Fedora 31
Posts: 225

Rep: Reputation: 29
Secure? SSH using keyfile and no password, but restricted host machine access?


I'm trying to figure out how to easily back up a family member's Windows machine to a free-standing Linux machine. Yes, I've installed Mint on their machine as dual boot, but they're not taking the bait and making that switch.

The Windows machine is on the same network as the Linux backup. The Windows machine has a fixed IP address on the LAN. However, the Linux machine is also open, and must remain open and accessible, through the outside internet.

As of right now, I have a functioning setup. I use plink to unlock a container on the backup machine, rsync (really cwrsync) over SSH to that machine, and then plink to relock the container. The problem is that, since I cannot find any Pageant or the like to work with the Windows cwrsync program, the user has to enter their passphrase 3 times - twice for the plink, and once for the SSH. So, I'm trying to simplify this system for them.

I would prefer not to use a keyfile with no passphrase, since, as mentioned, this backup machine is open to the internet. Unless someone knows of a Windows rsync utility that allows for Pageant or some tool to remember the key, however, it seems that the only choice I have is to use a key with no passphrase.

I was looking for ways to mitigate the reduction in security by having a keyfile but no password. I saw a post somewhere where someone had suggested editing the rsa_pub file to restrict access by domain to increase security (http://superuser.com/questions/22904...om-one-machine). Could I just use the Windows machine's internal IP address (which will be static), and if so, does this provide any meaningful increase in security, at least considering that I would not have a passphrase?

Thanks!

Last edited by ziphem; 09-02-2013 at 12:41 PM.
 
Old 09-02-2013, 12:57 PM   #2
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,331

Rep: Reputation: 357
Quote:
Originally Posted by ziphem
I would prefer not to use a keyfile with no passphrase, since, as mentioned, this backup machine is open to the internet.
The "no passphrase" part is on the private key on the WINDOWS machine, the one you said is not internet-facing. Your LINUX machine, the one that is accepting incoming ssh connections and also faces the internet, has zero knowledge of whether the incoming ssh connection originated from a machine with a passphrase-protected key or an unprotected key. Your LINUX machine is just as secure either way. Your potential exposure is if someone hacks into the WINDOWS machine and steals the unprotected key, then uses that to access your LINUX machine.
 
Old 09-02-2013, 03:27 PM   #3
ziphem
Member
 
Registered: Feb 2004
Location: US / EU
Distribution: Fedora 31
Posts: 225

Original Poster
Rep: Reputation: 29
I guess I figured if the Windows machine got hacked and the keyfile stolen, I'd be out of luck. If it would be closed to the internet, then I wouldn't be as concerned, though that's probably not all that logical because a breach could happen through the Windows machine. Nevertheless, what about increasing security through restricting IP access with that keyfile?

Thanks!
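
Added example, not part of the thread: the per-key source restriction asked about above is the `from="pattern-list"` option OpenSSH reads from the server's `authorized_keys` file, and this Python audit reports which keys carry it and whether a given client address would pass. The addresses, key blobs and wrapper path are constructed placeholders; the parser is simplified (address patterns only, lowercase option names, no escaped quotes).

```python
import fnmatch
import ipaddress

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key type names

def parse_line(line):
    """Return (options, key_type) for one stripped authorized_keys line."""
    if line.startswith(KEY_TYPES):
        return {}, line.split()[0]
    opts, cur, quoted, end = [], "", False, len(line)
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted          # quotes protect commas and spaces
        elif ch in ", " and not quoted:
            opts.append(cur)
            cur = ""
            if ch == " ":                # first unquoted space ends the options
                end = i
                break
        else:
            cur += ch
    return dict(o.partition("=")[::2] for o in opts), (line[end:].split() or [""])[0]

def source_allowed(patterns, client_ip):
    """from= semantics: a negated (!) match rejects; else one match is needed."""
    addr, ok = ipaddress.ip_address(client_ip), False
    for pat in patterns.split(","):
        neg, pat = pat.startswith("!"), pat.lstrip("!")
        hit = (addr in ipaddress.ip_network(pat, strict=False) if "/" in pat
               else fnmatch.fnmatchcase(client_ip, pat))
        if hit and neg:
            return False
        ok = ok or hit
    return ok

def audit(text, client_ip):
    """Return (key_type, has_from, accepted_from_client_ip) per key line."""
    out = []
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            opts, ktype = parse_line(line)
            src = opts.get("from")
            out.append((ktype, src is not None, src is None or source_allowed(src, client_ip)))
    return out

SAMPLE = '''# constructed sample; key blobs and the command path are placeholders
from="192.168.1.50",command="/usr/local/bin/backup-wrapper push,verify",no-pty ssh-ed25519 AAAAPLACEHOLDER1 backup@winbox
ssh-rsa AAAAPLACEHOLDER2 admin@laptop
from="10.0.0.0/8,!10.0.0.66" ssh-ed25519 AAAAPLACEHOLDER3 ops
'''
```

Calling `audit(SAMPLE, "203.0.113.9")` shows the point for an internet-facing server: only the key without `from=` is still accepted from an outside address.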
 
  

