LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-10-2018, 01:48 AM   #1
chickenjoy
Member
 
Registered: Apr 2007
Distribution: centos,rhel, solaris
Posts: 238

Rep: Reputation: 30
can i share my private key to clients who want to connect to my server?


I have the following set up:

1. server1 with sftp users: client1_user and client2_user
2. client1
3. client2

I have asked both client1 and client2 owners to generate and send me their public keys. I will add their ssh keys in their respective local user account on server1 .ssh/authorized

i have disabled password authentication and only allow key based.

they will login by passing their private key. this works as intended.

but what if they cannot create a key pair. Can i generate 2 key pair from any machine (even windows) and place the public into the authorized file (on server1) and email them the private keys? Is there any security related problems if I do this?
 
Old 07-10-2018, 04:38 AM   #2
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,638

Rep: Reputation: 434Reputation: 434Reputation: 434Reputation: 434Reputation: 434
Quote:
Originally Posted by chickenjoy View Post
Can i generate 2 key pair from any machine (even windows) and place the public into the authorized file (on server1) and email them the private keys?
Yes.
Quote:
Is there any security related problems if I do this?
Only the risk of the key falling into "other" hands (f.e. yours, or anyone with access to the email etc).
More secure delivery of the key could be arranged (usb on a carrier pigeon or such) - probably depends if you're running a nuclear launch facility or a cat vid archive.
 
1 members found this post helpful.
Old 07-10-2018, 05:13 AM   #3
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,521
Blog Entries: 3

Rep: Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567
Quote:
Originally Posted by chickenjoy View Post
but what if they cannot create a key pair.
Out of curiosity, why can't they generate a key pair?

Quote:
Originally Posted by chickenjoy View Post
Can i generate 2 key pair from any machine (even windows) and place the public into the authorized file (on server1) and email them the private keys? Is there any security related problems if I do this?
Mail in transit is often scanned for authentication information like passwords or keys. I can't say how probable it is that your mails will go past such a scanner but it is possible. Scans are automatic. So when they hit, they hit quickly.

It's work but it is really worth the effort to have one key pair per user-server combination. As to getting the keys to the users with dud systems, I can think of several options:

If you can encrypt the mails containing the private keys, then that would be one option.

Another would be to use a real passphrase and contact the recipient out of band with the passphrase for the key.

Another option would be to give them one key, or better an SSH certificate, with an expiry date and then have them log in and download their real key. After that you can delete the temporary public key from their authorized_keys file. However, only recent versions of the OpenSSH server support expiry-date for the keys. Old ones can do the certs though.
 
1 members found this post helpful.
Old 07-10-2018, 09:25 AM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,342
Blog Entries: 36

Rep: Reputation: Disabled
On my network, I generate the access keys.
I don't trust users to do it securely or correctly.

https://www.ssh.com/ssh/keygen/#sec-...Authentication
 
Old 07-10-2018, 09:44 AM   #5
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,521
Blog Entries: 3

Rep: Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567
Quote:
Originally Posted by Habitual View Post
On my network, I generate the access keys.
I don't trust users to do it securely or correctly.
How do you actually get the right private keys on to the right client machines inside the right client user accounts?
 
Old 07-10-2018, 11:25 AM   #6
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,342
Blog Entries: 36

Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
How do you actually get the right private keys on to the right client machines inside the right client user accounts?
I send it to them in a secure manner (usually compressed w\archive password) and as stated, out-of-band.
User key management is not my problem.

what usually follows is a parade of "what is a client-server relationship", how to "use" an ssh client, etc...
 
Old 07-11-2018, 01:56 AM   #7
chickenjoy
Member
 
Registered: Apr 2007
Distribution: centos,rhel, solaris
Posts: 238

Original Poster
Rep: Reputation: 30
thanks to all especially to descendant_command and Turbocapitalist
 
Old 07-11-2018, 03:21 AM   #8
chickenjoy
Member
 
Registered: Apr 2007
Distribution: centos,rhel, solaris
Posts: 238

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Habitual View Post
On my network, I generate the access keys.
I don't trust users to do it securely or correctly.

https://www.ssh.com/ssh/keygen/#sec-...Authentication
Ok if i generate a key pair from windows; my private key has this one line at the end "Private-MAC:". Does this mean that i can only use this private key from the same MAC address it was generated from? or can i give this private key to a linux machine and they will be able to use it?
 
Old 07-11-2018, 05:38 AM   #9
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,186

Rep: Reputation: 1037Reputation: 1037Reputation: 1037Reputation: 1037Reputation: 1037Reputation: 1037Reputation: 1037Reputation: 1037
Whenever I have to send a password to a user I do that using WhatsApp. It has not happened yet that I had to send a private key, but I would use WhatsApp as well.

I agree that mail in transit is vulnerable, I simply do not use it for passwords. But is WhatsApp safe for that matter? It is said it is end-to-end encrypted that is why I trust it.

As I understand only NSA picks up WhatsApp, probably descrypts it. And then hackers get access to NSA, I know. But it sounds safer than e-mail. Safe enough?

jlinkels
 
Old 07-11-2018, 09:13 AM   #10
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,342
Blog Entries: 36

Rep: Reputation: Disabled
Quote:
Originally Posted by chickenjoy View Post
Ok if i generate a key pair from windows; my private key has this one line at the end "Private-MAC:". Does this mean that i can only use this private key from the same MAC address it was generated from? or can i give this private key to a linux machine and they will be able to use it?
Putty?

Private keys should never be "given out". See https://www.ssh.com/ssh/key/
and https://www.ssh.com/ssh/public-key-a...he-Private-Key
and https://www.linuxquestions.org/linux...ation_with_ssh

key.pub contents in correct ~/location on the "server" (as in "client-server", or the host the <user> needs a connection to)
Matching Private key in ~/.ssh/ for the <user> on their "client" machine.

No idea for "Private-MAC" since we have no actionable data like what OS/platform made the thing and what utility that may involve. I've seen it and I believe openssh-server v6.6 (possibly) complained about the "Private-MAC" element (but did allow me to connect), so I removed that element of the output, as I have other layers to inhibit access to my servers.
"Private-MAC" is on some of my putty ssh keys that I had to "import" on putty to use as a key.ppk that putty requires.

See also Best Practice: ”separate ssh-key per host and user“ vs. ”one ssh-key for all hosts“
and
https://www.networkworld.com/article...-software.html

Last edited by Habitual; 07-11-2018 at 09:23 AM.
 
1 members found this post helpful.
Old 07-11-2018, 09:32 AM   #11
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,521
Blog Entries: 3

Rep: Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567
That is an interesting discussion. Down in the section with no upvotes, "Here are a few additional considerations", it brings up the point about a potential problem with using multiple keys and an agent. What happens with multiple keys in an agent is when trying to connect, the agent will respond with its keys in more or less random order and if you hit the failed login limit before hitting the right key, you can't get in.

That is easily fixed by using IdentitiesOnly and IdentityFile in the ~/.ssh/config file for the respective remote hosts.

One should be using the ~/.ssh/config file regularly anyway. See "man ssh_config" for all the options. But because the rules get applied as the are found in the file, the rules go in order of more specific to more general. So the most specific rules go first and the most general ones go at the end of the file.
 
Old 07-11-2018, 09:45 AM   #12
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,521
Blog Entries: 3

Rep: Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567Reputation: 1567
Quote:
Originally Posted by Habitual View Post
The meat and potatoes of that one is unfortunately in a bitmapped image which may or may not get noticed properly. Unfortunately, the source document NISTIR 7966: Security of Interactive and Automated Access Management Using Secure Shell (SSH) is a PDF so that is also of limited accessibility. However, it is very good to read through the whole document despite it being about 50 pages of content.

Some of the recommendations though make assumptions about scale and are really best implemented in organizations above a certain size. Others are good regardless.

Unfortunately on networks where Windows units are allowed, there are problems following best practices or remaining in any way secure. That seems to be one of the issues here.
 
Old 07-11-2018, 06:51 PM   #13
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,387

Rep: Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553
Quote:
Originally Posted by chickenjoy View Post
Ok if i generate a key pair from windows; my private key has this one line at the end "Private-MAC:". Does this mean that i can only use this private key from the same MAC address it was generated from? or can i give this private key to a linux machine and they will be able to use it?
MAC here stands for Message authentication code. I can't find it in the putty docs, but the source says:

https://git.tartarus.org/?p=simon/pu...3;hb=HEAD#l433
Code:
* Finally, there is a line saying "Private-MAC: " plus a hex
* representation of a HMAC-SHA-1 of:
*
*    string  name of algorithm ("ssh-dss", "ssh-rsa")
*    string  encryption type
*    string  comment
*    string  public-blob
*    string  private-plaintext (the plaintext version of the
*                               private part, including the final
*                               padding)
[...]
 
2 members found this post helpful.
Old 07-12-2018, 01:12 AM   #14
chickenjoy
Member
 
Registered: Apr 2007
Distribution: centos,rhel, solaris
Posts: 238

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by ntubski View Post
MAC here stands for Message authentication code. I can't find it in the putty docs, but the source says:

https://git.tartarus.org/?p=simon/pu...3;hb=HEAD#l433
Code:
* Finally, there is a line saying "Private-MAC: " plus a hex
* representation of a HMAC-SHA-1 of:
*
*    string  name of algorithm ("ssh-dss", "ssh-rsa")
*    string  encryption type
*    string  comment
*    string  public-blob
*    string  private-plaintext (the plaintext version of the
*                               private part, including the final
*                               padding)
[...]
thank you for your time finding out for me. Really appreciate it. Man are they running our of unique acronyms or what.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Generating private key on server to download and access from any machine Raakh5 Linux - Newbie 2 05-19-2015 02:45 PM
[SOLVED] Share SSH public/private key pair among all my systems? Z038 Linux - Security 2 06-06-2013 08:03 PM
SSH with passwordless public/private key not working on another account on server infocom Linux - Server 14 12-27-2010 06:09 AM
Importing private key from key server ManiDhillon Linux - General 2 07-09-2010 07:56 PM
pam_ssh searching private key on a LDAP server caveden Linux - Security 2 10-06-2009 09:16 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:28 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration