Re: [owl-users] Setting up putty to use ssh keys to login to Owl

From: Solar Designer <solar_at_private>
Date: Sat, 7 Aug 2010 06:42:00 +0400
Robert,

On Fri, Aug 06, 2010 at 05:23:44PM -0400, Robert Harris wrote:
> I'm willing to provide instructions for the wiki or something, if you are
> interested in this.  (I'd need to clean the instructions up a little.)

You may create this wiki page:

http://openwall.info/wiki/Owl/ssh

What you describe is not exactly Owl-specific (it'd be the same for any
other Unix-like system with OpenSSH), yet it is OK to have such kinds of
info on the wiki as well.

We also have a relevant wiki page here:

http://openwall.info/wiki/internal/ssh

but this one talks about Openwall team's conventions, so it is not one
you should modify.  You may link to it from yours, though.

> The main trick I learned was that I had to convert the open ssh private key
> generated by owl, into a format that putty understood.

We usually do it the other way around: a user who happens to be on
Windows sends us their PuTTY-generated SSH public key, and we convert it
to a format understood by OpenSSH with:

ssh-keygen -if putty-key > .ssh/authorized_keys

right under the target account we've set up for the person.

This way, the private key exists only on the system where it should be -
on the user's computer - and it never travels over a network.

With your approach, you had to copy the private key from the Owl server,
and you might have put the key at risk (of leakage) when doing so
(depends on how you did it).  Additionally, if the same keypair is then
reused to access other servers, which is typical for SSH keypairs, then
those other servers would be at unjustified risk.  That's because if
your key-generating server ever gets compromised, the intruder could be
able to steal a copy of the private key (or its "remnants" somewhere in
"free" disk space if the file is removed) and use that to login to other
servers where the corresponding public key is also deployed.

So SSH key generation is generally better done on the client system.

I understand that you're merely experimenting with this for now, so the
risks are not real for you.  I just wanted to point out what the proper
approach is when this is done "for real".

Thanks,

Alexander
Received on Fri Aug 06 2010 - 19:42:00 PDT
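The server-side step above (`ssh-keygen -if putty-key > .ssh/authorized_keys`) is simple enough that it is worth seeing what it actually does. The following is an added example, not code from the thread or from Owl: it parses the RFC 4716 file PuTTYgen's "Save public key" button writes, pulls the key type out of the base64 blob (RFC 4716 does not carry the type in a header, which is why a decode is required), emits the one-line form sshd reads, and installs it under a `.ssh` directory with the modes sshd's `StrictModes` expects. The key blob and the comment `robert@winbox` are constructed, not a real key. Unlike the `>` redirection in the message, which is fine for a freshly created account, the install function appends and skips keys already present.

```python
"""
RFC 4716 -> OpenSSH authorized_keys conversion, the server-side step done
with `ssh-keygen -i` in the message above.  Added example, not code from the
thread; the key blob and the comment "robert@winbox" are constructed.
"""
import base64
import os
import re
import stat
import struct
import tempfile
from pathlib import Path

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: an ed25519 blob around a dummy 32-byte key (not a real key).
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(SAMPLE_PUBKEY)
SAMPLE_BLOB_B64 = base64.b64encode(SAMPLE_BLOB).decode()

# The file PuTTYgen's "Save public key" button writes: RFC 4716, base64
# wrapped at 64 columns, a Comment header instead of a trailing comment.
SAMPLE_RFC4716 = "\n".join(
    [BEGIN, 'Comment: "robert@winbox"']
    + [SAMPLE_BLOB_B64[i:i + 64] for i in range(0, len(SAMPLE_BLOB_B64), 64)]
    + [END, ""]
)


def key_type_from_blob(blob: bytes) -> str:
    """The key type ("ssh-rsa", "ssh-ed25519", ...) is the first string in the
    blob; RFC 4716 has no header for it, so a converter must decode the blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or len(blob) < 4 + n:
        raise ValueError("bad key-type length in blob")
    ktype = blob[4:4 + n].decode("ascii", errors="strict")
    if not re.fullmatch(r"[A-Za-z0-9@.\-]+", ktype):
        raise ValueError("implausible key type %r" % ktype)
    return ktype


def rfc4716_to_openssh(text: str) -> str:
    """Return the one-line '<type> <base64> <comment>' form sshd reads."""
    lines = [l.rstrip("\r") for l in text.splitlines()]
    if not lines or lines[0] != BEGIN or END not in lines:
        raise ValueError("not an RFC 4716 public key")
    body = lines[1:lines.index(END)]
    comment, i = "", 0
    # Headers are 'Name: value' lines (base64 never contains ':');
    # a trailing backslash continues a header on the next line.
    while i < len(body) and ":" in body[i]:
        line = body[i]
        while line.endswith("\\") and i + 1 < len(body):
            i += 1
            line = line[:-1] + body[i]
        name, _, value = line.partition(":")
        if name.strip().lower() == "comment":
            # Keep only printable chars: the comment lands in authorized_keys,
            # so nothing in it may start a new line or field.
            comment = "".join(c for c in value.strip().strip('"') if c.isprintable())
        i += 1
    blob = base64.b64decode("".join(l.strip() for l in body[i:]), validate=True)
    canon = base64.b64encode(blob).decode()
    return ("%s %s %s" % (key_type_from_blob(blob), canon, comment)).rstrip()


def install_authorized_key(line: str, ssh_dir: Path) -> bool:
    """Append one key line under ssh_dir with the modes sshd's StrictModes
    expects (dir 0700, file 0600).  Returns False if that key is already there."""
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    ak = ssh_dir / "authorized_keys"
    existing = ak.read_text().splitlines() if ak.exists() else []
    blob_b64 = line.split()[1]
    # Compare on the blob token so an existing line with options (from="...") still matches.
    if any(blob_b64 in l.split() for l in existing):
        return False
    with open(ak, "a") as f:
        f.write(line + "\n")
    os.chmod(ak, 0o600)
    return True


def demo_install():
    """Convert the sample and install it twice in a scratch dir; report what happened."""
    line = rfc4716_to_openssh(SAMPLE_RFC4716)
    with tempfile.TemporaryDirectory() as d:
        ssh_dir = Path(d) / ".ssh"
        first = install_authorized_key(line, ssh_dir)
        second = install_authorized_key(line, ssh_dir)
        ak = ssh_dir / "authorized_keys"
        modes = (stat.S_IMODE(ak.stat().st_mode), stat.S_IMODE(ssh_dir.stat().st_mode))
        content = ak.read_text()
    return first, second, modes, content


if __name__ == "__main__":
    print(rfc4716_to_openssh(SAMPLE_RFC4716))
    print(demo_install())
```

Run it on a real PuTTYgen file by passing its contents to `rfc4716_to_openssh()` and the result to `install_authorized_key()` under the target account's home; with `ssh-keygen` available, `ssh-keygen -if` on the same file should produce the identical line, which is a useful cross-check before trusting either. The permission setting matters in practice: with `StrictModes` on (the default), sshd silently ignores an `authorized_keys` file that is group- or world-writable, so a key that "doesn't work" is often just a mode problem.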
