Robert,

On Fri, Aug 06, 2010 at 05:23:44PM -0400, Robert Harris wrote:
> I'm willing to provide instructions for the wiki or something, if you are
> interested in this. (I'd need to clean the instructions up a little.)

You may create this wiki page:

http://openwall.info/wiki/Owl/ssh

What you describe is not exactly Owl-specific (it'd be the same for any other Unix-like system with OpenSSH), yet it is OK to have such kinds of info on the wiki as well.

We also have a relevant wiki page here:

http://openwall.info/wiki/internal/ssh

but this one talks about the Openwall team's conventions, so it is not one you should modify. You may link to it from yours, though.

> The main trick I learned was that I had to convert the open ssh private key
> generated by owl, into a format that putty understood.

We usually do it the other way around: a user who happens to be on Windows sends us their PuTTY-generated SSH public key, and we convert it to a format understood by OpenSSH with:

ssh-keygen -if putty-key > .ssh/authorized_keys

right under the target account we've set up for the person. This way, the private key exists only on the system where it should be - on the user's computer - and it never travels over a network.

With your approach, you had to copy the private key from the Owl server, and you might have put the key at risk (of leakage) when doing so (depends on how you did it). Additionally, if the same keypair is then reused to access other servers, which is typical for SSH keypairs, then those other servers would be at unjustified risk. That's because if your key-generating server ever gets compromised, the intruder could be able to steal a copy of the private key (or its "remnants" somewhere in "free" disk space if the file is removed) and use that to log in to other servers where the corresponding public key is also deployed. So SSH key generation is generally better done on the client system.

I understand that you're merely experimenting with this for now, so the risks are not real for you. I just wanted to point out what the proper approach is when this is done "for real".

Thanks,

Alexander

Received on Fri Aug 06 2010 - 19:42:00 PDT
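The public-key conversion step described above (what `ssh-keygen -i` does with a PuTTYgen-saved "SSH2 PUBLIC KEY" file), as an added illustration that is not part of the original message or of Owl: it parses the RFC 4716 format, checks that the embedded key type is one we expect, and emits the single-line OpenSSH authorized_keys entry. The sample key blob and the comment `user@windows-box` are constructed, not real keys.

```python
import base64
import struct
import textwrap

# Key types we are willing to accept into authorized_keys; anything else is rejected.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b

def make_rfc4716(blob: bytes, comment: str) -> str:
    """Build an RFC 4716 ('SSH2 PUBLIC KEY') file, the format PuTTYgen saves."""
    b64 = base64.b64encode(blob).decode("ascii")
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"']
                     + textwrap.wrap(b64, 40) + ["---- END SSH2 PUBLIC KEY ----", ""])

def rfc4716_to_authorized_keys(text: str) -> str:
    """Convert an RFC 4716 public key to a one-line OpenSSH authorized_keys entry,
    refusing input whose decoded blob is not a known public-key type."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key file")
    comment, body, i = "", [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:            # header line, e.g. Comment: "..."
            name, _, value = line.partition(":")
            while value.endswith("\\"):         # RFC 4716 header continuation
                i += 1
                value = value[:-1] + lines[i]
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:                                   # base64 body line
            body.append(line.strip())
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])        # first wire string is the key type
    keytype = blob[4:4 + n].decode("ascii", errors="replace")
    if keytype not in ALLOWED_TYPES:
        raise ValueError(f"unsupported or malformed key type: {keytype!r}")
    return " ".join([keytype, base64.b64encode(blob).decode("ascii"), comment]).rstrip()

# Constructed sample: a synthetic 32-byte "public key", not a real key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_RFC4716 = make_rfc4716(SAMPLE_BLOB, "user@windows-box")

if __name__ == "__main__":
    print(rfc4716_to_authorized_keys(SAMPLE_RFC4716))
```

The resulting line is what gets appended to `.ssh/authorized_keys` on the target account; the private key never leaves the user's machine.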
This archive was generated by hypermail 2.2.0 : Fri Aug 06 2010 - 19:42:20 PDT