
Persistent Pageant?

post #1 of 8
Thread Starter 
So I'm sure we all know what Pageant does; for those who don't, it's a tool to be used with PuTTY in Windows to automatically enter the passphrase for your key when you SSH.

The main issue is that it stores all its data in memory, not in a secured database or something else. So when you reboot, everything's gone and you have to re-enter all the passphrases for your keys. Is there an equivalent that is stateful (remembers values persistently)?

I'm aware some would say it's a security risk to store these values permanently, but that's a matter of opinion. I think as long as the database is encrypted well it's not an issue. I believe on Mac OS X you can store them in the Keychain?

PS: Please no suggestions to create keys without a passphrase, I've already thought of that :)

Thanks.
post #2 of 8
Thread Starter 
I'm sure this will help a lot of people, anyone?
post #3 of 8
Quote:
Originally Posted by dushan24

So I'm sure we all know what Pageant does; for those who don't, it's a tool to be used with PuTTY in Windows to automatically enter the passphrase for your key when you SSH.
The main issue is that it stores all its data in memory, not in a secured database or something else. So when you reboot, everything's gone and you have to re-enter all the passphrases for your keys. Is there an equivalent that is stateful (remembers values persistently)?
I'm aware some would say it's a security risk to store these values permanently, but that's a matter of opinion. I think as long as the database is encrypted well it's not an issue. I believe on Mac OS X you can store them in the Keychain?
PS: Please no suggestions to create keys without a passphrase, I've already thought of that :)
Thanks.

It's not a matter of opinion - it is insecure. You might as well have passwordless keys.

But to answer your question, if it's part of PuTTY (I've not used Pageant - not even heard of it until today - but then I always SSH from Linux to Linux/Unix), then it will be open source, so you could write a simple memory loader and dumper for it. Speaking from personal experience, PuTTY's source is actually pretty nice to hack around in compared to most projects I've tinkered with.

Failing that, hibernate Windows instead of shutting down.
post #4 of 8
Thread Starter 
Quote:
Originally Posted by Plan9

It's not a matter of opinion - it is insecure. You might as well have passwordless keys.
But to answer your question, if it's part of PuTTY (I've not used Pageant - not even heard of it until today - but then I always SSH from Linux to Linux/Unix), then it will be open source, so you could write a simple memory loader and dumper for it. Speaking from personal experience, PuTTY's source is actually pretty nice to hack around in compared to most projects I've tinkered with.
Failing that, hibernate Windows instead of shutting down.

I knew someone would say that... Assuming access to the computer is secure and the mechanism for persistently storing the passphrase is well encrypted, then it is no problem; it's basically a password manager for SSH keys...

I have been hibernating the computer as a workaround.

If no one else has a pre-made solution, I might have a go at building something myself (which I'd share).

Thanks for your input nonetheless.
Edited by dushan24 - 11/8/12 at 7:24pm
post #5 of 8
Quote:
Originally Posted by dushan24

I knew someone would say that... Assuming access to the computer is secure and the mechanism for persistently storing the passphrase is well encrypted, then it is no problem; it's basically a password manager for SSH keys...

If your system is secure then passwordless keys are also secure, as it's not the password that gets transmitted over the wire - only a hashed checksum. The passphrase is only used to authenticate a private key - which should never leave the confines of the client PC (which you've already stated is secured).

And if someone does have access to your system then they can "eavesdrop" and read the passphrase as it's being transferred from the key manager to the SSH client. They could even key log user input for when you do type the passphrases in.


Really what you should have done was copy your public key onto each of the servers you wanted SSH access to - so you have 1 private key locally and several public keys (one on each server). This means you only need one passphrase to gain access to everything.

You could further harden your servers by using a white list of IPs (i.e. all incoming SSH connections are firewalled bar ones from a "white-listed" subset of IPs). This is more tricky to implement if you want access from home broadband and don't have the luxury of a static IP (you can white-list subnets on most firewalls, but it's a far from ideal solution).

While what you're asking is not unreasonable, I don't think it's the best solution. You'd be better off using intended SSH behaviours (e.g. the multiple public keys) and firewalling.
post #6 of 8
Thread Starter 
@Plan9, here are my responses.

Quote:
If your system is secure then passwordless keys are also secure, as it's not the password that gets transmitted over the wire - only a hashed checksum. The passphrase is only used to authenticate a private key - which should never leave the confines of the client PC (which you've already stated is secured).

True, I understand that the checksum is sent and not the plain text passphrase. And seeing as the computer is secure, a key with no passphrase probably is acceptable.

Quote:
And if someone does have access to your system then they can "eavesdrop" and read the passphrase as it's being transferred from the key manager to the SSH client. They could even key log user input for when you do type the passphrases in.

I know.

Quote:
Really what you should have done was copy your public key onto each of the servers you wanted SSH access to - so you have 1 private key locally and several public keys (one on each server). This means you only need one passphrase to gain access to everything.

That is actually a good idea, I never really considered that. Technically it is less secure, because if the private key was stolen multiple machines would be compromised, but the pros outweigh the cons.

Quote:
You could further harden your servers by using a white list of IPs (i.e. all incoming SSH connections are firewalled bar ones from a "white-listed" subset of IPs). This is more tricky to implement if you want access from home broadband and don't have the luxury of a static IP (you can white-list subnets on most firewalls, but it's a far from ideal solution).

That would be difficult considering I have a dynamic IP; I could lock it down to the subnet my ISP uses though. I could also use a bouncer off one of my VPSs, but that has other issues associated with it.

Quote:
While what you're asking is not unreasonable, I don't think it's the best solution. You'd be better off using intended SSH behaviours (e.g. the multiple public keys) and firewalling.

Thanks again for your input, hope to hear from others too...
Edited by dushan24 - 11/10/12 at 1:32am
post #7 of 8
Quote:
Originally Posted by dushan24

That is actually a good idea, I never really considered that. Technically it is less secure, because if the private key was stolen multiple machines would be compromised, but the pros outweigh the cons.

While you're right that it is technically less secure, I don't think it really works out that way in practice.

Assuming all your private keys are stored in the same file system hierarchy (e.g. same sub-directories or a meaningfully named tree: c:\private keys\server1, c:\private keys\server2, etc.), then if anyone did gain access to your machine, they'd steal the entire hierarchy rather than individual keys.

Same goes if your keys are hidden in nonsensical locations but with default file extensions: a simple file search would highlight every key (and if I was an attacker and found one private key, I'd be sure to do a search for similar extensions just in case more were hidden away).

So while you're right that having one private key does widen the scope for damage should it be stolen, I'd be surprised if any attacker only managed to gain one key rather than the whole lot.
Quote:
Originally Posted by dushan24

That would be difficult considering I have a dynamic IP; I could lock it down to the subnet my ISP uses though. I could also use a bouncer off one of my VPSs, but that has other issues associated with it.

Do you not have some kind of VPN solution for your farm? I don't know the kind of set-up you're running, so I apologise if this isn't possible, but best practice would be to have SSH disabled on any outside-facing servers and a single VPN solution which you connect to and can then tunnel your SSH traffic via.

If VPN isn't practical, then you could cheat and have whitelist firewalling on all but one or two lower priority boxes, and you can SSH into those with SSH agent forwarding (I think PuTTY needs a bit of tweaking to get this working properly) then SSH from those boxes into the more critical and thus hardened firewalled boxes. (I hope that makes sense?)

VPN would probably be easier in the long run though because I seem to recall that PuTTY doesn't always do key agent forwarding properly - but you might have better success with that than I did.
post #8 of 8
Thread Starter 
Quote:
Assuming all your private keys are stored in the same file system hierarchy (e.g. same sub-directories or a meaningfully named tree: c:\private keys\server1, c:\private keys\server2, etc.), then if anyone did gain access to your machine, they'd steal the entire hierarchy rather than individual keys. Same goes if your keys are hidden in nonsensical locations but with default file extensions: a simple file search would highlight every key (and if I was an attacker and found one private key, I'd be sure to do a search for similar extensions just in case more were hidden away). So while you're right that having one private key does widen the scope for damage should it be stolen, I'd be surprised if any attacker only managed to gain one key rather than the whole lot.

They're not all in the same place and they don't have the default extensions; the file names are meaningful to me, but not to an attacker. But you make a valid point nonetheless.

Quote:
Do you not have some kind of VPN solution for your farm? I don't know the kind of set-up you're running, so I apologise if this isn't possible, but best practice would be to have SSH disabled on any outside-facing servers and a single VPN solution which you connect to and can then tunnel your SSH traffic via.

This is just a collection of virtual servers; this is my personal setup. At work we have a very elaborate infrastructure (and some sexy hardware), but it's all Windows :(

Quote:
If VPN isn't practical, then you could cheat and have whitelist firewalling on all but one or two lower priority boxes, and you can SSH into those with SSH agent forwarding (I think PuTTY needs a bit of tweaking to get this working properly) then SSH from those boxes into the more critical and thus hardened firewalled boxes. (I hope that makes sense?)

Haha, makes perfect sense. I was actually doing this for a while, but with Windows and Remote Desktop within a Remote Desktop.
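Posts #7 and #8 turn on whether private keys can be found by file extension, and the thread as a whole on whether a key is protected by a passphrase at all. As an added example (not code from the thread, PuTTY or OpenSSH), here is a defender-side audit of one's own key store that recognises PuTTY .ppk, legacy PEM and OpenSSH-format private keys by content rather than by name and reports which were saved without a passphrase. All sample key texts are constructed in the block; the OpenSSH sample populates only the header fields the check reads.

```python
import base64
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample: header of a PuTTY .ppk file saved without a passphrase
# (PuTTY writes "Encryption: none" in that case, "aes256-cbc" otherwise).
PPK_NO_PASSPHRASE = (
    "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: constructed\n"
    "Public-Lines: 1\nAAAA\nPrivate-Lines: 1\nAAAA\nPrivate-MAC: 00\n"
)

# Constructed sample: legacy PEM key, encrypted (signalled by the Proc-Type header).
PEM_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"
)

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def openssh_key_text(cipher: bytes) -> str:
    """Constructed minimal OpenSSH-format key: magic, ciphername, kdfname,
    kdfoptions, key count. Real files carry key material after this header."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (b"openssh-key-v1\0" + ssh_string(cipher) + ssh_string(kdf)
            + ssh_string(b"") + struct.pack(">I", 1))
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

def classify_key(text: str) -> Optional[Tuple[str, bool]]:
    """Return (format, passphrase_protected) for a file's contents, or None if it
    is not a recognised private key. Detection is by content, not extension."""
    lines = text.splitlines()
    if not lines:
        return None
    if lines[0].startswith("PuTTY-User-Key-File-"):
        enc = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("Encryption:")), "none")
        return ("ppk", enc != "none")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        if not blob.startswith(b"openssh-key-v1\0"):
            return None
        (cipher_len,) = struct.unpack(">I", blob[15:19])   # ciphername follows the magic
        return ("openssh", blob[19:19 + cipher_len] != b"none")
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----"):
        return ("pem", any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines))
    return None

def unprotected_keys(files: Dict[str, str]) -> List[str]:
    """Names of files that are private keys stored without a passphrase."""
    return sorted(name for name, text in files.items()
                  if (info := classify_key(text)) is not None and not info[1])

# Constructed key store with deliberately non-default file names.
SAMPLES = {"backup.dat": PPK_NO_PASSPHRASE, "notes.txt": openssh_key_text(b"none"),
           "server1": openssh_key_text(b"aes256-ctr"), "old.pem": PEM_ENCRYPTED, "readme": "not a key\n"}
```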