Comments on the 'Security Threat' hint
Security Threat
Authored by: mschiller on Apr 21, '04 12:33:06PM

I assume it goes without saying that having passwords saved in potentially clear text [even a compiled AppleScript is likely not to be safe, since the username and password can probably be seen in a hex editor] on your computer is a bad idea....

Instead of using a username/password you'd be better off using a public/private key pair with SSH. It's pretty trivial to set up and, if it's done right, if your laptop gets stolen it's trivial to remove the compromised key from the Linux server.

Just Google for an SSH keygen help page such as

http://www.phy.bnl.gov/computing/gateway/ssh-agent.html


On the other hand, a compromised password, if you're like most people, could mean needing to change MANY passwords...

[Yeah, yeah, your Linux server should have a unique password....]

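
A worked example of the revocation step described above, added here and not part of the thread: a small POSIX shell routine that drops one public key from a server-side authorized_keys file by its key blob, plus a constructed three-entry file to run it against. The key blobs are made-up placeholders, the file names and the laptop/desktop/backup comments are assumptions, and the ssh-keygen lines in the comments show the laptop-side setup without being executed.

```shell
#!/bin/sh
# Added example, not code from the thread: revoke one public key from a
# server's ~/.ssh/authorized_keys once the laptop holding the private key
# is gone. File names and key blobs below are constructed placeholders.

# Laptop-side setup, shown for context only (not run here):
#   ssh-keygen -t rsa -b 4096 -C laptop         # key pair in ~/.ssh/id_rsa{,.pub}
#   cat ~/.ssh/id_rsa.pub | ssh user@server 'cat >> ~/.ssh/authorized_keys'

# make_sample_keys FILE: write a constructed authorized_keys with three
# entries, one of them carrying an options prefix as real files often do.
make_sample_keys() {
    cat > "$1" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEdesktop desktop
command="/usr/bin/rsync --server",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLElaptop laptop
ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLEbackup backup
EOF
    chmod 600 "$1"
}

# count_keys FILE: number of non-blank, non-comment entries.
count_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# revoke_key FILE BLOB: remove every entry whose base64 key blob equals BLOB.
# The blob is the field right after the key-type token (ssh-rsa, ssh-dss,
# ssh-ed25519, ecdsa-sha2-*), wherever that token sits, so entries with an
# options prefix are handled. Matching on the blob rather than the comment
# matters because comments are free text and may be missing or duplicated.
# The rewrite goes through a temp file and keeps mode 0600, so the file
# never becomes group/world-writable (sshd rejects such a file under the
# default StrictModes).
revoke_key() {
    file=$1
    blob=$2
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v b="$blob" '
        {
            keep = 1
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-)/ && $(i + 1) == b) keep = 0
            if (keep) print
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# Stand-alone demonstration against the constructed file.
demo() {
    f=$(mktemp)
    make_sample_keys "$f"
    echo "before: $(count_keys "$f") keys"
    revoke_key "$f" AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLElaptop
    echo "after:  $(count_keys "$f") keys"
    cat "$f"
    rm -f "$f"
}
demo
```

Revocation works because sshd consults authorized_keys at each authentication, so the next login attempt with the stolen key fails; sessions the thief already established stay open until you kill them. To find which line belongs to the laptop when the comment is ambiguous, recent OpenSSH prints one fingerprint per entry with `ssh-keygen -lf ~/.ssh/authorized_keys`, which you can compare against a backup copy of the public key.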
Security Threat
Authored by: bluehz on Apr 21, '04 01:46:26PM

Yes pub/priv key is definitely the way to go...
Look for SSHLogin at MacUpdate. It will allow you to tie your SSH keys into your Keychain.... When you unlock your Keychain (for example, when you log in) it also authorizes the SSH keys. You will never have to enter another login/password again from your Mac to Linux as long as you are logged in on the OS X box. This is how I do it from my Mac to my Slack (Linux) box.

SSHLogin
Authored by: chris_on_hints on Apr 21, '04 04:24:48PM
Just looked for SSHLogin on VersionTracker and it seems like it has vanished... The website is gone... (see VersionTracker). Shame, because it sounded good!

SSHLogin
Authored by: bluehz on Apr 22, '04 01:52:00AM

Hmmm, SSHLogin has disappeared... Supposedly either of these two items will do the same thing. I have not tried them, though:

http://www.sshkeychain.org/
http://www.codefab.com/unsupported/SSHPassKey_v1.1-1-README.html

Another option (store password in keychain)
Authored by: sjonke on Apr 21, '04 02:38:16PM
This AppleScript code will retrieve a password from the Keychain:

	-- Look up the keychain item named "Some Password" in the default keychain
	-- and pull out its account name and password.
	tell application "Keychain Scripting"
		tell keychain 1
			-- prompts for the keychain password only if the keychain is locked
			unlock
			set theKey to first key whose name is "Some Password"
			set theUsername to (account of theKey) as string
			set thePassword to (password of theKey) as string
		end tell
	end tell

Use the Keychain Access application to create a new password with the name you chose ("Some Password" in the example). The "unlock" command will request your keychain password if the keychain is locked. If the keychain is already locked it won't ask.

---
--- What?

Security Threat
Authored by: kholburn on Apr 21, '04 06:29:33PM

I use SSHKeychain. It keeps ssh-agent key passwords in the Keychain and turns them off if the screen saver is on. (Look for it on VersionTracker.)

Security Threat
Authored by: gustou on Apr 21, '04 06:41:45PM

Don't forget that any root on a machine you're connected to has access to all the boxes you can log on to without a password.

Security Threat
Authored by: David on Apr 22, '04 09:32:51AM

Well, root can become you and then get in that way. But the root user can't directly contact your host and get in using your public/private key.

But yeah, if you don't trust your admin, don't store ANYTHING you don't want him to see on the computer he runs.

Security Threat
Authored by: gustou on Apr 22, '04 10:12:09AM

To explain what I want to say a little more, let's take a simple scenario.

I own a laptop. I am the only root in this computer. All my pub/priv keys are securely stored in this computer.

But I am in a company and I often ssh to other computers. So I use ssh-agent.

Then if I ssh to a computer B, any root user on B can use my agent (even without getting the pub/priv key pair) and ssh to any computer that I usually use, without being asked for a password.

In other words, don't access a computer whose admins are "untrusted".

If I'm not clear, please don't hesitate to drop me a line :)

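
The hazard gustou describes, with a check for it, as an added example that is not part of the thread. With agent forwarding on, the ssh session on computer B creates a Unix socket (SSH_AUTH_SOCK) that relays signing requests back to the agent on the laptop; root on B can point its own SSH_AUTH_SOCK at that socket and log in as you anywhere the key is accepted, without ever reading the private key. The defence is to forward only to hosts whose root you trust. The shell below writes two constructed ~/.ssh/config fragments (the risky one and the corrected one; the hostnames are made up) and an awk-based audit that lists every Host block enabling ForwardAgent. ssh uses the first value it obtains for an option, so a `Host *` block that turns forwarding on near the top of the file wins over any later `no`.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an OpenSSH client config
# for agent forwarding and show the risky vs. corrected form. Hostnames
# and file paths are constructed for this example.

# write_risky_config FILE: the pattern that exposes your agent to root on
# every host you touch.
write_risky_config() {
    cat > "$1" <<'EOF'
# constructed: forwards the agent to every host
Host *
    ForwardAgent yes
    ServerAliveInterval 60
EOF
}

# write_hardened_config FILE: forward only to one trusted host; the
# catch-all block at the end turns it off everywhere else. Order matters:
# ssh uses the first value it obtains for an option, so the specific
# block must come before "Host *".
write_hardened_config() {
    cat > "$1" <<'EOF'
# constructed: agent forwarding only where root is trusted
Host bastion.example.com
    ForwardAgent yes

Host *
    ForwardAgent no
EOF
}

# audit_forward_agent FILE: print the Host patterns of every block that
# sets ForwardAgent yes (no output means nothing forwards).
# Handles "Keyword value" and "Keyword=value", comments and blank lines;
# Match blocks are not interpreted (assumption: Host blocks only).
audit_forward_agent() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        index($1, "=") { split($1, kv, "="); $1 = kv[1]; $2 = kv[2] }
        tolower($1) == "host" {
            hosts = $2
            for (i = 3; i <= NF; i++) hosts = hosts " " $i
            next
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            print (hosts == "" ? "(global, before any Host)" : hosts)
        }
    ' "$1"
}

# Stand-alone demonstration.
demo() {
    f=$(mktemp)
    write_risky_config "$f"
    echo "risky config forwards to:    $(audit_forward_agent "$f")"
    write_hardened_config "$f"
    echo "hardened config forwards to: $(audit_forward_agent "$f")"
    rm -f "$f"
}
demo
```

On the laptop side, current OpenSSH lets you load the key with `ssh-add -c` so the agent asks for confirmation (through an askpass program) before each use, which makes a borrowed connection visible even where forwarding is on, and `ssh -o ForwardAgent=no host` overrides the config for a single session. On the server side, the administrator's counterpart is `AllowAgentForwarding no` in sshd_config.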