Warn if ssh password authentication is enabled #12

Open
opened 2018-09-16 08:42:34 +00:00 by coolaj86 · 0 comments
Owner

In addition to #10

There are reasonable ways to see if the current running ssh supports password authentication (requires shelling out).

If it's on, then suggest the updates to the `sshd_config` (including turning off at least three keys - something to do with Password, Challenge, and PAM, but I don't recall exactly off the top of my head).

We should be able to create a script that makes the appropriate change and then ask the user to run it with elevated privileges (again, probably just shelling out to `sudo ${THIS_NODE_PATH} fix-ssh.js ${VALUE_IF_NEEDED}`).

This should also call `ssh-keygen` (or better yet, figure out how to replicate it in node - probably very similar to PEMs, just a different comment header and maybe a different style of base64 encoding, IIRC).

What this might look like:

```
~/telebit ssh auto
'ssh' allows insecure password authentication.
Would you like to secure it to use keys only? [Y/n]
Your public key is located at {id_rsa_pub_path}:
{id_rsa_pub_contents}
Telebit will make your public key available to other devices that request it.
Do you have telebit installed on any other devices you'd like to allow?
Domain (ex jon.telebit.io): 
Could not retrieve key from jon.telebit.io, is it turned on? Try again? [Y/n]
Added public key for jon.telebit.io to `~/.ssh/authorized_keys`.
```

We want to make both the accessible device and the client device as easy as possible.

We don't currently have an API for fetching public keys, but it will be trivial to add one (we just inspect the HTTP traffic for a special `/_api/ssh@telebit.io/id_rsa.pub` resource before proxying to 3000 or loading the static server).
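
One way to do the check described in this issue, as an added example that is not code from telebit.js: parse the effective configuration printed by `sshd -T` and list the OpenSSH directives that still allow password logins. The function names and the sample output are assumptions made for illustration.

```javascript
'use strict';

// Directives that let a password, or a PAM password prompt, log a user in.
// `sshd -T` prints the effective configuration with lowercase keywords.
const PASSWORD_PATHS = {
  passwordauthentication: 'PasswordAuthentication',
  kbdinteractiveauthentication: 'KbdInteractiveAuthentication',
  challengeresponseauthentication: 'ChallengeResponseAuthentication', // older name
};

// Assumption: `sshd` is on PATH and the caller is root (sshd -T reads host keys).
function readEffectiveConfig() {
  return require('child_process').execFileSync('sshd', ['-T'], { encoding: 'utf8' });
}

// Parse "keyword value" lines; the first value seen for a keyword wins.
function parseEffectiveConfig(text) {
  const cfg = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const m = /^(\S+)\s+(.*)$/.exec(raw.trim());
    if (!m || m[1].startsWith('#')) continue;
    const key = m[1].toLowerCase();
    if (!cfg.has(key)) cfg.set(key, m[2].trim().toLowerCase());
  }
  return cfg;
}

// Report which directives must be set to "no" for key-only logins.
function auditPasswordAuth(text) {
  const cfg = parseEffectiveConfig(text);
  // Fail closed: sshd -T always prints this keyword, so its absence means bad input.
  if (!cfg.has('passwordauthentication')) throw new Error('not `sshd -T` output');
  const setToNo = Object.keys(PASSWORD_PATHS)
    .filter((key) => cfg.get(key) === 'yes')
    .map((key) => PASSWORD_PATHS[key]);
  const kbd = setToNo.some((name) => name !== 'PasswordAuthentication');
  // With UsePAM on, keyboard-interactive is the path PAM uses to ask for a password.
  return { secure: setToNo.length === 0, setToNo, pamPasswordPrompt: kbd && cfg.get('usepam') === 'yes' };
}

// Constructed sample of `sshd -T` output, not captured from a real host.
const SAMPLE = ['port 22', 'usepam yes', 'pubkeyauthentication yes',
  'passwordauthentication yes', 'kbdinteractiveauthentication no'].join('\n');

console.log(auditPasswordAuth(SAMPLE));
```

Settings inside `Match` blocks can differ from the global result; `sshd -T -C user=NAME,host=HOST,addr=ADDR` prints the configuration that applies to one connection.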

Reference: coolaj86/telebit.js#12