Friday Reminder: Web Site Security

This is your helpful Friday reminder to always pay close attention to
the security settings of all of the web sites under your administration.
Otherwise, anonymous skript kiddiez could show up at any moment and
deface one or more of your web sites. (It happens a lot.)

Just this week, I have seen an (unconfirmed) report that there is an organized
effort that's abusing SSH keys that lack passphrases - if they pwn a system and
find one, they go surfing it as far as they can.

And yes, I know that automated systems can't use passphrases... so remember to
check to see if you can use 'force-command=' in the known hosts file so that the
key can only issue one command. (Yes, this means that if the automation host has
to do a dozen different things, it needs a dozen keypairs. Security is always tradeoffs.)

'ssh-keygen -H' also helps control things.

You may have missed the schadenfreude in Ronald's post.

Give it a rest Ronald. You won.

Bill Herrin

Big plus 1 to Bill’s point.

No need for trade-offs here; you can have a `command=` (it's not
`force-command=`) wrapper script that validates the command that was sent
(via `$SSH_ORIGINAL_COMMAND`) and does an `exec` if it's on the "approved"
list. One key, many commands, any command you don't allow gets blocked.

- Matt
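
The wrapper approach Matt describes, sketched as an added example (not code from any poster in this thread). The script path, the `authorized_keys` entry, the allowlist entries and the `backup-status` tool are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: forced-command wrapper for one automation key.
# Hypothetical authorized_keys entry (path and key are placeholders):
#   restrict,command="/usr/local/bin/ssh-allow.sh" ssh-ed25519 AAAA...placeholder automation
# sshd runs this script instead of the client's request and passes the
# request text in $SSH_ORIGINAL_COMMAND.

# Print the fixed command line for an approved request; return 1 otherwise.
# Quoted case patterns match the whole string literally, so "uptime; id"
# or "df -h /etc" do not match anything.
approved_command() {
    case "$1" in
        "uptime")        echo "/usr/bin/uptime" ;;
        "df -h")         echo "/bin/df -h" ;;
        "backup-status") echo "/usr/local/bin/backup-status --brief" ;;  # hypothetical tool
        *)               return 1 ;;
    esac
}

main() {
    request="${SSH_ORIGINAL_COMMAND:-}"   # empty when the client asked for a shell
    if target=$(approved_command "$request"); then
        logger -t ssh-allow "allowed: $request"
        set -f          # no globbing while splitting our own fixed string
        # Only the allowlist's string is executed; client text is never run.
        exec $target
    fi
    logger -t ssh-allow "denied: $request"
    echo "command not permitted" >&2
    exit 1
}

# sshd sets SSH_CONNECTION for every session; run only in that context.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```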