Managing SSH Keys [Case 60035]

[fkatzenb]

Originally started this thread, but it is dead and caused confusion.
http://forums.cpanel.net/showthread.php?t=145597

The suggestion is to provide additional options within the Manage SSH Keys feature. I want to manage my configuration file and to manage options within my authorized keys.

For maximum security, I ensure my keys are passphrase protected. However, scripts do not have the ability to enter passphrase. This means I need to have a single purpose key that is not passphrase protected. What I have opt'ed to do is edit the authorized_keys file to say From="192.168.1.123,192.168.1.124" before the ssh-dss to only allow that key to be used from those IPs. The problem lies in the fact that the key no longer displays properly in WHM, I can't add that option in WHM, and any changes to keys from WHM breaks this.

It would also be ideal to allow us to edit the .ssh/config file from within WHM. This allows you to setup an alias for those connections in your scripts that specify odd port numbers, the IP addresses, and the key to use.

Thanks,
Frank

[fkatzenb]

Bump for more suggestions and/or visibility

[cPanelDon]

Bump for more suggestions and/or visibility

Please refrain from bumping a thread for the sole purpose of bumping a thread without offering a substantive contribution. I believe it will be more constructive to take time to consider a more thoughtful and unique post that helps further the discussion. I recommend to consider adding new information or additional reasoning, such as comparing different perspectives of the potential benefits or advantages, security-related or otherwise, that may help garner more interest and persuade others to vote for your feature request.

I personally think your feature request is an excellent idea and I am sure that in due course more people will reply to vote or share additional comments and suggestions.

[fkatzenb]

Please refrain from bumping a thread for the sole purpose of bumping a thread without offering a substantive contribution. I believe it will be more constructive to take time to consider a more thoughtful and unique post that helps further the discussion. I recommend to consider adding new information or additional reasoning, such as comparing different perspectives of the potential benefits or advantages, security-related or otherwise, that may help garner more interest and persuade others to vote for your feature request.

I personally think your feature request is an excellent idea and I am sure that in due course more people will reply to vote or share additional comments and suggestions.

Thanks Don.

I decided to provide a more comprehensive list of things that would make managing keys and hosts significantly easier. I think option boxes within each place you generate the key that would allow you to specify the following:

Code:

     from="pattern-list"
     command="command"
     environment="NAME=value"
     no-port-forwarding
     no-X11-forwarding
     no-agent-forwarding
     no-pty
     permitopen="host:port"

http://man.he.net/man5/authorized_keys

A second option either within the Manage SSH Keys or the Security Center to allow the editing of .ssh/config. This file is real simple and allows you to specify the host name, user, port, address, and key. For example:

Code:

Host server
User admin
Port 1234
HostName server.mydomain.com
IdentityFile /root/.ssh/single

This would allow you to simply "ssh server" to immediately do all the leg work for you. When coupled with the authorized_key options above, you can specify a from="1.2.3.4" and have a single purpose key that has no passphrase that you can use with automated scripts and ensure maximum security.


Thanks,
Frank

[fkatzenb]

I would like to present further reasoning for having this feature implemented and more manageable.

One of the big benefits is single purpose keys. For example, you can setup a key that is purely designed to run one script and that script contains two commands, "service mysql restart" and "exit", and has no password. This makes managing your services from say your smart phone with a SSH app a sinch. You establish a connection with this key and you are done.

[fkatzenb]

I would like to bring this subject back from the sidelines.

Thanks,
Frank

[Kent Brockman]

... This makes managing your services from say your smart phone with a SSH app a sinch. You establish a connection with this key and you are done.

+1 for this

[LeadDogGraphics]

+1 Please consider this request, as there are other reasons for needing a login without a passphrase. The additional options as outlined above sound like a good way to implement it.

[monarobase]

+1 we need both the ability to allow a user to create keys without a password and allow users to set an allowed IP list per public key.

[cPanelDavidG]

Update: I have filed an internal case with our developers regarding this situation.

[fkatzenb]

I would like to add to this suggestion please.

When creating SSH keys for root or for users, when authorized link is clicked, can we have the ability to provide an expiration date and time on it? It would probably require the implementation of some tasks on the backend to remove that authorization, but in this day and age, every bit of security feature helps.

Thanks,
Frank