Is ssh with PKI and without a password secure enough?
I have a web server setup and would like to connect to it from outside using Tor.
The web server simply serves up a simple webpage that will act as an interface for a program running on the machine.
It is not meant to be accessible by anyone else.
If I set up another computer with SSH and set to login using SSH keys to act as an SSH tunnel, is this secure enough from most attackers?
With the SSH tunnel and Tor in place, is there a reason to use SSL or is all this secure enough?
What possible attacks are still possible and how do I defend against them?
ssh
|
show 1 more comment
I have a web server setup and would like to connect to it from outside using Tor.
The web server simply serves up a simple webpage that will act as an interface for a program running on the machine.
It is not meant to be accessible by anyone else.
If I set up another computer with SSH and set to login using SSH keys to act as an SSH tunnel, is this secure enough from most attackers?
With the SSH tunnel and Tor in place, is there a reason to use SSL or is all this secure enough?
What possible attacks are still possible and how do I defend against them?
ssh
5
To verify, you mean "ssh using key-based authentication" (or some such), and NOT "ssh without a password", right? If so, it would be worth editing the title to match. I won't do so without having verified your intent, though (since to me, that subtle wording change carries a significant difference in intent and risk).
– Ethan Kaminski
7 hours ago
1
Actually, scratch that, I didn't quite read far enough (read it too quickly). Further question, for clarification: you've got an externally-accessible webpage, right? Or are you making the HTTP request on localhost (and/or another LAN address)? That's also going to be a relevant detail, moreso than the SSH itself.
– Ethan Kaminski
7 hours ago
Yup. Two machines: one with the externally-accessible webpage and another used for ssh-tunneling. Unless there's a way to have them both on just one machine.
– user942937
7 hours ago
That would be FAR safer to set up that way, yes. Let me type up an answer about that, since the current answer only seems to cover the SSH/Tor side of things, without detailing the risks of having an admin-y panel served by a webserver open to the whole internet.
– Ethan Kaminski
7 hours ago
If that automated login is only for port forwarding you can use a user which does not allow shell access. While key based authentication is very strong the key on the client side is the weakness, so limiting reach can additionally mitigate risks.
– eckes
4 hours ago
|
show 1 more comment
I have a web server setup and would like to connect to it from outside using Tor.
The web server simply serves up a simple webpage that will act as an interface for a program running on the machine.
It is not meant to be accessible by anyone else.
If I set up another computer with SSH and set to login using SSH keys to act as an SSH tunnel, is this secure enough from most attackers?
With the SSH tunnel and Tor in place, is there a reason to use SSL or is all this secure enough?
What possible attacks are still possible and how do I defend against them?
ssh
I have a web server setup and would like to connect to it from outside using Tor.
The web server simply serves up a simple webpage that will act as an interface for a program running on the machine.
It is not meant to be accessible by anyone else.
If I set up another computer with SSH and set to login using SSH keys to act as an SSH tunnel, is this secure enough from most attackers?
With the SSH tunnel and Tor in place, is there a reason to use SSL or is all this secure enough?
What possible attacks are still possible and how do I defend against them?
ssh
ssh
edited 45 mins ago
Freiheit
203110
203110
asked 11 hours ago
user942937
1099
1099
5
To verify, you mean "ssh using key-based authentication" (or some such), and NOT "ssh without a password", right? If so, it would be worth editing the title to match. I won't do so without having verified your intent, though (since to me, that subtle wording change carries a significant difference in intent and risk).
– Ethan Kaminski
7 hours ago
1
Actually, scratch that, I didn't quite read far enough (read it too quickly). Further question, for clarification: you've got an externally-accessible webpage, right? Or are you making the HTTP request on localhost (and/or another LAN address)? That's also going to be a relevant detail, moreso than the SSH itself.
– Ethan Kaminski
7 hours ago
Yup. Two machines: one with the externally-accessible webpage and another used for ssh-tunneling. Unless there's a way to have them both on just one machine.
– user942937
7 hours ago
That would be FAR safer to set up that way, yes. Let me type up an answer about that, since the current answer only seems to cover the SSH/Tor side of things, without detailing the risks of having an admin-y panel served by a webserver open to the whole internet.
– Ethan Kaminski
7 hours ago
If that automated login is only for port forwarding you can use a user which does not allow shell access. While key based authentication is very strong the key on the client side is the weakness, so limiting reach can additionally mitigate risks.
– eckes
4 hours ago
|
show 1 more comment
5
To verify, you mean "ssh using key-based authentication" (or some such), and NOT "ssh without a password", right? If so, it would be worth editing the title to match. I won't do so without having verified your intent, though (since to me, that subtle wording change carries a significant difference in intent and risk).
– Ethan Kaminski
7 hours ago
1
Actually, scratch that, I didn't quite read far enough (read it too quickly). Further question, for clarification: you've got an externally-accessible webpage, right? Or are you making the HTTP request on localhost (and/or another LAN address)? That's also going to be a relevant detail, moreso than the SSH itself.
– Ethan Kaminski
7 hours ago
Yup. Two machines: one with the externally-accessible webpage and another used for ssh-tunneling. Unless there's a way to have them both on just one machine.
– user942937
7 hours ago
That would be FAR safer to set up that way, yes. Let me type up an answer about that, since the current answer only seems to cover the SSH/Tor side of things, without detailing the risks of having an admin-y panel served by a webserver open to the whole internet.
– Ethan Kaminski
7 hours ago
If that automated login is only for port forwarding you can use a user which does not allow shell access. While key based authentication is very strong the key on the client side is the weakness, so limiting reach can additionally mitigate risks.
– eckes
4 hours ago
5
5
To verify, you mean "ssh using key-based authentication" (or some such), and NOT "ssh without a password", right? If so, it would be worth editing the title to match. I won't do so without having verified your intent, though (since to me, that subtle wording change carries a significant difference in intent and risk).
– Ethan Kaminski
7 hours ago
To verify, you mean "ssh using key-based authentication" (or some such), and NOT "ssh without a password", right? If so, it would be worth editing the title to match. I won't do so without having verified your intent, though (since to me, that subtle wording change carries a significant difference in intent and risk).
– Ethan Kaminski
7 hours ago
1
1
Actually, scratch that, I didn't quite read far enough (read it too quickly). Further question, for clarification: you've got an externally-accessible webpage, right? Or are you making the HTTP request on localhost (and/or another LAN address)? That's also going to be a relevant detail, moreso than the SSH itself.
– Ethan Kaminski
7 hours ago
Actually, scratch that, I didn't quite read far enough (read it too quickly). Further question, for clarification: you've got an externally-accessible webpage, right? Or are you making the HTTP request on localhost (and/or another LAN address)? That's also going to be a relevant detail, moreso than the SSH itself.
– Ethan Kaminski
7 hours ago
Yup. Two machines: one with the externally-accessible webpage and another used for ssh-tunneling. Unless there's a way to have them both on just one machine.
– user942937
7 hours ago
Yup. Two machines: one with the externally-accessible webpage and another used for ssh-tunneling. Unless there's a way to have them both on just one machine.
– user942937
7 hours ago
That would be FAR safer to set up that way, yes. Let me type up an answer about that, since the current answer only seems to cover the SSH/Tor side of things, without detailing the risks of having an admin-y panel served by a webserver open to the whole internet.
– Ethan Kaminski
7 hours ago
That would be FAR safer to set up that way, yes. Let me type up an answer about that, since the current answer only seems to cover the SSH/Tor side of things, without detailing the risks of having an admin-y panel served by a webserver open to the whole internet.
– Ethan Kaminski
7 hours ago
If that automated login is only for port forwarding you can use a user which does not allow shell access. While key based authentication is very strong the key on the client side is the weakness, so limiting reach can additionally mitigate risks.
– eckes
4 hours ago
If that automated login is only for port forwarding you can use a user which does not allow shell access. While key based authentication is very strong the key on the client side is the weakness, so limiting reach can additionally mitigate risks.
– eckes
4 hours ago
|
show 1 more comment
3 Answers
3
active
oldest
votes
If you are using public key authentication for SSH, no one can log in to the server without having the corresponding private key. This is as secure, and usually more secure, than password authentication. The encryption OpenSSH provides is state of the art; there is no known way to break it. You can further improve security on the Tor side by using authorized hidden services. This will make the domain inaccessible to all but your client. Note that this only works with v2 hidden services, not the latest v3.
The only remaining attack would be a man-in-the-middle attack. You can copy over the host key from the server to your client, just like you copied a key to make public key authentication possible. This will completely mitigate man-in-the-middle attacks and the client will warn you if an attempt is detected.
See also What is the difference between authorized_keys and known_hosts file for SSH?
Hi. Thanks for answering. I'm not sure if this is unrelated, but if I'm on DHCP, how can I find out my IP address to have the machine accessible through tor? Or is static IP the (only) way to go?
– user942937
8 hours ago
@user942937 I'm not sure what you mean. Tor will do NAT holepunching automatically so as long as the server is connected to the internet, you should be fine.
– forest
8 hours ago
@user942937 If you always are going to use tor to connect to it, setup a tor hidden service on the machine, this way it gets an union domain name you can use to connect to it from the outside (without requiring static ip's or port forwarding), and since the name always stays the same, you are protected in the way the answer describes when comparing the host keys)
– Ferrybig
6 hours ago
1
It may be worth pointing out that if using public key authentication one should not forget to disable password authentication completely in order to reduce the attack surface.
– zakinster
5 hours ago
"The only remaining attack would be a man-in-the-middle attack." this can also be mitigated with DNSSSHFP
records and, maybe, if you are using certificates and not just keys with DANE and DNSTLSA
records. In both cases the zone needs to be DNSSEC enabled.
– Patrick Mevzek
16 mins ago
add a comment |
The existing answer written by forest details the security of the SSH/Tor side of things (quite secure if set up correctly), so I won't rehash that here.
I notice that you're asking mainly about client-side security ("can someone interfere with my browser?"), but I would say that server-side security ("can someone use my website/program without permission?") is also a quite important consideration when setting up a web-based program management interface.
There is potentially a very large risk to having a sensitive webpage open to the whole internet, so you really DO need to use some sort of security measure on the webserver side - it could be a Tor authorized hidden service, as forest describes, or some other method of securing the site against random hackers.
Hypothetical scenario: suppose that you had a webserver running on HTTP (as it's not clear if you're using Tor for hidden services or as a form of proxy software). Let's say you've got /index.php
on there with a link to /my_program_interface.php
, and for "safety's" sake, let's also put that on port 8080, with no domain name, but other than that, you allow it to accept connections from anyone. Well, if anyone ever finds out that you've got a webserver there (and with IPv4, a full network scan is feasible, so your webserver could be discovered), all they'd have to do is to type http://[your_ip_here]/index.php
into a normal off-the-shelf browser, and then they have exactly as much control over your program as you do.
In other words: don't forget that that server-side authorization checks are important, along with client-side privacy checks!
add a comment |
It depends what you mean by secure enough.
Security does not exist without a threat model, as time-travelling, mind-reading gods can defeat any system you make.
If this is a simple utility, then the chances of someone burning a 0day for ssh on your sever is minimal, since there are simply better targets, and it wouldn't be worth the time and effort.
However, if you plan on running a system to co-ordinate a giant criminal empire behind the site, you should expect that a large intellegence agency can track the tor traffic back to you box, either by using an attack on the Tor network, or by simple rubber-hose cryptography:
However, even if your system is theoretically secure enough, there is the human element: you can never be 100% sure that you have set it up correctly, and so it may be trivial to hack.
A very important rule for security is to expect that your system will be broken at some point. A large part of the design of a secure system is making sure that when it is broken, it doesn't cause too much damage. To that end, I would suggest something like a docker image, so that you can easily scrub it if it does get broken into.
If the actual cryptography behind ssh was broken, you should be more worried about collecting canned goods, as an economic collapse would occur that would make the Great Depression look like the Slightly Sad, as any secure web traffic could be decrypted with a simple MitM (passwords, server certificates, bank details, etc.), and massive botnets of hacked servers would assault any and all internet-facing servers, effectively killing the information age, and turning the internet into a battleground.
New contributor
Shell shock didnt cause a new age great depression did it?
– user6858980
2 hours ago
@user6858980 That's because shell shock only targeted one program, bash, which is rarely publicly reachable. Even if someone found a bug in apache or nginx that gave arbitrary code execution as root (the worst feasible case), the level of sandboxing on most big websites would keep it safe, and it would be patched. This is in stark contrast to the very concept of public-key encryption being wrong, which would be as unpatchable as1 + 1 = 2
– Cyclic3
1 hour ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200792%2fis-ssh-with-pki-and-without-a-password-secure-enough%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
If you are using public key authentication for SSH, no one can log in to the server without having the corresponding private key. This is as secure, and usually more secure, than password authentication. The encryption OpenSSH provides is state of the art; there is no known way to break it. You can further improve security on the Tor side by using authorized hidden services. This will make the domain inaccessible to all but your client. Note that this only works with v2 hidden services, not the latest v3.
The only remaining attack would be a man-in-the-middle attack. You can copy over the host key from the server to your client, just like you copied a key to make public key authentication possible. This will completely mitigate man-in-the-middle attacks and the client will warn you if an attempt is detected.
See also What is the difference between authorized_keys and known_hosts file for SSH?
Hi. Thanks for answering. I'm not sure if this is unrelated, but if I'm on DHCP, how can I find out my IP address to have the machine accessible through tor? Or is static IP the (only) way to go?
– user942937
8 hours ago
@user942937 I'm not sure what you mean. Tor will do NAT holepunching automatically so as long as the server is connected to the internet, you should be fine.
– forest
8 hours ago
@user942937 If you always are going to use tor to connect to it, setup a tor hidden service on the machine, this way it gets an union domain name you can use to connect to it from the outside (without requiring static ip's or port forwarding), and since the name always stays the same, you are protected in the way the answer describes when comparing the host keys)
– Ferrybig
6 hours ago
1
It may be worth pointing out that if using public key authentication one should not forget to disable password authentication completely in order to reduce the attack surface.
– zakinster
5 hours ago
"The only remaining attack would be a man-in-the-middle attack." this can also be mitigated with DNSSSHFP
records and, maybe, if you are using certificates and not just keys with DANE and DNSTLSA
records. In both cases the zone needs to be DNSSEC enabled.
– Patrick Mevzek
16 mins ago
add a comment |
If you are using public key authentication for SSH, no one can log in to the server without having the corresponding private key. This is as secure, and usually more secure, than password authentication. The encryption OpenSSH provides is state of the art; there is no known way to break it. You can further improve security on the Tor side by using authorized hidden services. This will make the domain inaccessible to all but your client. Note that this only works with v2 hidden services, not the latest v3.
The only remaining attack would be a man-in-the-middle attack. You can copy over the host key from the server to your client, just like you copied a key to make public key authentication possible. This will completely mitigate man-in-the-middle attacks and the client will warn you if an attempt is detected.
See also What is the difference between authorized_keys and known_hosts file for SSH?
Hi. Thanks for answering. I'm not sure if this is unrelated, but if I'm on DHCP, how can I find out my IP address to have the machine accessible through tor? Or is static IP the (only) way to go?
– user942937
8 hours ago
@user942937 I'm not sure what you mean. Tor will do NAT holepunching automatically so as long as the server is connected to the internet, you should be fine.
– forest
8 hours ago
@user942937 If you always are going to use tor to connect to it, setup a tor hidden service on the machine, this way it gets an union domain name you can use to connect to it from the outside (without requiring static ip's or port forwarding), and since the name always stays the same, you are protected in the way the answer describes when comparing the host keys)
– Ferrybig
6 hours ago
1
It may be worth pointing out that if using public key authentication one should not forget to disable password authentication completely in order to reduce the attack surface.
– zakinster
5 hours ago
"The only remaining attack would be a man-in-the-middle attack." this can also be mitigated with DNSSSHFP
records and, maybe, if you are using certificates and not just keys with DANE and DNSTLSA
records. In both cases the zone needs to be DNSSEC enabled.
– Patrick Mevzek
16 mins ago
add a comment |
If you are using public key authentication for SSH, no one can log in to the server without having the corresponding private key. This is as secure, and usually more secure, than password authentication. The encryption OpenSSH provides is state of the art; there is no known way to break it. You can further improve security on the Tor side by using authorized hidden services. This will make the domain inaccessible to all but your client. Note that this only works with v2 hidden services, not the latest v3.
The only remaining attack would be a man-in-the-middle attack. You can copy over the host key from the server to your client, just like you copied a key to make public key authentication possible. This will completely mitigate man-in-the-middle attacks and the client will warn you if an attempt is detected.
See also What is the difference between authorized_keys and known_hosts file for SSH?
If you are using public key authentication for SSH, no one can log in to the server without having the corresponding private key. This is as secure, and usually more secure, than password authentication. The encryption OpenSSH provides is state of the art; there is no known way to break it. You can further improve security on the Tor side by using authorized hidden services. This will make the domain inaccessible to all but your client. Note that this only works with v2 hidden services, not the latest v3.
The only remaining attack would be a man-in-the-middle attack. You can copy over the host key from the server to your client, just like you copied a key to make public key authentication possible. This will completely mitigate man-in-the-middle attacks and the client will warn you if an attempt is detected.
See also What is the difference between authorized_keys and known_hosts file for SSH?
edited 8 hours ago
answered 9 hours ago
forest
32.5k15105111
32.5k15105111
Hi. Thanks for answering. I'm not sure if this is unrelated, but if I'm on DHCP, how can I find out my IP address to have the machine accessible through tor? Or is static IP the (only) way to go?
– user942937
8 hours ago
@user942937 I'm not sure what you mean. Tor will do NAT holepunching automatically so as long as the server is connected to the internet, you should be fine.
– forest
8 hours ago
@user942937 If you always are going to use tor to connect to it, setup a tor hidden service on the machine, this way it gets an union domain name you can use to connect to it from the outside (without requiring static ip's or port forwarding), and since the name always stays the same, you are protected in the way the answer describes when comparing the host keys)
– Ferrybig
6 hours ago
1
It may be worth pointing out that if using public key authentication one should not forget to disable password authentication completely in order to reduce the attack surface.
– zakinster
5 hours ago
"The only remaining attack would be a man-in-the-middle attack." this can also be mitigated with DNSSSHFP
records and, maybe, if you are using certificates and not just keys with DANE and DNSTLSA
records. In both cases the zone needs to be DNSSEC enabled.
– Patrick Mevzek
16 mins ago
add a comment |
Hi. Thanks for answering. I'm not sure if this is unrelated, but if I'm on DHCP, how can I find out my IP address to have the machine accessible through tor? Or is static IP the (only) way to go?
– user942937
8 hours ago
@user942937 I'm not sure what you mean. Tor will do NAT holepunching automatically so as long as the server is connected to the internet, you should be fine.
– forest
8 hours ago
@user942937 If you always are going to use tor to connect to it, setup a tor hidden service on the machine, this way it gets an union domain name you can use to connect to it from the outside (without requiring static ip's or port forwarding), and since the name always stays the same, you are protected in the way the answer describes when comparing the host keys)
– Ferrybig
6 hours ago
1
It may be worth pointing out that if using public key authentication one should not forget to disable password authentication completely in order to reduce the attack surface.
– zakinster
5 hours ago
"The only remaining attack would be a man-in-the-middle attack." this can also be mitigated with DNSSSHFP
records and, maybe, if you are using certificates and not just keys with DANE and DNSTLSA
records. In both cases the zone needs to be DNSSEC enabled.
– Patrick Mevzek
16 mins ago
Hi. Thanks for answering. I'm not sure if this is unrelated, but if I'm on DHCP, how can I find out my IP address to have the machine accessible through tor? Or is static IP the (only) way to go?
– user942937
8 hours ago
Hi. Thanks for answering. I'm not sure if this is unrelated, but if I'm on DHCP, how can I find out my IP address to have the machine accessible through tor? Or is static IP the (only) way to go?
– user942937
8 hours ago
@user942937 I'm not sure what you mean. Tor will do NAT holepunching automatically so as long as the server is connected to the internet, you should be fine.
– forest
8 hours ago
@user942937 I'm not sure what you mean. Tor will do NAT holepunching automatically so as long as the server is connected to the internet, you should be fine.
– forest
8 hours ago
@user942937 If you always are going to use tor to connect to it, setup a tor hidden service on the machine, this way it gets an union domain name you can use to connect to it from the outside (without requiring static ip's or port forwarding), and since the name always stays the same, you are protected in the way the answer describes when comparing the host keys)
– Ferrybig
6 hours ago
@user942937 If you always are going to use tor to connect to it, setup a tor hidden service on the machine, this way it gets an union domain name you can use to connect to it from the outside (without requiring static ip's or port forwarding), and since the name always stays the same, you are protected in the way the answer describes when comparing the host keys)
– Ferrybig
6 hours ago
1
1
It may be worth pointing out that if using public key authentication one should not forget to disable password authentication completely in order to reduce the attack surface.
– zakinster
5 hours ago
It may be worth pointing out that if using public key authentication one should not forget to disable password authentication completely in order to reduce the attack surface.
– zakinster
5 hours ago
"The only remaining attack would be a man-in-the-middle attack." this can also be mitigated with DNS
SSHFP
records and, maybe, if you are using certificates and not just keys with DANE and DNS TLSA
records. In both cases the zone needs to be DNSSEC enabled.– Patrick Mevzek
16 mins ago
"The only remaining attack would be a man-in-the-middle attack." this can also be mitigated with DNS
SSHFP
records and, maybe, if you are using certificates and not just keys with DANE and DNS TLSA
records. In both cases the zone needs to be DNSSEC enabled.– Patrick Mevzek
16 mins ago
add a comment |
The existing answer written by forest details the security of the SSH/Tor side of things (quite secure if set up correctly), so I won't rehash that here.
I notice that you're asking mainly about client-side security ("can someone interfere with my browser?"), but I would say that server-side security ("can someone use my website/program without permission?") is also a quite important consideration when setting up a web-based program management interface.
There is potentially a very large risk to having a sensitive webpage open to the whole internet, so you really DO need to use some sort of security measure on the webserver side - it could be a Tor authorized hidden service, as forest describes, or some other method of securing the site against random hackers.
Hypothetical scenario: suppose that you had a webserver running on HTTP (as it's not clear if you're using Tor for hidden services or as a form of proxy software). Let's say you've got /index.php
on there with a link to /my_program_interface.php
, and for "safety's" sake, let's also put that on port 8080, with no domain name, but other than that, you allow it to accept connections from anyone. Well, if anyone ever finds out that you've got a webserver there (and with IPv4, a full network scan is feasible, so your webserver could be discovered), all they'd have to do is to type http://[your_ip_here]/index.php
into a normal off-the-shelf browser, and then they have exactly as much control over your program as you do.
In other words: don't forget that that server-side authorization checks are important, along with client-side privacy checks!
add a comment |
The existing answer written by forest details the security of the SSH/Tor side of things (quite secure if set up correctly), so I won't rehash that here.
I notice that you're asking mainly about client-side security ("can someone interfere with my browser?"), but I would say that server-side security ("can someone use my website/program without permission?") is also a quite important consideration when setting up a web-based program management interface.
There is potentially a very large risk to having a sensitive webpage open to the whole internet, so you really DO need to use some sort of security measure on the webserver side - it could be a Tor authorized hidden service, as forest describes, or some other method of securing the site against random hackers.
Hypothetical scenario: suppose that you had a webserver running on HTTP (as it's not clear if you're using Tor for hidden services or as a form of proxy software). Let's say you've got /index.php
on there with a link to /my_program_interface.php
, and for "safety's" sake, let's also put that on port 8080, with no domain name, but other than that, you allow it to accept connections from anyone. Well, if anyone ever finds out that you've got a webserver there (and with IPv4, a full network scan is feasible, so your webserver could be discovered), all they'd have to do is to type http://[your_ip_here]/index.php
into a normal off-the-shelf browser, and then they have exactly as much control over your program as you do.
In other words: don't forget that that server-side authorization checks are important, along with client-side privacy checks!
add a comment |
The existing answer written by forest details the security of the SSH/Tor side of things (quite secure if set up correctly), so I won't rehash that here.
I notice that you're asking mainly about client-side security ("can someone interfere with my browser?"), but I would say that server-side security ("can someone use my website/program without permission?") is also a quite important consideration when setting up a web-based program management interface.
There is potentially a very large risk to having a sensitive webpage open to the whole internet, so you really DO need to use some sort of security measure on the webserver side - it could be a Tor authorized hidden service, as forest describes, or some other method of securing the site against random hackers.
Hypothetical scenario: suppose that you had a webserver running on HTTP (as it's not clear if you're using Tor for hidden services or as a form of proxy software). Let's say you've got /index.php
on there with a link to /my_program_interface.php
, and for "safety's" sake, let's also put that on port 8080, with no domain name, but other than that, you allow it to accept connections from anyone. Well, if anyone ever finds out that you've got a webserver there (and with IPv4, a full network scan is feasible, so your webserver could be discovered), all they'd have to do is to type http://[your_ip_here]/index.php
into a normal off-the-shelf browser, and then they have exactly as much control over your program as you do.
In other words: don't forget that that server-side authorization checks are important, along with client-side privacy checks!
The existing answer written by forest details the security of the SSH/Tor side of things (quite secure if set up correctly), so I won't rehash that here.
I notice that you're asking mainly about client-side security ("can someone interfere with my browser?"), but I would say that server-side security ("can someone use my website/program without permission?") is also a quite important consideration when setting up a web-based program management interface.
There is potentially a very large risk to having a sensitive webpage open to the whole internet, so you really DO need to use some sort of security measure on the webserver side - it could be a Tor authorized hidden service, as forest describes, or some other method of securing the site against random hackers.
Hypothetical scenario: suppose that you had a webserver running on HTTP (as it's not clear if you're using Tor for hidden services or as a form of proxy software). Let's say you've got /index.php
on there with a link to /my_program_interface.php
, and for "safety's" sake, let's also put that on port 8080, with no domain name, but other than that, you allow it to accept connections from anyone. Well, if anyone ever finds out that you've got a webserver there (and with IPv4, a full network scan is feasible, so your webserver could be discovered), all they'd have to do is to type http://[your_ip_here]/index.php
into a normal off-the-shelf browser, and then they have exactly as much control over your program as you do.
In other words: don't forget that that server-side authorization checks are important, along with client-side privacy checks!
answered 6 hours ago
Ethan Kaminski
2,7461819
2,7461819
add a comment |
add a comment |
It depends what you mean by secure enough.
Security does not exist without a threat model, as time-travelling, mind-reading gods can defeat any system you make.
If this is a simple utility, then the chances of someone burning a 0day for ssh on your sever is minimal, since there are simply better targets, and it wouldn't be worth the time and effort.
However, if you plan on running a system to co-ordinate a giant criminal empire behind the site, you should expect that a large intellegence agency can track the tor traffic back to you box, either by using an attack on the Tor network, or by simple rubber-hose cryptography:
However, even if your system is theoretically secure enough, there is the human element: you can never be 100% sure that you have set it up correctly, and so it may be trivial to hack.
A very important rule for security is to expect that your system will be broken at some point. A large part of the design of a secure system is making sure that when it is broken, it doesn't cause too much damage. To that end, I would suggest something like a docker image, so that you can easily scrub it if it does get broken into.
If the actual cryptography behind ssh was broken, you should be more worried about collecting canned goods, as an economic collapse would occur that would make the Great Depression look like the Slightly Sad, as any secure web traffic could be decrypted with a simple MitM (passwords, server certificates, bank details, etc.), and massive botnets of hacked servers would assault any and all internet-facing servers, effectively killing the information age, and turning the internet into a battleground.
New contributor
Shell shock didnt cause a new age great depression did it?
– user6858980
2 hours ago
@user6858980 That's because shell shock only targeted one program, bash, which is rarely publicly reachable. Even if someone found a bug in apache or nginx that gave arbitrary code execution as root (the worst feasible case), the level of sandboxing on most big websites would keep it safe, and it would be patched. This is in stark contrast to the very concept of public-key encryption being wrong, which would be as unpatchable as1 + 1 = 2
– Cyclic3
1 hour ago
add a comment |
It depends what you mean by secure enough.
Security does not exist without a threat model, as time-travelling, mind-reading gods can defeat any system you make.
If this is a simple utility, then the chances of someone burning a 0day for ssh on your sever is minimal, since there are simply better targets, and it wouldn't be worth the time and effort.
However, if you plan on running a system to co-ordinate a giant criminal empire behind the site, you should expect that a large intellegence agency can track the tor traffic back to you box, either by using an attack on the Tor network, or by simple rubber-hose cryptography:
However, even if your system is theoretically secure enough, there is the human element: you can never be 100% sure that you have set it up correctly, and so it may be trivial to hack.
A very important rule for security is to expect that your system will be broken at some point. A large part of the design of a secure system is making sure that when it is broken, it doesn't cause too much damage. To that end, I would suggest something like a docker image, so that you can easily scrub it if it does get broken into.
If the actual cryptography behind ssh was broken, you should be more worried about collecting canned goods, as an economic collapse would occur that would make the Great Depression look like the Slightly Sad, as any secure web traffic could be decrypted with a simple MitM (passwords, server certificates, bank details, etc.), and massive botnets of hacked servers would assault any and all internet-facing servers, effectively killing the information age, and turning the internet into a battleground.
New contributor
Shell shock didnt cause a new age great depression did it?
– user6858980
2 hours ago
@user6858980 That's because shell shock only targeted one program, bash, which is rarely publicly reachable. Even if someone found a bug in apache or nginx that gave arbitrary code execution as root (the worst feasible case), the level of sandboxing on most big websites would keep it safe, and it would be patched. This is in stark contrast to the very concept of public-key encryption being wrong, which would be as unpatchable as1 + 1 = 2
– Cyclic3
1 hour ago
add a comment |
It depends what you mean by secure enough.
Security does not exist without a threat model, as time-travelling, mind-reading gods can defeat any system you make.
If this is a simple utility, then the chances of someone burning a 0day for ssh on your sever is minimal, since there are simply better targets, and it wouldn't be worth the time and effort.
However, if you plan on running a system to co-ordinate a giant criminal empire behind the site, you should expect that a large intellegence agency can track the tor traffic back to you box, either by using an attack on the Tor network, or by simple rubber-hose cryptography:
However, even if your system is theoretically secure enough, there is the human element: you can never be 100% sure that you have set it up correctly, and so it may be trivial to hack.
A very important rule for security is to expect that your system will be broken at some point. A large part of the design of a secure system is making sure that when it is broken, it doesn't cause too much damage. To that end, I would suggest something like a docker image, so that you can easily scrub it if it does get broken into.
If the actual cryptography behind ssh was broken, you should be more worried about collecting canned goods, as an economic collapse would occur that would make the Great Depression look like the Slightly Sad, as any secure web traffic could be decrypted with a simple MitM (passwords, server certificates, bank details, etc.), and massive botnets of hacked servers would assault any and all internet-facing servers, effectively killing the information age, and turning the internet into a battleground.
New contributor
It depends what you mean by secure enough.
Security does not exist without a threat model, as time-travelling, mind-reading gods can defeat any system you make.
If this is a simple utility, then the chances of someone burning a 0day for ssh on your sever is minimal, since there are simply better targets, and it wouldn't be worth the time and effort.
However, if you plan on running a system to co-ordinate a giant criminal empire behind the site, you should expect that a large intellegence agency can track the tor traffic back to you box, either by using an attack on the Tor network, or by simple rubber-hose cryptography:
However, even if your system is theoretically secure enough, there is the human element: you can never be 100% sure that you have set it up correctly, and so it may be trivial to hack.
A very important rule for security is to expect that your system will be broken at some point. A large part of the design of a secure system is making sure that when it is broken, it doesn't cause too much damage. To that end, I would suggest something like a docker image, so that you can easily scrub it if it does get broken into.
If the actual cryptography behind ssh was broken, you should be more worried about collecting canned goods, as an economic collapse would occur that would make the Great Depression look like the Slightly Sad, as any secure web traffic could be decrypted with a simple MitM (passwords, server certificates, bank details, etc.), and massive botnets of hacked servers would assault any and all internet-facing servers, effectively killing the information age, and turning the internet into a battleground.
New contributor
New contributor
answered 7 hours ago
Cyclic3
1313
1313
New contributor
New contributor
Shell shock didnt cause a new age great depression did it?
– user6858980
2 hours ago
@user6858980 That's because shell shock only targeted one program, bash, which is rarely publicly reachable. Even if someone found a bug in apache or nginx that gave arbitrary code execution as root (the worst feasible case), the level of sandboxing on most big websites would keep it safe, and it would be patched. This is in stark contrast to the very concept of public-key encryption being wrong, which would be as unpatchable as1 + 1 = 2
– Cyclic3
1 hour ago
add a comment |
Shell shock didnt cause a new age great depression did it?
– user6858980
2 hours ago
@user6858980 That's because shell shock only targeted one program, bash, which is rarely publicly reachable. Even if someone found a bug in apache or nginx that gave arbitrary code execution as root (the worst feasible case), the level of sandboxing on most big websites would keep it safe, and it would be patched. This is in stark contrast to the very concept of public-key encryption being wrong, which would be as unpatchable as1 + 1 = 2
– Cyclic3
1 hour ago
Shell shock didnt cause a new age great depression did it?
– user6858980
2 hours ago
Shell shock didnt cause a new age great depression did it?
– user6858980
2 hours ago
@user6858980 That's because shell shock only targeted one program, bash, which is rarely publicly reachable. Even if someone found a bug in apache or nginx that gave arbitrary code execution as root (the worst feasible case), the level of sandboxing on most big websites would keep it safe, and it would be patched. This is in stark contrast to the very concept of public-key encryption being wrong, which would be as unpatchable as
1 + 1 = 2
– Cyclic3
1 hour ago
@user6858980 That's because shell shock only targeted one program, bash, which is rarely publicly reachable. Even if someone found a bug in apache or nginx that gave arbitrary code execution as root (the worst feasible case), the level of sandboxing on most big websites would keep it safe, and it would be patched. This is in stark contrast to the very concept of public-key encryption being wrong, which would be as unpatchable as
1 + 1 = 2
– Cyclic3
1 hour ago
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200792%2fis-ssh-with-pki-and-without-a-password-secure-enough%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
5
To verify, you mean "ssh using key-based authentication" (or some such), and NOT "ssh without a password", right? If so, it would be worth editing the title to match. I won't do so without having verified your intent, though (since to me, that subtle wording change carries a significant difference in intent and risk).
– Ethan Kaminski
7 hours ago
1
Actually, scratch that, I didn't quite read far enough (read it too quickly). Further question, for clarification: you've got an externally-accessible webpage, right? Or are you making the HTTP request on localhost (and/or another LAN address)? That's also going to be a relevant detail, moreso than the SSH itself.
– Ethan Kaminski
7 hours ago
Yup. Two machines: one with the externally-accessible webpage and another used for ssh-tunneling. Unless there's a way to have them both on just one machine.
– user942937
7 hours ago
That would be FAR safer to set up that way, yes. Let me type up an answer about that, since the current answer only seems to cover the SSH/Tor side of things, without detailing the risks of having an admin-y panel served by a webserver open to the whole internet.
– Ethan Kaminski
7 hours ago
If that automated login is only for port forwarding you can use a user which does not allow shell access. While key based authentication is very strong the key on the client side is the weakness, so limiting reach can additionally mitigate risks.
– eckes
4 hours ago