
Security issue with ssh keys

Posted: Thu Jan 28, 2016 11:35 pm
by paulr
3 issues listed below... The first is the security issue.

ISSUE 1: Your private key *should* be password protected. But this app *requires* that you save the passphrase *with* the private key (if you leave the passphrase blank, the connection never succeeds). That is poor security practice.

What should happen is that you should be required to enter the passphrase for the private key when you first try to use it, then the app should remember it for the session only. It should *never* save the passphrase or the unencrypted private key (which it is doing right now).

ISSUE 2: If you create a new key in the Key Manager, then select it and choose “Email”, a mail dialog appears. At that point, your Bluetooth keyboard gets disabled! (You need to hit the “+” button and choose an email from your contacts.)

ISSUE 3: In the Key Manager, the RSA keys created are only 1024 bits, and there is no option to increase that. 1024 bits hasn’t been a recommended key size since the 90s. Current recommendations (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf - see page 12) are 2048-3072 bits.

Instructions for creating longer private keys:
If you want to create longer keys, you can’t do it inside the app. And since the app only supports des3 for key encryption, you need to use openssl rather than ssh-keygen. The following command will do it:
Code:
openssl genrsa -des3 -out privatekey 4096

“privatekey” is the file that you need to copy to your iPad, save to the clipboard and then import into Remoter.

Then you need to extract the public key to add to ~/.ssh/authorized_hosts on your server:
Code:
ssh-keygen -y -f privatekey > privatekey.pub
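
Added example (not part of the original post, and not Remoter's code): a Python check for the two files produced by the commands above, reporting whether the private key is passphrase-protected at rest and whether the RSA modulus meets a 2048-bit minimum. It recognises traditional PEM, PKCS#8 and OpenSSH private key files; the function names and the sample data are constructed for illustration.

```python
import base64, struct

def private_key_protection(pem):
    """Return 'plaintext' or 'encrypted:<cipher>' for a private key file's text."""
    lines = [l.strip() for l in pem.strip().splitlines()] or [""]
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted:pkcs8"  # PKCS#8: the cipher is named inside the ASN.1 body
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\0"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack_from(">I", blob, len(magic))
        cipher = blob[len(magic) + 4:len(magic) + 4 + n].decode()
        return "plaintext" if cipher == "none" else "encrypted:" + cipher
    if header.startswith("-----BEGIN") and header.endswith("PRIVATE KEY-----"):
        if "Proc-Type: 4,ENCRYPTED" in lines:  # traditional PEM encryption header
            dek = next((l for l in lines if l.startswith("DEK-Info:")), "DEK-Info: unknown")
            return "encrypted:" + dek.split(":", 1)[1].split(",")[0].strip()
        return "plaintext"
    raise ValueError("unrecognised private key header")

def ssh_rsa_bits(pub_line):
    """Modulus size in bits of an 'ssh-rsa AAAA...' public key line."""
    blob, fields, off = base64.b64decode(pub_line.split()[1]), [], 0
    while off < len(blob):  # SSH wire format: uint32 length, then that many bytes
        (n,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(fields[2], "big").bit_length()  # fields: type, e, n

def audit(pem, pub_line, min_bits=2048):
    """Findings for the two key-file problems raised in the post."""
    findings = []
    if private_key_protection(pem) == "plaintext":
        findings.append("private key is not passphrase-protected")
    bits = ssh_rsa_bits(pub_line)
    if bits < min_bits:
        findings.append(f"RSA modulus is {bits} bits, below {min_bits}")
    return findings

if __name__ == "__main__":
    # Constructed sample, not real keys: a 3DES PEM header and a fake 1024-bit modulus.
    s = lambda b: struct.pack(">I", len(b)) + b
    pem = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011223344556677\n\nAAAA\n-----END RSA PRIVATE KEY-----"
    pub = "ssh-rsa " + base64.b64encode(s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + b"\xff" * 128)).decode()
    print(private_key_protection(pem), audit(pem, pub))
```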

Re: Security issue with ssh keys

Posted: Mon Feb 01, 2016 10:43 pm
by paulr
Thanks for that. Weirdly... My copy of Remoter (Remoter Pro 1.8.03) does not include the "Notifications" option mentioned in your link, and does not have any option to send messages to the programmer.

So I've used email instead.
Cheers.
Paul

Re: Security issue with ssh keys

Posted: Tue Feb 02, 2016 3:26 am
by paulr
I mustn't grumble too much. It's a good app filling a void left by the abandonware iSSH.

Cheers.
Paul.