Security issue with ssh keys
Posted: Thu Jan 28, 2016 11:35 pm
3 issues listed below... The first is the security issue.
ISSUE 1: Your private key *should* be password protected. But this app *requires* that you save the passphrase *with* the private key (if you leave the passphrase blank, the connection never succeeds). That is poor security practice.
What should happen is that you should be required to enter the passphrase for the private key when you first try to use it, then the app should remember it for the session only. It should *never* save the passphrase or the unencrypted private key (which it is doing right now).
ISSUE 2: If you create a new key in the Key Manager, then select it and choose “Email”, a mail dialog appears. At that point, your bluetooth keyboard gets disabled! (you need to hit the “+” button and choose an email from your contacts).
ISSUE 3: In the Key Manager, the RSA keys created are only 1024 bits, and there is no option to increase that. 1024 bits hasn’t been a recommended key size since the 90s. Current recommendations (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf - see page 12) are 2048-3072 bits.
Instructions for creating longer private keys:
If you want to create longer keys, you can’t do it inside the app. And since the app only supports des3 for key encryption, you need to use openssl rather than ssh-keygen. The following command will do it:
openssl genrsa -des3 -out privatekey 4096
“privatekey” is the file that you need to copy to your iPad, save to the clipboard and then import into Remoter.
Then you need to extract the public key to add to ~/.ssh/authorized_hosts on your server:
ssh-keygen -y -f privatekey > privatekey.pub
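As an added, defender-side example that is not from the post or from Remoter: a small Python auditor that parses the "ssh-rsa" public key line that `ssh-keygen -y` prints and reports the modulus size against the 2048-bit floor from the NIST guidance cited above, plus a check for the Proc-Type/DEK-Info headers that `openssl genrsa -des3` writes so you can confirm a private key really is passphrase-protected before importing it. The key material built here is constructed for the demonstration, not a real key.

```python
import base64
import struct

# Minimum RSA modulus size from the NIST SP 800-57 guidance cited in the post.
MIN_RSA_BITS = 2048

def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: big-endian uint32 length, then bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint (zero byte first if high bit set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def make_rsa_pubkey_line(e: int, n: int, comment: str = "constructed") -> str:
    """Build an 'ssh-rsa <base64> <comment>' line like ssh-keygen -y prints (test data)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)

def rsa_modulus_bits(pubkey_line: str) -> int:
    """Parse an 'ssh-rsa' public key line and return the modulus size in bits."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob, fields, pos = base64.b64decode(parts[1]), [], 0
    while pos < len(blob):  # walk the length-prefixed fields: "ssh-rsa", e, n
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa key blob")
    return int.from_bytes(fields[2], "big").bit_length()

def key_too_small(pubkey_line: str) -> bool:
    """True when the modulus is below MIN_RSA_BITS, e.g. the app's 1024-bit default."""
    return rsa_modulus_bits(pubkey_line) < MIN_RSA_BITS

def private_key_is_encrypted(pem_text: str) -> bool:
    """True if a PEM private key is passphrase-protected: the Proc-Type/DEK-Info
    headers that 'openssl genrsa -des3' writes, or PKCS#8's ENCRYPTED PRIVATE KEY."""
    traditional = "Proc-Type: 4,ENCRYPTED" in pem_text and "DEK-Info:" in pem_text
    return traditional or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text
```

Run `rsa_modulus_bits` on the contents of privatekey.pub and `private_key_is_encrypted` on the privatekey file to verify both the size and the encryption before copying anything to the iPad.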