#1 2018-03-25 04:52:11

LeftyAce
Member
Registered: 2012-08-18
Posts: 159

Which parts of a command passed over ssh are protected?

Hi all,

I would like to be able to unlock and mount an encrypted volume on a remote server through ssh. I'd like to be able to do it without logging into an interactive session to type the password for the encrypted volume.

I have public key authentication set up for ssh, and for an encrypted volume with password "password1" I can successfully do the following:

ssh backup-server 'echo password1 | /home/lefty/Scripts/unlockBackupFolder'

The script "unlockBackupFolder" runs cryptsetup to unlock and then mounts the volume where I want it.

My question is, if I run this over the internet, is the password exposed? Or is that whole command string protected by SSH? Is there a better way to do this? I don't want to store any encryption keys on the remote server; they should only be on my local machine.

Thanks,

Lefty

#2 2018-03-25 05:28:50

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: Which parts of a command passed over ssh are protected?

ssh may protect the transport used to connect to the machine, but the password is still visible in `ps` or `htop` on the local *and* remote machines in the event that the remote server was actually compromised...

Of course, you can always connect the stdout on your local machine to the stdin on the remote, rather than running both on the remote. Or upgrade to something that is actually designed to keep secrets safe on a different machine than the one using them. The most obvious solution that springs to mind is gpg and its socket forwarding support, but I'm sure there are lots of others.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
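
The difference between a secret placed in the command string and a secret sent on stdin, as raised in the reply above, shown as an added example that is not part of either post. It runs locally only: `sh -c` stands in for the shell that sshd starts for a remote command, the passphrase is a constructed sample value, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed local demo: no ssh connection and no real volume are involved.
SECRET='constructed-demo-passphrase'   # constructed sample value

# Print a process's argument vector, the same data ps/htop display.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Returns 0 if the secret appears in the argv of background process $1.
secret_in_argv() {
    sleep 1                          # give the child time to exec
    cmdline_of "$1" | grep -q -- "$SECRET"
    found=$?
    wait "$1" 2>/dev/null
    return "$found"
}

# Form 1: secret inside the command string, as in
#   ssh backup-server 'echo password1 | /home/lefty/Scripts/unlockBackupFolder'
leaks_when_in_command_string() {
    sh -c "sleep 2; echo '$SECRET' >/dev/null" &
    secret_in_argv "$!"
}

# Form 2: secret written to stdin, as in
#   printf '%s\n' "$pass" | ssh backup-server /home/lefty/Scripts/unlockBackupFolder
# printf is a shell builtin, so no exec'd process carries the secret in argv.
leaks_when_on_stdin() {
    printf '%s\n' "$SECRET" | sh -c 'sleep 2; cat >/dev/null' &
    secret_in_argv "$!"
}

if leaks_when_in_command_string; then
    echo "command string: secret visible in the process list"
fi
if leaks_when_on_stdin; then :; else
    echo "stdin: secret absent from the process list"
fi
```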
