CURL SSH Key passphrase safety

1
votes

I was just playing with the idea of using curl to scp/sftp some of my files over to a remote box and was wondering how exactly to keep my passphrase to my private keys safe if I can't use an ssh-agent and can only use the key files themselves. My knowledge is that there really isn't a way to do this but I am hoping that I am wrong about this.

Edit: More description

I have generated ssh keys to log into my remote box, I have put a passphrase on the key, I want to use this key to log into the remote box with libcurl and setting CURLOPT_SSH_PRIVATE_KEYFILE to the proper key file, however I would then have to set CURLOPT_KEYPASSWD because I set a passphrase, which from what I understand would have to just plain text and that just doesn't seem very secure to me. Maybe its a non-issue?

2
c++csshlibcurlprivate-key
Just being out for the public to see if they get my source code - csteifel
what source code? i think you should describe your scenario in more detail. - mnagel
Can you use ssh-copy-key once to store your ssh key and then just use key-based auth instead of password? - Avery

2 Answers

0
votes

If you want fully automated authentication then the authentication credentials must be stored somewhere.

Generally if you have root access to some machine then you can read anything including other people's private key files in their home directories.

For this reason pass phrases were introduced to encrypt those private key files on centralised storage. When you then mount a shared home directory on your own machine (on which presumably only you have root) it is safe to use the passphrase and decrypt it. The real key is then stored temporarily in memory (at which point theoretically root could access it).

If you use ssh-agent then it keeps your passphrase (needed to decrypt the keyfile) in memory which is erased on reboot and you need to reenter your passphrase.

Now if you need non interactive authentication with curl (or whatever else) then all information to get the decrypted keyfile needs to be on the machine somewhere. If you are the only one with root access to that machine then it is safe to store it without a passphrase.

If not... well then you won't get fully secure unless you wish to enter the passphrase on each access manually (and even then root could be nasty and ptrace your process to get the passphrase). In that case I suggest you put the passphrase file in volatile storage (/dev/shm for example) and deny everyone except yourself access. Root will still be able to read it though. This will need to be repeated on every reboot though.

0
votes

You could store your passphrase somewhere in an encrypted form. Read the encrypted passphrase from wherever you stored it, decrypt it, set CURLOPT_KEYPASSWD to the decrypted passphrase, use curl to access the remote box, then unset CURLOPT_KEYPASSWD

Still doesn't protect you from a really determined intruder, but it makes it annoying enough to keep casual intruders from trying.