SSH Profile Password Keyring

Asked by michelem on 2007-02-13

Is it possible to use gnome-terminal profiles like putty/secureCRT?
We only need the ability to add the server's ssh passwords to the default keyring, then when we call a profile with a particular command (something like ssh user@server) the password is put/get in/from the keyring.
What do you think?
Thank you

Question information

Language:
English
Status:
Solved
For:
Ubuntu gnome-terminal
Assignee:
No assignee
Solved by:
Ralph Janke

Paolo Sammicheli (xdatap1) said : #1

There's a better way. Take a look here:

https://help.ubuntu.com/community/AdvancedOpenSSH#head-f06532af79917a251e68c7ccf567cb5c399e0aba

You can generate an RSA key on your computer, export the public key to the server you want to log in to, then when using ssh with that server the authentication is based on the key instead of the password. If you generate an RSA key without a passphrase you don't have to type anything to log in. Be careful, because if someone steals your key he can log in on that server without any password, so set it with only user reading privilege and don't use it on a shared PC.
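
Added example, not part of the original thread or any poster's code: a Python check for the two risks answer #1 names, a private key file that other users can read and a key stored without a passphrase. The key text is a constructed, header-only sample (not a usable key), and `key_cipher`, `audit_key` and `constructed_key` are names chosen here.

```python
import base64, os, stat, struct, tempfile

MAGIC = b"openssh-key-v1\0"  # start of the decoded OpenSSH private key blob

def key_cipher(pem_text):
    """Return the cipher protecting a private key; 'none' means no passphrase."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])   # length of ciphername
        return blob[off + 4:off + 4 + n].decode("ascii")
    # Legacy PEM ("BEGIN RSA PRIVATE KEY"): encryption is declared in a header.
    for l in lines:
        if l.startswith("DEK-Info:"):
            return l.split(":", 1)[1].split(",")[0].strip()
    return "none"

def audit_key(path):
    """List findings for one private key file; an empty list means it passes."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("mode %04o lets group/other access the key" % mode)
    with open(path) as fh:
        if key_cipher(fh.read()) == "none":
            findings.append("no passphrase: holding the file is enough to log in")
    return findings

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def constructed_key(cipher):
    """Constructed sample: only the header fields the audit reads."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n"
            "-----END OPENSSH PRIVATE KEY-----\n" % body)

def demo():
    """Audit one weak and one well-protected constructed key file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, cipher, mode in [("bare", b"none", 0o644),
                                   ("good", b"aes256-ctr", 0o600)]:
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write(constructed_key(cipher))
            os.chmod(path, mode)
            results[name] = audit_key(path)
    return results
```

Calling `audit_key` on each private key under `~/.ssh` gives the same findings for real keys.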

Ralph Janke (txwikinger) said : #2

I am not sure what you would like to do. Do you want to log into the server with ssh and authenticate via public key?

Here is a summary of how to set this up:

http://sial.org/howto/openssh/publickey-auth/

michelem (michele-marcucci) said : #3

Thanks for your answers, but unfortunately I, like many others, cannot add our RSA key to the servers. I know the usage of ssh keys very well, but we cannot use them on "company/office" servers, so we prefer to have the servers' passwords saved in the gnome keyring or something similar.
Try to look at this: http://savannah.nongnu.org/projects/gnome-sshman/
It is a reasonable solution, but I'd prefer an integration with the existing gnome-terminal.
Thank you

Ralph Janke (txwikinger) said : #4

I am not sure what you mean when you say you cannot add the RSA key to the server. You don't; you have only the public part of the RSA key on the server. The private one stays on your machine. If you connect to a server, you do it via ssh, as I understand. So you have an account on the server, right? You should also have a home directory in which the .ssh directory goes, right?

If you authenticate via keys, the public part always has to be on the server, otherwise you don't really use key authentication. Maybe you want to explain a little more about your current process.

I am not entirely sure sshman does what you seem to describe. There is not a lot of good documentation, but it seems to me, for it to work, you still must authenticate somehow... does sshman just store all the passwords and it is done via password authentication instead of key authentication?

Or does it assume anyway that you have set up proper public key authentication, and then only allows you to connect via mouse-click instead of entering the command?

michelem (michele-marcucci) said : #5

@txwikinger:

The problem is about company policy that doesn't let us save a public key in our home directory, so we CANNOT use ssh keys (rsa, dsa, etc.) and we have to use only password authentication.
So this is quite frustrating, because the servers are a lot and the users/passwords too (we don't have only one user but also "group" users).

With sshman it's true I have to authenticate with a password, but I can save it in a keyring once and then forget the server password.

So I'm looking for something similar to sshman but integrated in gnome-terminal (I don't like having more software for the same things). I think it will be useful for every system administrator.

This is the likely scenario:
You save the server profile in gnome-terminal with server name, host and user, once you click that profile it asks you your keyring password and the server password, so next time you click that profile you will be asked only for the keyring password (that's always the same and you know well)

Best Ralph Janke (txwikinger) said : #6

I am not aware of any implemented feature at this time, not that it would not be possible.

However, the majority of security experts at this time prefer private/public key authentication over passwords. I am not sure why your company's policy seems to allow a less secure method over the more secure one. Also, if you would find such a feature, it should be made sure that the stored keyring is properly encrypted etc.; however, this must be a symmetric encryption and therefore is far easier to break.

Maybe someone needs to convince the deciding authorities in your company to rethink their security strategies.

michelem (michele-marcucci) said : #7

Thank you for your time, you are right, the company's policy sucks.