Take Your Rootshell Wherever You Go

Working at a client's site, I used to take my laptop with me in case I needed a rootshell on one of my servers. These times are gone, thanks to a little tool made by bitvise.com. Dr. Chris Brown pointed me in the right direction, writing about this tool in his revealing and always well-written column in the Linux Format magazine. Essentially, the new tool, called tunnelier, is a mature and stable ssh client for Windows. So I grabbed an empty memory stick and downloaded tunnelier. Running the exe file for the first time, I decided to extract the software onto the memory key and put my encrypted ssh secret key on the stick too. Before you can use a secret key for authentication, you have to import it into the software.

  

It was a matter of less than a minute to be greeted with the root shell of my server on the Windows system, all necessary software stored on a memory key.

In addition to the terminal window on the server, a graphical SFTP client pops up as well, so you can safely upload some files that need to be on your server. This is excellent.

As you'd expect, this program comes with a proprietary license (personal use is still free) and it's not open source. But it is a valuable tool to bridge the Windows and Unix worlds if you are on the move.

The license terms allow 4 individuals to use the ssh client free of charge before you'll need to purchase an extended license for all users in a given environment.

Before you head off with your new ssh stick to your nearest Windows computer, a word of caution may be appropriate. As we know, these operating systems are prone to attract all kinds of malware if they are not properly secured. So there is a real risk of losing your secret key to an adversary if, say, a keylogger is in action on the machine you use to bridge the worlds. Because you'll never know whether your host's Windows is compromised or not, it's prudent to place another layer of protection between the host and your Linux server. Don't use a secret key on your ssh stick that will open the doors to your high-security Linux servers. Today, there are all sorts of servers on the internet. For some of them, the low-security servers, it would be a nuisance if someone broke into them and gained a root shell. But there are others where security really matters and which have to be protected at all costs, or at least with a reasonable amount of effort, to make sure no unauthorized person will lay their hands on the high-security server.

To make good use of your ssh stick, you can put a low-security server as a relay between the Windows host and your high-security servers. In case your Windows host is compromised, the security of your ssh stick is gone, because the adversary has learned the passphrase you are using to protect the secret key on the stick. If that happens, the adversary is in an even better position than one who steals your laptop, because the high-security secret keys on your laptop are still protected with an unknown passphrase. As the adversary can now log into your low-security server, it is useful to configure the root login to send out an email to indicate a successful root login on that server. Although the adversary can now change the system, he cannot stop the email triggered by his first break-in, which is already out the door and cannot be retrieved. So you're warned if you receive such an email without having logged into your server yourself.
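One way to implement the root-login email described above, as an added example that is not from the original post: a script run by pam_exec when an SSH session opens on the relay server. The install path, the PAM line shown in the comment and the address admin@example.org are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): mail an alert on every root login.
# Assumed setup: saved as /usr/local/sbin/root-login-alert.sh and called from
# /etc/pam.d/sshd on the low-security relay server with
#   session optional pam_exec.so /usr/local/sbin/root-login-alert.sh
# pam_exec passes PAM_USER, PAM_RHOST, PAM_TYPE, PAM_SERVICE and PAM_TTY in the
# environment.

ALERT_TO="${ALERT_TO:-admin@example.org}"    # placeholder; use a mailbox on another machine
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"   # assumed path of the local MTA's sendmail binary

# True only when a session is being opened for root (not on logout, not for other users).
should_alert() {
    [ "${PAM_TYPE:-}" = "open_session" ] && [ "${PAM_USER:-}" = "root" ]
}

# Print the complete message (headers, blank line, body) on stdout.
build_alert() {
    host=$(uname -n)
    when=$(date -u '+%Y-%m-%d %H:%M:%S UTC')
    # The remote host name may come from reverse DNS, which the connecting side
    # controls: keep only safe characters so it cannot add header lines.
    rhost=$(printf '%s' "${PAM_RHOST:-unknown}" | tr -cd 'A-Za-z0-9.:_-')
    printf 'To: %s\n' "$ALERT_TO"
    printf 'Subject: root login on %s from %s\n\n' "$host" "$rhost"
    printf 'Remote host: %s\nService: %s\nTTY: %s\nTime: %s\n' \
        "$rhost" "${PAM_SERVICE:-unknown}" "${PAM_TTY:-unknown}" "$when"
    printf 'If this was not you, treat the key on the ssh stick as compromised.\n'
}

# Send the alert; never fail, so a mail problem cannot lock the owner out.
send_alert() {
    should_alert || return 0
    build_alert | "$SENDMAIL" -t || true
}

send_alert
```

Because pam_exec runs the script when the session is opened, the alert does not depend on the shell's startup files, which a login that runs a single remote command would skip.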

Just make sure that your high-security ssh keys stored on your low-security server are protected with a different passphrase.

And keep an eye on your email.