Set up password-less access from internally #52

Open
KronosTheLate opened this issue Jun 14, 2023 · 1 comment

Comments

@KronosTheLate
Contributor

I just noticed that OpenSSH_jll defines the following:
[image]
which has me thinking - could we not add a passwordless connection from within this package? I realized I also had to use ssh-copy-id [email protected], which is not defined by OpenSSH_jll. But perhaps the defined ssh_agent could do this? Alternatively, it is also possible to run arbitrary commands via run, so this should be doable either way.

@c42f
Collaborator

c42f commented Jun 23, 2023

We might be able to automate some setup and I welcome PRs to make this easier. Or just to document the process.

However, we can't entirely automate getting the user's public key to the remote machine in a secure way. To do this, the user needs a way to get the public key data onto that machine securely. Some examples of reasonable ways to do this:

  • Physically walking to that machine with a USB stick and copying the key
  • Copy the key data using SSH username and password login for the remote machine
  • Sending your public key to the admin of the remote machine via an email
  • Using a remote desktop protocol with username and password
  • etc etc

I'll never make RemoteREPL insecure by default, but any other type of PR which helps the user to set things up is great.

In certain situations it might be possible to automate some more things by using HTTPS as a transport instead of SSH and relying on the public key infrastructure which comes with that to identify the server to the client. This would also secure the link against MITM attacks, similar to what we get from SSH. However, it still wouldn't solve the problem of identifying clients to the server as trusted clients who are allowed to start a session. Requiring users to set up their SSH login solves both problems of secure transport and identifying trusted clients. See #25 for more about TLS.
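
The "send your public key to the admin" route from the list above, seen from the receiving machine, as an added example that is not part of the original thread or of RemoteREPL. The `install_pubkey` helper is hypothetical: it accepts only a single bare public-key line and appends it to `authorized_keys` once, with the owner-only permissions that sshd's `StrictModes` check expects.

```shell
#!/bin/sh
# Added example (hypothetical helper, not RemoteREPL code).
# Usage: install_pubkey 'KEY_LINE' [AUTHORIZED_KEYS_FILE]

install_pubkey() {
    key_line=$1
    auth_file=${2:-"$HOME/.ssh/authorized_keys"}

    # Refuse input spanning several lines: a pasted private key, two keys,
    # or leftover mail text must not end up in authorized_keys.
    case $key_line in
        *'
'*) echo "refusing: input spans more than one line" >&2; return 1 ;;
    esac

    # The line must start with a key type. Lines that begin with options
    # (command=, from=, ...) are rejected so nothing is accepted unread.
    case $key_line in
        ssh-ed25519\ *|ssh-rsa\ *) ;;
        ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) echo "refusing: not a bare public-key line" >&2; return 1 ;;
    esac

    # The second field is the key data and must be non-empty base64.
    blob=$(printf '%s\n' "$key_line" | cut -d' ' -f2)
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "refusing: key data is not base64" >&2; return 1 ;;
    esac

    # Create the directory and file readable and writable by the owner only.
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir" || return 1
    chmod 700 "$auth_dir" || return 1
    ( umask 077 && touch "$auth_file" ) || return 1
    chmod 600 "$auth_file" || return 1

    # Idempotent: installing the same key twice leaves a single entry.
    if grep -qxF -- "$key_line" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}
```

The check covers only the shape of the line; whether the key really belongs to the person who sent it still has to be confirmed through the channel it arrived on.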
