Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

2022-06-03 Thread rhkramer
Ahh, thanks Greg, I can now see those missing parts of the article -- it was 
NoScript, but, seeing most of the graphics in the article, somehow NoScript 
didn't come to mind as the cause of the problem.



On Friday, June 03, 2022 02:29:45 PM Greg Wooledge wrote:
> On Fri, Jun 03, 2022 at 01:16:45PM -0500, Tom Browder wrote:
> This happens ALL THE TIME when I use NoScript.
> 
> > I briefly looked at the article and didn't notice anything missing. Maybe
> > if you could take some screen shots in those areas we could help.
> 
> The first one I found is after this sentence:
> 
>   Copy it to a file on CA server and run the command:
> 
> NoScript initially reports 3 domains:
> 
>   betterprogramming.pub
>   cloudflareinsights.com
>   medium.com
> 
> Telling NoScript to Temp.Trust all 3 of these domains fixes this one
> (for me).  And once I do that, NoScript now reports that there are 7
> domains.  One of them (github.com) is already trusted, so you might need
> that one as well -- I don't know.
> 
> I'm sure you're used to this, if you're a NoScript user.



Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

2022-06-03 Thread Tom Browder
On Fri, Jun 3, 2022 at 13:46  wrote:

> On Friday, June 03, 2022 02:16:45 PM Tom Browder wrote:
> > I briefly looked at the article and didn't notice anything missing. Maybe
> > if you could take some screen shots in those areas we could help.
>
> Thanks for the reply, and thanks, I'll do that.
>
> I guess you intentionally replied off list, but that means I can attach
> some screen shots without worrying about whether that violates a list policy.


Hm, no I don't see that I replied off list, maybe you're having a browser
problem of some kind as you hinted.

-Tom


Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

2022-06-03 Thread David Christensen

On 6/3/22 08:46, rhkra...@gmail.com wrote:
> On Friday, June 03, 2022 10:43:53 AM Tom Browder wrote:
> > I have been using ssh for logging in to my remote hosts for many years, but
> > I have NOT been using ssh-agent.
>
> I'm intentionally not addressing your specific questions.
>
> For me, your post is rather timely, because I'm digging into ssh and was
> trying to understand the different methods of authentication and trying to
> decide what was best for me.  (I have a SOHO with up to 5 nodes at a time;
> right now only 3.)
>
> From some of my reading, ssh certificates seem to be highly recommended,
> although it has seemed difficult for me to get all the details I want.
>
> The best resource I've found so far is:
>
> https://betterprogramming.pub/how-to-use-ssh-certificates-for-scalable-secure-and-more-transparent-server-access-720a87af6617?gi=8a3ac1f658bc
>
> One problem with that article is that it seems that there are about 3 blanks
> in it where, for example, the text mentions something like ~"use this command"
> and then there is a big blank spot.  (I've tried viewing the page in 2 to 4
> different browsers, depending on how you count them -- some older versions of
> firefox, a fairly recent version of firefox, and an older version of konqueror).
>
> I've looked for a way to contact the author but haven't found anything so far.
>
> Some of the advantages of certificates are (iiuc):
>
> * maybe a simpler setup, after you understand how to do it
>
> * easier to manage the keys / authentication (specifically, if you need to
> revoke permissions for a user you can do it in one place)
>
> * apparently the security can be somewhat better (maybe a result of the
> previous bullet, but I think some other things as well)
>
> * you can make the transition gradually -- you can keep the "old" public
> key authentication in place (and continue to use it when, where, and if
> needed) while you transition some server(s) and user(s) to certificates.
>
> I thought I'd call your attention to this for your consideration -- perhaps
> with both of us investigating and asking questions as needed, we both might
> make quicker progress.
>
> In any event, have a good day!



"Public key infrastructure" is large and complex; I am still climbing a 
subset of its many learning curves.



I own and recommend "TLS Mastery" by Michael W. Lucas:

https://mwl.io/nonfiction/networking#tls


David
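
The two advantages rhkramer lists above that actually depend on tooling (revoking a user in one place, and running certificates alongside existing authorized_keys during a gradual transition) in working form, as an added example that is not from the thread or the linked article. It assumes OpenSSH's ssh-keygen is installed; the key names, principals, serial and sshd paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked article: a minimal
# OpenSSH user-certificate CA in a scratch directory. File names, the CA
# comment and the sshd paths are constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. CA key pair plus an empty key revocation list (KRL). Only user_ca.pub
#    and revoked_keys are ever copied to the servers.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'soho-user-ca' -f "$WORK/user_ca"
    : >"$WORK/krl.spec"
    ssh-keygen -q -k -f "$WORK/revoked_keys"
}

# 2. Sign a user's existing public key: -n lists the principals (login names)
#    it is valid for, -V bounds its lifetime, -z assigns a serial the KRL can
#    revoke later. Output lands next to the key as <name>-cert.pub.
sign_user() {   # sign_user <pubkey file> <key id> <principals> <serial>
    ssh-keygen -q -s "$WORK/user_ca" -I "$2" -n "$3" -z "$4" -V '-5m:+52w' "$1"
}

# 3. Server side: trust the CA alongside authorized_keys, so existing keys
#    keep working while users move to certificates one at a time.
sshd_dropin() {
    printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
    printf 'RevokedKeys /etc/ssh/revoked_keys\n'
}

# 4. Revocation in one place: record the serial, rebuild the KRL, push that
#    one file to every server. No authorized_keys is touched anywhere.
revoke_serial() {   # revoke_serial <serial>
    echo "serial: $1" >>"$WORK/krl.spec"
    ssh-keygen -q -k -f "$WORK/revoked_keys" -s "$WORK/user_ca.pub" "$WORK/krl.spec"
}

# 5. What sshd would decide: exit 0 if the KRL revokes the certificate, 1 if it
#    is still acceptable (ssh-keygen -Q exits non-zero for a revoked key, and
#    any other failure is treated as revoked, i.e. fail closed).
cert_is_revoked() {   # cert_is_revoked <cert file>
    ! ssh-keygen -Q -f "$WORK/revoked_keys" "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then          # sh this_file.sh demo
    make_ca
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/alice"    # Alice's own key pair
    sign_user "$WORK/alice.pub" 'alice@laptop' 'alice,admin' 7
    revoke_serial 7
    cert_is_revoked "$WORK/alice-cert.pub" && echo "serial 7 revoked in $WORK"
fi
```

The sshd drop-in only adds trust; nothing in authorized_keys has to change, which is what makes the per-host migration gradual.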



Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

2022-06-03 Thread Greg Wooledge
On Fri, Jun 03, 2022 at 01:16:45PM -0500, Tom Browder wrote:
> On Fri, Jun 3, 2022 at 10:46  wrote:
> > 
> >
> > One problem with that article is that it seems that there are about 3 blanks
> > in it where, for example, the text mentions something like ~"use this command"
> > and then there is a big blank spot.

This happens ALL THE TIME when I use NoScript.

> I briefly looked at the article and didn't notice anything missing. Maybe
> if you could take some screen shots in those areas we could help.

The first one I found is after this sentence:

  Copy it to a file on CA server and run the command:

NoScript initially reports 3 domains:

  betterprogramming.pub
  cloudflareinsights.com
  medium.com

Telling NoScript to Temp.Trust all 3 of these domains fixes this one
(for me).  And once I do that, NoScript now reports that there are 7
domains.  One of them (github.com) is already trusted, so you might need
that one as well -- I don't know.

I'm sure you're used to this, if you're a NoScript user.



Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

2022-06-03 Thread Tom Browder
On Fri, Jun 3, 2022 at 10:46  wrote:

> On Friday, June 03, 2022 10:43:53 AM Tom Browder wrote:
> > I have been using ssh for logging in to my remote hosts for many years, but
> > I have NOT been using ssh-agent.
>
> I'm intentionally not addressing your specific questions.
>
> For me, your post is rather timely, because I'm digging into ssh and was
> trying to understand the different methods of authentication and trying to
> decide what was best for me.  (I have a SOHO with up to 5 nodes at a time;
> right now only 3.)
>
> From some of my reading, ssh certificates seem to be highly recommended,
> although it has seemed difficult for me to get all the details I want.
>
> The best resource I've found so far is:


I remember seeing that in the past. Note when I started my
https://usafa-1965.org website in 2010 I plunged into creating ssl
certificates for my classmates to log in painlessly. But it was a pain for
me, although I built my CA with a hand-coded Perl set of programs which
helped immensely. There are now better CA solutions (open source ones,
too), but for my purposes I think the ssh-agent will be easier.

> https://betterprogramming.pub/how-to-use-ssh-certificates-for-scalable-secure-and-more-transparent-server-access-720a87af6617?gi=8a3ac1f658bc
>
> One problem with that article is that it seems that there are about 3 blanks
> in it where, for example, the text mentions something like ~"use this command"
> and then there is a big blank spot.  (I've tried viewing the page in 2 to 4
> different browsers, depending on how you count them -- some older versions of
> firefox, a fairly recent version of firefox, and an older version of
> konqueror).


I briefly looked at the article and didn't notice anything missing. Maybe
if you could take some screen shots in those areas we could help.

-Tom