We have a rails app that needs to ssh to a remote server (unix) and do some command line stuff. I don't know a lot about security, so looking for advice. Currently, the controller receives a submit from the view, with a password in the params hash (not hashed, or anything). Then we use Net::SSH gem to ssh to the remote server and do stuff. This seems all kinds of un-safe. Our thoughts were:
OR
OR
Any links to articles or explanations, greatly appreciated. Thanks!
With public key authentication, you're just authenticating between your webserver and the server you're ssh'ing to. So if I understand your layout, then anyone who goes to the page doesn't need a password to get in. If you are passing a password via post, you can simply filter it from your logs with something like this
filter_parameter_logging :password
in your Application controller. Then it's just being passed around in memory, not stored anywhere static. Though hashing and salting in the view via javascript and then decoding in the controller is probably still a good idea if you aren't using SSL. I'm certainly not going to recommend against an extra security measure that is fairly simple to implement...
Edit: Looks like the way to filter parameters in Rails 3 is
config.filter_parameters += [:password]
in config/application.rb
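To make concrete what the filter setting above actually does (and does not do), here is an added, stand-alone Ruby example that is not Rails' own code: it re-implements the log-side parameter filtering that config.filter_parameters applies, using the same matching rules Rails uses (a filter name matches any key containing it, case-insensitively, and the filter recurses into nested hashes and arrays). The params hash and filter list are constructed for the example. The original hash is left untouched, which is the point of the caveat in the answer: filtering only changes what reaches the log, the plaintext password is still in memory and on the wire until it is sent over SSL.

```ruby
# Added example, not code from Rails or from the answers above.
# Mimics what config.filter_parameters += [:password] does to the params
# hash before Rails writes the "Parameters: {...}" log line.
FILTERED = '[FILTERED]'.freeze

# Return a filtered copy of +params+. +filters+ is a list of names
# (symbols or strings); a key matches if it contains any name,
# ignoring case, exactly as Rails' parameter filter does.
def filter_params(params, filters)
  pattern = Regexp.union(
    filters.map { |f| Regexp.new(Regexp.escape(f.to_s), Regexp::IGNORECASE) }
  )
  deep_filter(params, pattern)
end

# Walk hashes and arrays; replace the value of every matching key.
def deep_filter(value, pattern)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = k.to_s.match?(pattern) ? FILTERED : deep_filter(v, pattern)
    end
  when Array
    value.map { |v| deep_filter(v, pattern) }
  else
    value
  end
end

# What a Rails request log line for this action would look like
# after filtering (format approximated, constructed for the example).
def log_line(controller, action, params, filters)
  "Processing by #{controller}##{action}  Parameters: #{filter_params(params, filters).inspect}"
end

# Constructed sample of what the form in the question might submit.
SUBMITTED = {
  'host'         => 'app-01',
  'ssh_password' => 's3cret',
  'creds'        => { 'password_confirmation' => 's3cret' },
  'servers'      => [{ 'name' => 'db', 'root_password' => 'hunter2' }]
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts log_line('SshController', 'create', SUBMITTED, [:password])
  # The unfiltered hash still exists; filtering is for logs only.
  puts "still in memory: #{SUBMITTED['ssh_password']}"
end
```

Run it directly to see the filtered log line followed by the unchanged in-memory value; the second line is the reason the answers still recommend SSL for the form itself.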
I would vote for your first option -- public key authentication. The fewer passwords that are required for people to know, the better. Unless your form is displayed with HTTPS (SSL) that password is somewhat insecure, and as @Scott S points out in his answer, it will indeed show up in unexpected places like logs, unless you filter it.
The most common way to set up public key authentication with ssh is to use a key having an empty passphrase. A more secure way may be to use ssh-agent, but as long as the servers themselves are well secured (in particular, the private key of the requesting server), that's probably not necessary.