Article 4YJ5J Passwordless SSH without shared key?

by itsallgood from LinuxQuestions.org on (#4YJ5J)

Hi all,

Apologies for what is a novice question, I am sure; I wanted to bounce this logic off of someone more experienced.

I am setting up a web portal for several of our Linux servers using open source software. This portal will give users access to all of our Linux servers from a web portal. Basically to be used as a one-stop resource.

For some of the functions involved however I need to set up passwordless SSH. I know I can do this using a key pair, but is it possible to do this via iptables instead?

I would integrate key pairs, but for the sake of simplicity I think I would rather see if I can do this via iptables. Otherwise, to my knowledge, each user will have to generate a key pair first before using the web portal, and I think it might just create too much confusion and undermine the simplicity of the web portal; this is geared more toward beginner Linux users.

I don't think this will pose a security risk necessarily if I just allow passwordless SSH from the web portal IP on all of the destination servers. All of the servers being accessed by this web portal are part of the same security group as the web portal, so if they are not part of the security group they can't access the portal or the servers. So users will just need to supply their password one time to access the web portal then can jump to the servers, that's what I'm thinking anyway.

Can you see any flaws with this logic from a security basis? I guess if someone did gain unauthorized access to the web portal and then jumped to one of the other servers it wouldn't be a huge deal unless it was root. So I would need to be able to allow passwordless SSH on all accounts except root from this IP. Is this possible to allow via iptables for just one IP? I do need to keep password SSH enforced for everything else.

Many thanks.