Is it really secure to connect to a server by SSH from hotels during a journey?
Is it really secure to connect to a server using SSH from hotels during a journey?
Server:
- CentOS 7
- Authorisation only by RSA key - password auth is denied
- Non-standard port
Workstation:
- Ubuntu 14
- user password
- password to use RSA key (standard method)
Maybe it will be a good idea to keep half of the private RSA key on a USB stick, and automatically (by script) add this half to ~/.ssh/private_key before connecting?
Internet will be through either WIFI in hotels, or cable in a rented apartment.
UPD
Sorry for being unclear at first. I mean security in two aspects here:
- Security of just the SSH connection through an untrusted network.
- Security of a computer with the key necessary for the SSH connection - if it is stolen, how to protect the server...
So, regarding making an ssh connection over an explicitly untrusted connection.
Assuming you already have an ~/.ssh/known_hosts entry from a previous connection, yes you should be able to connect without worrying about whatever the network is safe or not. The same goes if you have some other means of verifying the ssh host key.
If you have never connected to the server before, nor having any other way of verifying the ssh host key, then you might want be more careful regarding the network you use to connect.
In the second part of your question you seem to be worried about your notebook being stolen and, with it, your private-keys for your password-less SSH login to your servers.
Please note that this can easily be solved (the private keys issue) by storing private keys "encrypted" with a "passphrase": they can be encrypted initially, while generating with the ssh-keygen utility, by providing a passphrase at the end of the generation process or, if you already have them unencripted, using the ssh-keygen utility with -p option. Once the key is encrypted, at every login you're asked to enter the related passphrase and.... if correct, everything will proceed normally.
Also, if you don't want to enter the passphrase every time you launch the ssh client, you can use the ssh-agent: it can keep track, in memory, of unencrypted private keys. You can simply run ssh-add pointing to the file holding the encrypted key and, after asking for the passphrase, the key is added to the set managed by the ssh-agent. Afterwards, every time the SSH client require a passphrase-protected key, the ssh-agent transparently provide the related unencrypted private-key to the ssh client. So, for you, it's not needed to enter it interactively.
Please note that ssh-agent can manage plenty of keys, and obviously you can "tune" your notebook/desktop to launch the ssh-add utility (to populate the ssh-agent set of keys) at login/startup time.
Also, should someone steal your laptop, your private-keys are probably not the only "sensitive" content you're going to give out: please note that with today's Linux desktop distributions it's VERY easy to set-up a notebook relying on "encrypted" file system (the /home as a starter, but the whole / if needed). So, please, consider this also.
All of the above, obviously, does NOT apply if you DON'T rely on YOUR OWN notebook.
P.S.: as for your possibility to store the two halves of the unencrypted private key on different mediums: I strongly advice you not to do this, as maintaining the two pieces of sensitive content in an unencrypted form is much, much worse, than keeping two full copies of the whole content, encrypted!
The first part of your question is already answered by previous response. As per your second part, I would recommend to add a second factor to your ssh login using pam_google_authenticator. It is is fairly easy setup and configure on any distro. In the case where the private key you are carrying around is stolen, they can't login to your server w/ out the TOTP onetime password from google-authenticator.
https://www.howtoforge.com/tutorial/secure-ssh-with-google-authenticator-on-centos-7