Is ssh without a password secure enough?












5














I have a web server setup and would like to connect to it from outside using Tor.
The web server simply serves up a simple webpage that will act as an interface for a program running on the machine.
It is not meant to be accessible by anyone else.



If I set up another computer with SSH and set to login using SSH keys to act as an SSH tunnel, is this secure enough from most attackers?



With the SSH tunnel and Tor in place, is there a reason to use SSL or is all this secure enough?
What possible attacks are still possible and how do I defend against them?






ssh







share|improve this question





























    5














    I have a web server setup and would like to connect to it from outside using Tor.
    The web server simply serves up a simple webpage that will act as an interface for a program running on the machine.
    It is not meant to be accessible by anyone else.



    If I set up another computer with SSH and set to login using SSH keys to act as an SSH tunnel, is this secure enough from most attackers?



    With the SSH tunnel and Tor in place, is there a reason to use SSL or is all this secure enough?
    What possible attacks are still possible and how do I defend against them?






    ssh







    share|improve this question



























      5












      5








      5


      1





      I have a web server setup and would like to connect to it from outside using Tor.
      The web server simply serves up a simple webpage that will act as an interface for a program running on the machine.
      It is not meant to be accessible by anyone else.



      If I set up another computer with SSH and set to login using SSH keys to act as an SSH tunnel, is this secure enough from most attackers?



      With the SSH tunnel and Tor in place, is there a reason to use SSL or is all this secure enough?
      What possible attacks are still possible and how do I defend against them?






      ssh







      share|improve this question















      I have a web server setup and would like to connect to it from outside using Tor.
      The web server simply serves up a simple webpage that will act as an interface for a program running on the machine.
      It is not meant to be accessible by anyone else.



      If I set up another computer with SSH and set to login using SSH keys to act as an SSH tunnel, is this secure enough from most attackers?



      With the SSH tunnel and Tor in place, is there a reason to use SSL or is all this secure enough?
      What possible attacks are still possible and how do I defend against them?






      ssh




      ssh






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 37 mins ago









      forest

      32.5k15104110




      32.5k15104110










      asked 2 hours ago









      user942937

      727




      727






















          1 Answer
          1






          active

          oldest

          votes


















          4














          If you are using public key authentication for SSH, no one can log in to the server without having the corresponding private key. This is as secure, and usually more secure, than password authentication. The encryption OpenSSH provides is state of the art; there is no known way to break it. You can further improve security on the Tor side by using authorized hidden services. This will make the domain inaccessible to all but your client. Note that this only works with v2 hidden services, not the latest v3.



          The only remaining attack would be a man-in-the-middle attack. You can copy over the host key from the server to your client, just like you copied a key to make public key authentication possible. This will completely mitigate man-in-the-middle attacks and the client will warn you if an attempt is detected.



          See also What is the difference between authorized_keys and known_hosts file for SSH?






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "162"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200792%2fis-ssh-without-a-password-secure-enough%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            4














            If you are using public key authentication for SSH, no one can log in to the server without having the corresponding private key. This is as secure, and usually more secure, than password authentication. The encryption OpenSSH provides is state of the art; there is no known way to break it. You can further improve security on the Tor side by using authorized hidden services. This will make the domain inaccessible to all but your client. Note that this only works with v2 hidden services, not the latest v3.



            The only remaining attack would be a man-in-the-middle attack. You can copy over the host key from the server to your client, just like you copied a key to make public key authentication possible. This will completely mitigate man-in-the-middle attacks and the client will warn you if an attempt is detected.



            See also What is the difference between authorized_keys and known_hosts file for SSH?






            share|improve this answer




























              4














              If you are using public key authentication for SSH, no one can log in to the server without having the corresponding private key. This is as secure, and usually more secure, than password authentication. The encryption OpenSSH provides is state of the art; there is no known way to break it. You can further improve security on the Tor side by using authorized hidden services. This will make the domain inaccessible to all but your client. Note that this only works with v2 hidden services, not the latest v3.



              The only remaining attack would be a man-in-the-middle attack. You can copy over the host key from the server to your client, just like you copied a key to make public key authentication possible. This will completely mitigate man-in-the-middle attacks and the client will warn you if an attempt is detected.



              See also What is the difference between authorized_keys and known_hosts file for SSH?






              share|improve this answer


























                4












                4








                4






                If you are using public key authentication for SSH, no one can log in to the server without having the corresponding private key. This is as secure, and usually more secure, than password authentication. The encryption OpenSSH provides is state of the art; there is no known way to break it. You can further improve security on the Tor side by using authorized hidden services. This will make the domain inaccessible to all but your client. Note that this only works with v2 hidden services, not the latest v3.



                The only remaining attack would be a man-in-the-middle attack. You can copy over the host key from the server to your client, just like you copied a key to make public key authentication possible. This will completely mitigate man-in-the-middle attacks and the client will warn you if an attempt is detected.



                See also What is the difference between authorized_keys and known_hosts file for SSH?






                share|improve this answer














                If you are using public key authentication for SSH, no one can log in to the server without having the corresponding private key. This is as secure, and usually more secure, than password authentication. The encryption OpenSSH provides is state of the art; there is no known way to break it. You can further improve security on the Tor side by using authorized hidden services. This will make the domain inaccessible to all but your client. Note that this only works with v2 hidden services, not the latest v3.



                The only remaining attack would be a man-in-the-middle attack. You can copy over the host key from the server to your client, just like you copied a key to make public key authentication possible. This will completely mitigate man-in-the-middle attacks and the client will warn you if an attempt is detected.



                See also What is the difference between authorized_keys and known_hosts file for SSH?







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 29 mins ago

























                answered 49 mins ago









                forest

                32.5k15104110




                32.5k15104110






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Information Security Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200792%2fis-ssh-without-a-password-secure-enough%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Eastern Orthodox Church

                    Image
                    Not to be confused with Oriental Orthodoxy, Eastern Christianity, or Eastern Catholic Churches. "Eastern Orthodoxy", "Orthodox Church", "Orthodox Catholic Church", and "Orthodox Christian Church" redirect here. For other uses, see Orthodox (disambiguation). This article may be too long to read and navigate comfortably . The readable prose size is 132 kilobytes. Please consider splitting content into sub-articles, condensing it, or adding or removing subheadings. ( January 2018 ) Part of a series on the Eastern Orthodox Church Mosaic of Christ Pantocrator, Hagia Sophia Overview Structure Theology (History of theology) Liturgy Church history Holy Mysteries View of salvation View of Mary View of icons Background Crucifixion / Resurrection / Ascension of Jesus Christianity Christian Church Apostolic succession Four Marks of the Church Orthodoxy Organization Autocephaly Patriarchate ...
                    Read more

                    Zagreb

                    Image
                    This article is about the Croatian capital city. For other uses, see Zagreb (disambiguation). City in City of Zagreb, Croatia Zagreb City Grad Zagreb City of Zagreb Clockwise, from top: St. Mark's Square, Croatian State Archives, Zagreb Tram, Art Pavilion, Cibona & HOTO towers and Croatian National Theatre. Flag Coat of arms Zagreb Location of Zagreb in Croatia Show map of Croatia Zagreb Zagreb (Europe) Show map of Europe Coordinates: 45°49′N 15°59′E  /  45.817°N 15.983°E  / 45.817; 15.983 Coordinates: 45°49′N 15°59′E  /  45.817°N 15.983°E  / 45.817; 15.983 Country   Croatia County City of Zagreb RC diocese 1094 Free royal city 1242 Unified 1850 Subdivisions 17 city districts 218 local committees (70 settlements) Government  • Type Mayor-Council  • Mayor Milan Bandić (BM 365)  • City Assembly 51 members BM 365, ZL, NS-R (14) SDP, GLAS, HNS, HSS, NH-PS (13) ...
                    Read more

                    Understanding the information contained in the Deep Space Network XML data?

                    Image
                    up vote 1 down vote favorite NASA's Deep Space Network activity can be viewed conveniently at https://eyes.nasa.gov/dsn/dsn.html but if you would like data in a more raw XML form, it can be accessed as described in this answer Below is a small Python script that reads the XML into a list of dictionaries, and saves it to disk as a JSON. The dictionaries are organized at the higher level by dish, then by spacecraft per dish. Question: What are the most-likely meanings of all the data field contained in the Deep Space Network XML data? This is the example url from the other answer, used in the script below: https://eyes.nasa.gov/dsn/data/1365107113.xml def dictify(r,root=True): # https://stackoverflow.com/questions/2148119/how-to-convert-an-xml-string-to-a-dictionary-in-python/30923963#30923963 if root: ret...
                    Read more