Nope! An SSH key will not do the trick here. If the PHP file is
compromised or someone has access to it (from the terminal), then both
the SSH public and private keys are also compromised. Anyone having access to
your private and public keys can easily install those on a system and
have access to the target system. When you do SSH key authentication
between two machines (at the bash level) etc., normally a challenge
phrase is not included, otherwise you get asked for the challenge phrase
on every connection. Yes, you can write a script to transmit that
challenge key as well, but that defeats the purpose, as you would need
to hard-code or keep in a separate file a copy of the challenge
response. And that goes back to the primary question and concern if
files are compromised. It goes back to the chicken-and-egg dilemma.

On that note, even with SSH keys and a pass phrase challenge, as long as
anyone has access to both your pub and priv keys, a brute-force technique
only takes seconds to hours to systematically fetch the pass phrase /
challenge response.

Kind regards,
Reza.
--
FOUNDER & SR. TELECOM ANALYST
VOIPERNETICS COMMUNICATIONS <http://www.voipernetics.com/>
Brian Chamberlain wrote the following on 9/17/2011 7:30 PM:
On 18 Sep 2011, at 00:22, Reza - Voipernetics wrote:
We've written some code for a client that does call recording and archiving,
and within the application is hardcoded an alphanumeric SSH login and password.
We tried to encrypt and obfuscate our PHP code using:
SourceGuardian
ionCube
and good old Zend encoder!
These obfuscations were reverse engineered and un-obfuscated online by free
apps such as dezender, ionCube Decrypter and a few other open source freely
available tools.
At this stage, because the login data is critically sensitive, I am willing to
go as far as installing some sort of encrypter that depends on installing an
Apache module, versus stand-alone obfuscation techniques and software.
Any suggestions and advice are welcome.
Thank you.
SSH keys instead of auth?
Brian Chamberlain
I.P. Telecom Limited
Unit 9a Plato Business Park
Blanchardstown
Dublin 15
Tel: +353 1 6877777
Mobile: +353 86 3883003
Email: [email protected]
http://www.iptel.co
http://www.iptelecom.ie
http://www.hostedpbx.ie