For a long time I've been using a very simple setup on Windows to manage Linux servers: just plain old putty, pageant, winscp and the like. With the recent implementation and advances on WSL, I felt it was time to test using WSL to have a better environment, and it has been a very good experience so far.
As this setup required a few tinkering around to get everything into place, I'll be writing up a few of the thoughts and tricks I've gathered along the way. For start, let's talk a little about something which caught me by surprise: the native Windows' OpenSSH ssh-agent key handling.
The first piece of our small puzzle to make a Windows station a good administration platform for Linux servers is to have ssh connection to those servers. Windows terminal is a good start, being a tabbed multi-terminal with support for cmd, powershell and WSL.
After that, it was a very interesting to discover there's a native port of OpenSSH for Windows available. At first sight, this could be an interesting tool to get this level of access without even needing to use WSL. But there's a catch...
To use ssh, you'll be willing to load your ssh key over an agent so you don't have to type your super-secret-long-passphrase every time, having it work automagically during your work session. The concept around ssh-agent is that your decryptographed key will stay in memory, never touching disk / permanent storage, and as such will be securely erased when you unload it and/or power down (assuming no one is going to do some crazy ninja cold RAM data extraction to get your ssh-key).
By the other hand, Windows' openssh port just disregarded the whole concept and instead permanently store your ssh key on Windows Registry, which in turn get persisted on disk itself. While it seems to be cryptographed over some kind of user-context security, it didn't really strike me as particularly safe, and there's some article somewhere explaining how it could be recovered by someone with access and how it would be very hard to get it fully out of disk once it gets there.
While I didn't dig much deeper in this, what I saw was enough to convince me to stay away from windows' openssh - there certainly seems to be some risk, and wsl + ubuntu ssh works perfectly fine for my needs.
No comments:
Post a Comment