[opensuse] How to make dolphin save sftp password?
Hi,
here on OS 15.1 I often use dolphin to connect via sftp to my servers. It asks me for the password, and then it remembers it until I log out of my local KDE or reboot the local machine.
There is no check-box "remember password" or similar in the password dialog, only the field to enter it.
I would like to have it saved in KWallet, and this is installed and running, but empty...
What can I do?
--
Daniel Bauer photographer Basel Málaga https://www.patreon.com/danielbauer https://www.daniel-bauer.com
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
* Daniel Bauer <linux@daniel-bauer.com> [10-09-20 09:02]:
Hi,
here on OS 15.1 I often use dolphin to connect via sftp to my servers. It asks me for the password, and then it remembers it until I log out of my local KDE or reboot the local machine.
There is no check-box "remember password" or similar in the password dialog, only the field to enter it.
I would like to have it saved in KWallet, and this is installed and running, but empty...
What can I do?
perhaps easier to solve by using ssh-keygen ssh-copy-id
--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On 09/10/2020 15.51, Patrick Shanahan wrote:
* Daniel Bauer <linux@daniel-bauer.com> [10-09-20 09:02]:
Hi,
here on OS 15.1 I often use dolphin to connect via sftp to my servers. It asks me for the password, and then it remembers it until I log out of my local KDE or reboot the local machine.
There is no check-box "remember password" or similar in the password dialog, only the field to enter it.
I would like to have it saved in KWallet, and this is installed and running, but empty...
What can I do?
perhaps easier to solve by using ssh-keygen ssh-copy-id
Still kwallet should store the passphrase. -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
On 09.10.20 at 15:51, Patrick Shanahan wrote:
* Daniel Bauer <linux@daniel-bauer.com> [10-09-20 09:02]:
Hi,
here on OS 15.1 I often use dolphin to connect via sftp to my servers. It asks me for the password, and then it remembers it until I log out of my local KDE or reboot the local machine.
There is no check-box "remember password" or similar in the password dialog, only the field to enter it.
I would like to have it saved in KWallet, and this is installed and running, but empty...
What can I do?
perhaps easier to solve by using ssh-keygen ssh-copy-id
Hm. So I was reading a bit about keygen. At first it seems easy, but actually I don't really understand it :-) So please excuse my stupid questions:
I guess, I'd have to do the following on my local machine:
---
ssh-keygen -f ~/mypath/myfilename -t rsa -b 4096
(or better ssh-keygen -f ~/mypath/myfilename -t ecdsa -b 521 ?)
ssh-copy-id -i ~/mypath/myfilename MyUserName@MyServer
---
and that's all? In future I can open dolphin and go to sftp://MyUserName@MyServer and will not be asked for a password anymore? It just connects? (And what happens when I go to the console and type ssh MyUserName@MyServer ?)
if so: As I have several servers, can I now just do
ssh-copy-id -i ~/mypath/myfilename MyOtherUserName@MyOtherServer
? Or do I have to do ssh-keygen, ssh-copy-id with a new passphrase for the other servers?
Finally:
- what do I do with the displayed key fingerprint? What is it for?
- what is the key's randomart image for?
Really finally: on another machine (my laptop) I will have to do the complete ssh-keygen, ssh-copy-id, but could use the same passphrase, I guess? Or can I simply copy the ~/mypath/myfilename to the other machine?
Thanks for your help!
Daniel
--
Daniel Bauer photographer Basel Málaga https://www.patreon.com/danielbauer https://www.daniel-bauer.com
Daniel Bauer wrote:
Hm. So I was reading a bit about keygen. At first it seems easy, but actually I don't really understand it :-) So please excuse my stupid questions:
I guess, I'd have to do the following on my local machine: --- ssh-keygen -f ~/mypath/myfilename -t rsa -b 4096 (or better ssh-keygen -f ~/mypath/myfilename -t ecdsa -b 521 ?)
For your purposes, it doesn't really matter. rsa is the de facto standard, but is theoretically breakable - ecdsa is likely to be the next "standard" algorithm. ed25519 is faster than both of those.
ssh-copy-id -i ~/mypath/myfilename MyUserName@MyServer ---
and that's all?
You will perhaps want to disable password logins on the target machine, that is up to you.
In future I can open dolphin and go to sftp://MyUserName@MyServer and will not be asked for a password anymore? It just connects? (And what happens when I go to the console and type ssh MyUserName@MyServer ?)
Both of them work, without having to enter a password.
if so: As I have several servers, can I now just do
ssh-copy-id -i ~/mypath/myfilename MyOtherUserName@MyOtherServer
?
Correct.
Really finally: on another machine (my laptop) I will have to do the complete ssh-keygen, ssh-copy-id, but could use the same passphrase, I guess? Or can I simply copy the ~/mypath/myfilename to the other machine?
Just copy to that other machine, yes.
--
Per Jessen, Zürich (11.1°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 11/10/2020 12.17, Daniel Bauer wrote:
On 09.10.20 at 15:51, Patrick Shanahan wrote:
* Daniel Bauer <> [10-09-20 09:02]:
Hi,
here on OS 15.1 I often use dolphin to connect via sftp to my servers. It asks me for the password, and then it remembers it until I log out of my local KDE or reboot the local machine.
There is no check-box "remember password" or similar in the password dialog, only the field to enter it.
I would like to have it saved in KWallet, and this is installed and running, but empty...
What can I do?
perhaps easier to solve by using ssh-keygen ssh-copy-id
Hm. So I was reading a bit about keygen. At first it seems easy, but actually I don't really understand it :-) So please excuse my stupid questions:
I guess, I'd have to do the following on my local machine: --- ssh-keygen -f ~/mypath/myfilename -t rsa -b 4096 (or better ssh-keygen -f ~/mypath/myfilename -t ecdsa -b 521 ?)
ssh-copy-id -i ~/mypath/myfilename MyUserName@MyServer ---
I do:
    cd ${HOME}/.ssh/
    ssh-keygen
    cp id_rsa.pub id_rsa_this_machine.pub
    cp id_rsa id_rsa_this_machine
    ssh-copy-id -i id_rsa_this_machine.pub remotemachinename
(last command writes the appropriate line on remote machine ${HOME}/.ssh/authorized_keys file)
That's basically all.
Notice that I do set up a passphrase when running ssh-keygen. A strong one. This password is cached by the desktop keyword/keyphrase agent, which can be for ever, for the session, for a limited time...
Some people set the passphrase to nothing, but notice that in that case a /visitor/ to your home can access the remote machine without knowing any password by just typing ssh at your machine. A person that gains access to your machine immediately also gains access to every machine that you have the credentials for.
As I have several key files, I also edit ~/.ssh/config on local machine:
    Host eleanor.valinor
        IdentityFile /home/cer/.ssh/eleanor
        Port 1234
So that I only need to do "ssh eleanor.valinor" to use the appropriate settings for that remote access.
and that's all? In future I can open dolphin and go to sftp://MyUserName@MyServer and will not be asked for a password anymore? It just connects? (And what happens when I go to the console and type ssh MyUserName@MyServer ?)
Actually, I test first with ssh on terminal to see possible errors. When it is working, then I try other things like sftp.
if so: As I have several servers, can I now just do
ssh-copy-id -i ~/mypath/myfilename MyOtherUserName@MyOtherServer
? Or do I have to do ssh-keygen, ssh-copy-id with a new passphrase for the other servers?
You can do either.
Finally: - what do I do with the displayed key fingerprint? What is it for? - what is the key's randomart image for?
I save them. For verification. But I never used them.
Really finally: on another machine (my laptop) I will have to do the complete ssh-keygen, ssh-copy-id, but could use the same passphrase, I guess? Or can I simply copy the ~/mypath/myfilename to the other machine?
On every client machine I repeat the procedure. The key identifies a user and client machine, but can do so on several servers. IMHO. Maybe I'm more paranoid than Per ;-) -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
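The passphrase and fingerprint points raised in the message above, as an added example that is not part of the original thread or of any participant's message: a Python check that reads an OpenSSH-format private key, reports whether it is passphrase-protected, and computes the SHA256 fingerprint of its public key. The function names and the sample keys (correct container layout, dummy key bytes) are assumptions made for this illustration.

```python
import base64
import hashlib
import struct

MAGIC = b"openssh-key-v1\x00"  # header of OpenSSH's native private key format


def _s(data):
    """Encode one SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, off):
    """Decode one SSH wire 'string' at off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(pem_text):
    """Return (has_passphrase, fingerprint) for an OpenSSH-format private key."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    blob = base64.b64decode(body)  # bad padding raises a ValueError subclass
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    cipher, off = _read_string(blob, len(MAGIC))
    _kdf, off = _read_string(blob, off)
    _kdf_opts, off = _read_string(blob, off)
    pub, _ = _read_string(blob, off + 4)  # skip the uint32 key count
    digest = hashlib.sha256(pub).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    # Cipher "none" means the private part is stored unencrypted on disk.
    return cipher != b"none", fingerprint


def build_sample(cipher, kdf):
    """CONSTRUCTED sample: real container layout, dummy (unusable) key bytes."""
    pub = _s(b"ssh-ed25519") + _s(bytes(range(32)))
    kdf_opts = b"" if kdf == b"none" else _s(b"\x01" * 16) + struct.pack(">I", 16)
    blob = (MAGIC + _s(cipher) + _s(kdf) + _s(kdf_opts)
            + struct.pack(">I", 1) + _s(pub) + _s(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    wrapped = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(["-----BEGIN OPENSSH PRIVATE KEY-----", *wrapped,
                      "-----END OPENSSH PRIVATE KEY-----"])


if __name__ == "__main__":
    for label, cipher, kdf in (("no passphrase", b"none", b"none"),
                               ("passphrase set", b"aes256-ctr", b"bcrypt")):
        protected, fp = inspect_private_key(build_sample(cipher, kdf))
        print(f"{label}: protected={protected} fingerprint={fp}")
```

Keys in the older PEM container (for example "BEGIN RSA PRIVATE KEY") are not handled and raise ValueError. A key reported as unprotected can be given a passphrase afterwards with `ssh-keygen -p -f <keyfile>`.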
Carlos E. R. wrote:
Notice that I do set up a passphrase when running ssh-keygen. A strong one. This password is cached by the desktop keyword/keyphrase agent, which can be for ever, for the session, for a limited time...
Some people set the passphrase to nothing, but notice that in that case a /visitor/ to your home can access the remote machine without knowing any password by just typing ssh at your machine. A person that gains access to your machine immediately also gains access to every machine that you have the credentials for.
Perhaps it is worth stressing -
s/gains access to your machine/gains access to your user on your machine/
--
Per Jessen, Zürich (10.4°C)
On 11/10/2020 13.52, Per Jessen wrote:
Carlos E. R. wrote:
Notice that I do set up a passphrase when running ssh-keygen. A strong one. This password is cached by the desktop keyword/keyphrase agent, which can be for ever, for the session, for a limited time...
Some people set the passphrase to nothing, but notice that in that case a /visitor/ to your home can access the remote machine without knowing any password by just typing ssh at your machine. A person that gains access to your machine immediately also gains access to every machine that you have the credentials for.
Perhaps it is worth stressing -
s/gains access to your machine/gains access to your user on your machine/
No, also on any other remote machine to which you have set up ssh key-pair access without passphrase.
Once they gain access to my "local" machine somehow as my user, they can do "ssh remotemachine" and they are in to that other machine as well, posing as me.
Setting up passphrases halts this danger till they also find my passphrase or another hole.
--
Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
On 11.10.20 at 13:59, Carlos E. R. wrote:
On 11/10/2020 13.52, Per Jessen wrote:
Carlos E. R. wrote:
Notice that I do set up a passphrase when running ssh-keygen. A strong one. This password is cached by the desktop keyword/keyphrase agent, which can be for ever, for the session, for a limited time...
Some people set the passphrase to nothing, but notice that in that case a /visitor/ to your home can access the remote machine without knowing any password by just typing ssh at your machine. A person that gains access to your machine immediately also gains access to every machine that you have the credentials for.
Perhaps it is worth stressing -
s/gains access to your machine/gains access to your user on your machine/
No, also on any other remote machine to which you have set up ssh key-pair access without passphrase.
Once they gain access to my "local" machine somehow as my user, they can do "ssh remotemachine" and they are in to that other machine as well, posing as me.
Setting up passphrases halts this danger till they also find my passphrase or another hole.
Please explain:
if you have to enter a passphrase, what is the difference or the advantage of using keygen over using simply the password on connect?
My "problem" is exactly that I have to enter a password that I have to remember somehow. I wanted to solve this with saving it in kwallet (without password for kwallet). Then, of course, also anybody having access to my machine would have access to whatever is saved in kwallet, so again, no difference to keygen.
--
Daniel Bauer photographer Basel Málaga https://www.patreon.com/danielbauer https://www.daniel-bauer.com
11.10.2020 15:33, Daniel Bauer wrote:
if you have to enter a passphrase, what is the difference or the advantage of using keygen over using simply the password on connect?
a) password is not transmitted over network
b) as key belongs to you, it provides non-repudiable audit trail that it was *you* who accessed the system
c) it is easier to disable access *for a single person* by just removing key of this person without going through changing and distributing new password to everybody (doing it securely is not a trivial task by itself)
d) it is possible to associate single command with key, which allows you to execute single well-defined command remotely
My "problem" is exactly that I have to enter a password that I have to remember somehow. I wanted to solve this with saving it in kwallet (without password for kwallet). Then, of course, also anybody having access to my machine would have access to whatever is saved in kwallet, so again, no difference to keygen.
ssh supports smartcards (secure tokens), some of them support generating key pairs internally so private key never leaves smartcard and cannot be compromised. You obviously need to unlock it, but you also need to log into your system as well, so there is no way around it.
On 11/10/2020 14.33, Daniel Bauer wrote:
On 11.10.20 at 13:59, Carlos E. R. wrote:
On 11/10/2020 13.52, Per Jessen wrote:
Please explain:
if you have to enter a passphrase, what is the difference or the advantage of using keygen over using simply the password on connect?
IMO, that kwallet should be able to remember this passphrase for you. Maybe it is capable of remembering the passphrase of the keypair, but not the password of ssh. Under XFCE it works. You should check the settings of KWallet.
I see in my machine that I have running:
    /usr/bin/ssh-agent
    /usr/bin/gpg-agent
    /usr/lib/polkit-gnome-authentication-agent-1
Alternatively, you can define an empty passphrase, if your situation makes this safe.
--
Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
Carlos E. R. wrote:
On 11/10/2020 13.52, Per Jessen wrote:
Carlos E. R. wrote:
Notice that I do set up a passphrase when running ssh-keygen. A strong one. This password is cached by the desktop keyword/keyphrase agent, which can be for ever, for the session, for a limited time...
Some people set the passphrase to nothing, but notice that in that case a /visitor/ to your home can access the remote machine without knowing any password by just typing ssh at your machine. A person that gains access to your machine immediately also gains access to every machine that you have the credentials for.
Perhaps it is worth stressing -
s/gains access to your machine/gains access to your user on your machine/
No, also on any other remote machine to which you have set up ssh key-pair access without passphrase.
I meant - it is not enough to have access to your machine, you also need access to your user id. Or root, as Andrei pointed out.
--
Per Jessen, Zürich (10.6°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 11/10/2020 16.24, Per Jessen wrote:
Carlos E. R. wrote:
On 11/10/2020 13.52, Per Jessen wrote:
Carlos E. R. wrote:
Notice that I do set up a passphrase when running ssh-keygen. A strong one. This password is cached by the desktop keyword/keyphrase agent, which can be for ever, for the session, for a limited time...
Some people set the passphrase to nothing, but notice that in that case a /visitor/ to your home can access the remote machine without knowing any password by just typing ssh at your machine. A person that gains access to your machine immediately also gains access to every machine that you have the credentials for.
Perhaps it is worth stressing -
s/gains access to your machine/gains access to your user on your machine/
No, also on any other remote machine to which you have set up ssh key-pair access without passphrase.
I meant - it is not enough to have access to your machine, you also need access to your user id. Or root, as Andrei pointed out.
Yes, like I said, a visitor happening to see your open terminal at home can also ssh to the remote computer without a password. Or a remote hacker that somehow manages to get inside your machine.
If the machine thinks it is you, it will give you automatically access to any other machine to which you have created password-less ssh access, obviously as you.
Maybe this time I managed to explain myself? :-)
--
Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
11.10.2020 14:52, Per Jessen wrote:
Carlos E. R. wrote:
Notice that I do set up a passphrase when running ssh-keygen. A strong one. This password is cached by the desktop keyword/keyphrase agent, which can be for ever, for the session, for a limited time...
Some people set the passphrase to nothing, but notice that in that case a /visitor/ to your home can access the remote machine without knowing any password by just typing ssh at your machine. A person that gains access to your machine immediately also gains access to every machine that you have the credentials for.
Perhaps it is worth stressing -
s/gains access to your machine/gains access to your user on your machine/
or root
Daniel Bauer wrote:
Hi,
here on OS 15.1 I often use dolphin to connect via sftp to my servers. It asks me for the password, and then it remembers it until I log out of my local KDE or reboot the local machine.
There is no check-box "remember password" or similar in the password dialog, only the field to enter it.
I would like to have it saved in KWallet, and this is installed and running, but empty...
What can I do?
Set up key-based ssh authentication. That is also what Patrick suggested, he was being very concise :-) It isn't difficult, I'll be happy to help.
--
Per Jessen, Zürich (15.2°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
participants (5)
- Andrei Borzenkov
- Carlos E. R.
- Daniel Bauer
- Patrick Shanahan
- Per Jessen