Psychotomy

i swear, i’m gonna make a new cat for security shit.  or programming shit.  or both, but they’d overlap a lot.  of course they overlap work most times, too.  go figure

anyway.  mysql5 (maybe 4) added the option for SSL Client Certificates to authenticate a user, instead of using passwords.  This is handy, if, for instance, you want to be able to log into a shitload of different databases without having to use a shitload of different passwords.  b/c using the same password a bunch of times would be bad.  except when it’s not (don’t get me started on security here; that’ll be another day i’m sure)

ssh uses keys.  which are generated from certs, in a way.  or are a part of a cert.  something like that.  definitely something.  the first s is the same in both.  and ssh uses a modified ssl (secure socket layer; just means the communication is encrypted, honestly; secure shell, means the shell itself is just a fucking shell.  the communication is encrypted however; go figure).  but ssh credentials are called “keys” and are, AFAICT, different from ssl “certs” (or certificates).  and ssh clients tend to have bundled an app called a “key agent” which monitors what keys you have, and then just presents the fuckers to the server when it asks, so it can say “oh, ok, yeah.  that guy, sure come in”.

which is what an SSL Client Cert would do for a mysql system.  (SSL usually refers to the server end.  HTTPS, server has a cert and gives it to the user saying “see, i’m me!  here’s my papers!”; client certs are the other direction.  you’ve verified the server (or you don’t give a shit) and now you’re presenting your papers “Ja.  I veesh to kom een.” and then the server says “ah, friedreich!” or throws you out a window onto a pile of luggage and says “no papers” to the other clients trying to connect so they all fish out their certs and wave them in the air)

so, my current (self proferred) task at work?  i’m trying to find a way to use ssh keys (which we all have if we want to log into anything more than our desktop and we forward around with ssh-key-agent and the ssh client/server encrypted secure communications SOCKET LAYER) to let me into mysql servers.  either turning a key into a cert (if there really is a difference (and i’m sure there is, lathough it may just be the cruft that a cert has that a key doesn’t worry about)), pulling a cert from a key (which i don’t think is possible, since certs have more (See preveious par-unethical comment)), or agenting a certificate (preferably t hrough the ssh-key-agent, which wouldn’t make any sense, or through some other agent that can piggyback into the ssh channel (uh, hello, encrypted?) and forward around the cert)

b/c, see, the private cert (ie passport) stays on you at all times.  you can’t just stick it on the server and figure you can just grab it when you need it.  b/c then when someone else breaks into your locker, they’re you.  i mean, they need a password, but those are relatively meaningless, b/c most people tend to use their birthday (july01) or their mother’s maiden name (jones) or something equally stupid.  coupled with the fact that they’ll tell anyone who asks what it is or how to guess it.  people are idiots.

i wonder if a cert, encrypted with a key, is secure … b/c then the key is the one you’re forwarding all over. .. except you don’t actually forward the key, rather you forward some fingerprint of the key or something.  b/c forwrding the key around is STUPID since the whole point is to keep it secure and close …

Posted in: work by attriel /