Public Keys and Security

The distribution layer in 3FCS is based on secure shell (SSH), a network protocol that allows data to be exchanged over a secure channel between two computers. SSH uses public-key cryptography, for example the RSA algorithm, to authenticate the remote computer. The public key can be used to encrypt a message, and only the holder of the private key can decrypt it. RSA can therefore be used for secure authentication without transmitting any confidential information over the network.

In practice, ssh-keygen is run on a computer, A, to generate a public key and the corresponding private (secret) key. The public key is then copied from A to another computer, B. On B, the public key is appended to the file ~/.ssh/authorized_keys in the home directory of user bobby@B. The user of A, who has access to the private key, can now log in to computer B with ssh -i ~/.ssh/private_key bobby@B. If the private key is stolen from A, the account bobby@B, and potentially the whole computer B, is exposed, because the thief can use the private key to access bobby's account on B. The private key is therefore encrypted, so that a secret passphrase is needed to use it.

3FCS uses the RSA authentication protocol and forced-command keys. A forced-command key is an ordinary public key that has an associated command that is to be executed when somebody with the corresponding private key logs in. In other words, the command that is specified in the forced-command key is the only command that anybody with access to the private key can execute. You have control over the keys in your ~/.ssh/authorized_keys file. Consequently, you may change or remove the forced-command keys at any time. When the key is removed, the matching private key can no longer be used to execute that command on your system.
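As an added example (not code from 3FCS), the following check parses one line of an ~/.ssh/authorized_keys file and reports whether it is a forced-command key and whether it also carries the OpenSSH options (no-pty, no-port-forwarding, no-agent-forwarding, no-X11-forwarding, or the combined restrict) that stop the key from being used for anything but its command. The sample entry, its command path and its key material are constructed placeholders.

```python
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Options that stop a forced-command key from being used for anything but its command.
RECOMMENDED = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}
# Constructed sample entry of the kind 3FCS installs; path and key material are placeholders.
SAMPLE = ('command="/PLACEHOLDER/3fcs-driver",no-pty,no-port-forwarding,no-agent-forwarding,'
          'no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER 3fcs@server')

def parse_authorized_key(line):
    """Return {'type', 'command', 'options'} for one entry, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, cur, quoted, i = [], "", False, 0
    if line.split(None, 1)[0] not in KEY_TYPES:   # an options field precedes the key type
        while i < len(line):
            c = line[i]
            if quoted and c == "\\":              # keep an escaped character verbatim
                cur += line[i:i + 2]; i += 2; continue
            if c == '"':
                quoted = not quoted
            if c == "," and not quoted:           # unquoted comma separates options
                options.append(cur); cur = ""
            elif c.isspace() and not quoted:      # unquoted space ends the options field
                break
            else:
                cur += c
            i += 1
        options.append(cur)
    rest = line[i:].split()
    if not rest or rest[0] not in KEY_TYPES:
        return None
    command, opts = None, set()
    for opt in options:
        name, _, value = opt.partition("=")
        opts.add(name.lower())                    # every option name, "command" included
        if name.lower() == "command":             # drop the surrounding double quotes
            command = value[1:-1] if len(value) > 1 and value[0] == value[-1] == '"' else value
    return {"type": rest[0], "command": command, "options": opts}

def audit(line):
    """Findings for one authorized_keys entry; an empty list means it is locked down."""
    info = parse_authorized_key(line)
    if info is None:
        return ["not a key entry"]
    missing = set() if "restrict" in info["options"] else RECOMMENDED - info["options"]
    findings = ["missing " + r for r in sorted(missing)]
    if info["command"] is None:
        findings.insert(0, "no forced command: the key grants an interactive shell")
    return findings
```

Run audit over every line of your authorized_keys file to confirm that each 3FCS key really is limited to its driver command.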

If somebody managed to steal a 3FCS private key together with some addresses of computers that hold the matching public keys, that person could start 3FCS drivers on those computers. However, the drivers have simple user interfaces (KISS principle) and are designed to pose no danger to your system even if a person with malicious intent gained access to them: there are no shell escapes, no execution of system commands, and all input other than the pre-defined commands and floating point numbers is ignored.

In addition to this precaution, the private keys are kept separate from the web server. 3FCS has a client-server architecture, and the web server uses the 3FCS client interface to submit jobs and receive results. The 3FCS servers are the only processes that have access to the private keys, and they are independent of the web server.

The forced-command public keys are available here.