2

I am writing a simple Flask application to submit scientific tasks to remote HPC resources. My application talks to remote machines in the background via SSH (because it is widely available on various HPC resources). To be able to maintain this connection in the background, I need either to use the user's SSH keys on the running machine (when users have passwordless SSH access to the remote machine) or to store the user's credentials for the remote machines.

I am not sure which path to take: should I store the remote machine's username/password, or should I store the user's SSH key pair in the database?

I want to know what the correct and safe way is to connect to remote servers in the background in the context of a web application.

mehdix

1 Answer

1

SSH keys are usually better than passwords because:

  • You can configure a different key for different scenarios, e.g. for different client machines or different applications. If one becomes compromised, you can remove that key from the server but clients using the other key will continue functioning normally. With a password, you only have one, so you can't change it for some clients without forcing others to change as well.
  • Keys of reasonable length are much harder to crack than passwords.
  • People may write down their passwords on a post-it note and put it at risk of being seen by someone else. Keys are so long nobody will print them out.
Michał Kosmulski
  • Depending on exactly how your application works, you may want to preload the keys with `ssh-agent` to move some of the responsibility out of your process. – o11c Aug 26 '14 at 06:14
  • Thank you @Michal, I am convinced that SSH keys are better but I still need to know how to store them safely. My users have their own account on remote machines and my server acts like a bridge in between. – mehdix Aug 26 '14 at 09:51
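
An added illustration of the answer's first point, not code from the answer or its author: removing one application's key from an `authorized_keys` file by its SHA256 fingerprint while leaving every other key in place. The key material is constructed from seeds rather than real keys, and the `command=` path and the entry comments are hypothetical.

```python
import base64
import hashlib
import struct

def key_blob(line: str):
    """Return the decoded public-key blob from an authorized_keys line, or None."""
    # Options may precede the key and can contain spaces, so look for a token
    # followed by base64 data whose embedded type string matches that token.
    tokens = line.split()
    for key_type, b64 in zip(tokens, tokens[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        name = key_type.encode()
        if blob.startswith(struct.pack(">I", len(name)) + name):
            return blob
    return None

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def revoke(authorized_keys: str, fp: str):
    """Drop only the entries whose fingerprint equals fp; keep all other lines."""
    kept, removed = [], 0
    for line in authorized_keys.splitlines():
        blob = key_blob(line)
        if blob is not None and fingerprint(blob) == fp:
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def sample_entry(seed: bytes, comment: str, options: str = "") -> str:
    """Constructed sample entry: 32 bytes derived from a seed, not a real key."""
    name = b"ssh-ed25519"
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw
    return f"{options} ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip()

# Hypothetical entries: one key for the web application, one for the user's laptop.
WEB = sample_entry(b"web", "webapp-bridge", 'command="/opt/hpc/submit --queue batch",restrict')
LAPTOP = sample_entry(b"laptop", "user-laptop")
SAMPLE = "# constructed authorized_keys file\n" + WEB + "\n" + LAPTOP + "\n"
```

Calling `revoke(SAMPLE, fingerprint(key_blob(WEB)))` returns the file with only the web application's entry removed, so the laptop key keeps working.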