
Category: Security

SSH Login without Password

Have you copied your public key to your remote ~/.ssh/authorized_keys file and are still being prompted for your password? There’s a good chance that the permissions are wrong on that file. If you look at the ssh logs, you can see entries like this:

$ sudo tail /var/log/secure
Jun  5 17:27:16 server sshd[12001]: Authentication refused: bad ownership or modes for file /home/sean/.ssh/authorized_keys

Change the permission mode to 600 and you should be able to log in as intended.
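The “bad ownership or modes” refusal comes from sshd’s StrictModes check, which looks at the home directory, ~/.ssh and authorized_keys and rejects any of them that is owned by someone else or writable by group or others. The script below is an added example, not code from the original post: it applies the same checks to a path so you can see which of the three is at fault before touching the logs. build_fixture() creates a throw-away directory layout with a constructed placeholder key purely for demonstration; the real check is check_ssh_modes(), which you can point at your own ~/.ssh/authorized_keys.

```python
"""Added example (not from the original post): reproduce the ownership and
mode checks sshd applies under StrictModes to the home directory, ~/.ssh and
authorized_keys, and report which path would make it refuse the key."""
import os
import stat
import tempfile

# The 022 bits: writable by group or by others. sshd rejects either.
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def check_ssh_modes(authorized_keys):
    """Return a list of human-readable problems for the home directory,
    the .ssh directory and the authorized_keys file; an empty list means
    sshd's StrictModes check would accept them."""
    ssh_dir = os.path.dirname(authorized_keys)
    home = os.path.dirname(ssh_dir)
    problems = []
    for path in (home, ssh_dir, authorized_keys):
        try:
            st = os.stat(path)
        except OSError as exc:
            problems.append(f"{path}: {exc.strerror}")
            continue
        # sshd accepts the user's own files and, for the directories, root's.
        if st.st_uid not in (os.getuid(), 0):
            problems.append(f"{path}: owned by uid {st.st_uid}, not by you")
        if st.st_mode & GROUP_OR_WORLD_WRITE:
            mode = oct(stat.S_IMODE(st.st_mode))
            problems.append(f"{path}: mode {mode} is group- or world-writable")
    return problems


def build_fixture(dir_mode=0o700, keys_mode=0o600):
    """Constructed layout for demonstration only:
    <tmp>/home/.ssh/authorized_keys with the requested modes."""
    home = os.path.join(tempfile.mkdtemp(), "home")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    keys = os.path.join(ssh_dir, "authorized_keys")
    with open(keys, "w", encoding="utf-8") as fh:
        # Placeholder key material, not a real key.
        fh.write("ssh-ed25519 AAAA-placeholder-not-a-real-key user@laptop\n")
    os.chmod(home, 0o755)      # typical home directory: readable, not writable by others
    os.chmod(ssh_dir, dir_mode)
    os.chmod(keys, keys_mode)
    return keys


if __name__ == "__main__":
    # Constructed cases: one correct layout, then the two usual mistakes.
    for dir_mode, keys_mode in ((0o700, 0o600), (0o700, 0o664), (0o775, 0o600)):
        keys = build_fixture(dir_mode, keys_mode)
        print(f".ssh={oct(dir_mode)} authorized_keys={oct(keys_mode)}:",
              check_ssh_modes(keys) or "OK")
    # Your own account, if the file exists.
    real = os.path.expanduser("~/.ssh/authorized_keys")
    if os.path.exists(real):
        print(real, check_ssh_modes(real) or "OK")
```

The post’s fix (mode 600 on authorized_keys) is the conventional choice; sshd is only strict about the write bits, so 644 also passes, but a group- or world-writable ~/.ssh directory fails the check just as the file does, which is why the script looks at all three paths. When the check fails, `chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys` clears both common causes.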

Dealing with Passwords the Right Way

At some point in time, every web developer is going to have to deal with users logging into their application. This means storing the user’s username and password in a database, right? Wrong. There is absolutely no need to store a password. Ever. End of story.

So how do we verify that the user has entered the correct password? It’s actually very simple. Instead of storing the user’s password, one should store the SHA-2 or MD5 hash of their password. Hashes are a form of one-way encryption that produce unique output for different inputs. That is, “Red123” would produce a different hash than “red123”, or even “R ed123”. By comparing the hashes, you can ensure that your user is entering the right password, while protecting their password in the case that your database is stolen.

In PHP, these hashes are really easy to produce. For MD5, it’s as simple as:

$hash = md5($input);

For SHA-2 (technically SHA-256), there’s a little more typing, but not much.

$hash = hash("sha256", $input);

Using $hash in your SELECT and INSERT SQL statements, instead of $input, will secure your data and keep users happy.

Plus it’s just good form.
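The following is an added example, not code from the original post, written in Python rather than PHP so that it can be run as-is. plain_hash() is the post’s approach: the bare SHA-256 (or MD5) digest of the password, which shows the case-sensitivity point above (“Red123”, “red123” and “R ed123” all hash differently). Because that digest is deterministic, two users with the same password get the same stored value, and a stolen table can be attacked with precomputed hashes, so make_password_record() and verify_password() show the refinement current practice adds: a random per-user salt and a deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library), with a constant-time comparison on verification. The record format and the function and parameter names are this example’s own choices, not any library’s API.

```python
"""Added example (not from the original post): the plain hash the post
describes beside a salted, iterated password record, with verification."""
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 work factor for new records; raise it as hardware allows.
ITERATIONS = 600_000


def plain_hash(password, algorithm="sha256"):
    """What the post stores: hash(password). Deterministic, so identical
    passwords produce identical values; 'Red123' and 'red123' differ."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def make_password_record(password, salt=None, iterations=ITERATIONS):
    """Salted, slow hash. A fresh 16-byte random salt per record means equal
    passwords no longer share a stored value, and the iteration count makes
    each guess against a stolen table expensive. Format (this example's own):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ("Red123", "red123", "R ed123"):
        print(f"{pw!r:12} sha256={plain_hash(pw)[:16]}...  md5={plain_hash(pw, 'md5')[:16]}...")
    # Same password, two records: different salts, both verify.
    first = make_password_record("Red123")
    second = make_password_record("Red123")
    print("records identical:", first == second)
    print("verify correct:", verify_password("Red123", first), verify_password("Red123", second))
    print("verify wrong case:", verify_password("red123", first))
```

The stored string still goes into your INSERT and SELECT statements in place of the password, as the post says; the difference is that the login path now calls verify_password() with the stored record instead of comparing two bare digests.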

Cryptography Presentation

Tomorrow, I am giving a presentation on cryptography. It’s not particularly in depth, but covers a lot of topics. The slides and my notes will be available tomorrow afternoon, if not sooner.