Disable local storage (Known hosts) - security problem, private key stored in clear in local storage on browser
Is it possible to disable local storage usage with env vars? The sshwifty-knowns key in local storage in the browser also stores the private key. Anyone who can access the sshwifty web, even if not logged in, can view all private keys.
Greetings,
Sshwifty should not save private keys or passwords to sshwifty-knowns unless they were delivered through Presets. If you find it doesn't work like that, then it's probably a bug.
Can you share the exact steps that lead to the password being saved?
Also, while we're at it, it is not recommended to add things you want to keep secret in Presets, as all Presets are sent to the client in clear text out in the open (as described under: https://github.com/nirui/sshwifty/blob/01e3e595aef1251084646ccec9805a6450d7d48e/README.md#configuration-file-option-and-descriptions)
> Also, while we're at it, it is not recommended to add things you want to keep secret in Presets, as all Presets are sent to the client in clear text out in the open (as described under: https://github.com/nirui/sshwifty/blob/01e3e595aef1251084646ccec9805a6450d7d48e/README.md#configuration-file-option-and-descriptions)
Are there any plans to change that? I'd like to use sshwifty as a guacamole alternative and declare available connections while deploying.
Now presets seem an obvious choice here, but the fact that the private key gets stored in local storage keeps me from using them. On the other hand, when not using presets, I don't really have a way to preconfigure the known connections to my hosts and would have to enter them again every time. Sometimes the latter wouldn't even be possible because I might not have access to my private SSH key when I'm on some other machine and quickly want to connect to my server.
Hi @Tarow,
> Now presets seem an obvious choice here, but the fact that the private key gets stored in local storage keeps me from using them. On the other hand, when not using presets, I don't really have a way to preconfigure the known connections to my hosts and would have to enter them again every time. Sometimes the latter wouldn't even be possible because I might not have access to my private SSH key when I'm on some other machine and quickly want to connect to my server.
Sorry for the confusion there.
Private keys and passwords are stored in local storage if and only if a preset defines them. In such a case, the secret information will be stored as part of the connection history (Connected Before list).
It is possible to leave the preset fields Private Key and Password undefined/empty so the user has to enter them, and if so, then the Private Key or Password will never be stored, just like if the user was connecting through the connection wizard manually.
Sshwifty doesn't really work like Guacamole; the connection parameters are always configured by the client for each and every connection. That's why some information must be sent to the client in order for it to establish the connection. Maybe this could be resolved by letting the server handle part of the procedure, but that requires some non-trivial rework of the software.
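Added example, not part of the thread or of the Sshwifty project: a Go check that flags presets defining the `Password` or `Private Key` fields discussed above, so a config can be reviewed before it is deployed. The `Presets`/`Title`/`Host`/`Meta` JSON layout is an assumption about the config file, and the sample config is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed shape of the "Presets" section of a Sshwifty config file.
type config struct {
	Presets []struct {
		Title string
		Host  string
		Meta  map[string]string
	}
}

// Preset fields the thread names as ending up in browser local storage.
var secretFields = []string{"Password", "Private Key"}

// auditPresets returns one finding per non-empty secret field defined in a preset.
func auditPresets(raw []byte) ([]string, error) {
	var c config
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	var findings []string
	for _, p := range c.Presets {
		for _, f := range secretFields {
			if strings.TrimSpace(p.Meta[f]) != "" {
				findings = append(findings, fmt.Sprintf("%s (%s): %q is set", p.Title, p.Host, f))
			}
		}
	}
	return findings, nil
}

// Constructed sample config; titles, hosts and secret values are placeholders.
const sampleConfig = `{"Presets": [
 {"Title": "shell", "Type": "SSH", "Host": "192.0.2.5:22", "Meta": {"User": "ops", "Authentication": "Password"}},
 {"Title": "lab-pi", "Type": "SSH", "Host": "192.0.2.10:22", "Meta": {"User": "pi", "Authentication": "Private Key", "Private Key": "PLACEHOLDER-KEY"}},
 {"Title": "backup", "Type": "SSH", "Host": "192.0.2.20:22", "Meta": {"User": "bk", "Authentication": "Password", "Password": "PLACEHOLDER"}}
]}`

func main() {
	findings, err := auditPresets([]byte(sampleConfig))
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

A preset that only sets `Authentication` and leaves the secret field empty, like the first one in the sample, produces no finding.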
Probably in the same direction as this, would it be possible to use the existing ./ssh/config configuration on the host?
Hi @alejakun,
> Probably in the same direction as this, would it be possible to use the existing ./ssh/config configuration on the host?

Given how the Sshwifty server and client handle presets, it might be a problem if we let Sshwifty handle ~/.ssh/config directly, since the file might contain secrets that are actively in use. Can't really encourage that unless Sshwifty handles presets differently (i.e. on the server only, with no info sent to the client).
I think I see the rationale behind that, though I also think it would be a nice option to have, since I believe once you have several ssh connections, the ~/.ssh/config is a very standard way to manage them.
Anyways, I love the application BTW, lately I was looking for something of the sort and all other options I found are way too complicated or don't play well with my environment (Raspberry Pi), just wish there would be an easy way to import all my current configuration and what's maybe more difficult, keep it up to date.