Is ssh with public key authentication, no passwords secure enough?

If you are using public key authentication for SSH, no one can log in to the server without having the corresponding private key. This is as secure, and usually more secure, than password authentication. The encryption OpenSSH provides is state of the art; there is no known way to break it. You can further improve security on the Tor side by using authorized hidden services. This will make the domain inaccessible to all but your client. Note that this only works with v2 hidden services, not the latest v3.

The only remaining attack would be a man-in-the-middle attack. You can copy over the host key from the server to your client, just like you copied a key to make public key authentication possible. This will completely mitigate man-in-the-middle attacks and the client will warn you if an attempt is detected.

See also What is the difference between authorized_keys and known_hosts file for SSH?
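Two defender-side checks for the setup this answer describes, as an added example (not code from the answer or from OpenSSH): an auditor that reads an sshd_config and confirms password logins are off and public-key logins are on, and a known_hosts helper that computes the `SHA256:` fingerprint of a pinned host key so the copy on the client can be compared with what the server reports. The config text, the host name `example.onion` and the key blob are constructed samples; the blob is filler bytes, not a real key, and only plain (unhashed) known_hosts entries are handled.

```python
"""Added example: key-only sshd_config audit and host-key pin check.
Directive names are real OpenSSH directives; sample data is constructed."""
import base64
import hashlib

# Directive (lower-cased) -> value expected for key-only authentication.
EXPECTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "no",
}


def parse_sshd_config(text):
    """Return {directive_lowercase: first value seen}.
    Like sshd, only lines starting with '#' are comments and the first
    occurrence of a directive wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        seen.setdefault(parts[0].lower(), parts[1].strip())
    return seen


def audit_sshd_config(text):
    """Return [(directive, actual_or_None, ok)] for each expected directive.
    A missing directive falls back to sshd's default (PasswordAuthentication
    defaults to yes), so absent counts as not OK: set it explicitly."""
    seen = parse_sshd_config(text)
    return [
        (key, seen.get(key), seen.get(key) is not None and seen[key].lower() == want)
        for key, want in EXPECTED.items()
    ]


def host_key_fingerprint(b64_blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pinned_host_matches(known_hosts_text, host, expected_fingerprint):
    """True if a plain known_hosts entry for `host` has the expected fingerprint."""
    for raw in known_hosts_text.splitlines():
        fields = raw.strip().split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        hosts, blob = fields[0].split(","), fields[2]
        if host in hosts and host_key_fingerprint(blob) == expected_fingerprint:
            return True
    return False


# Constructed sshd_config fragment: the second PasswordAuthentication line
# is ignored because sshd keeps the first value.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
"""

# Constructed weak fragment: password login left at its default.
WEAK_CONFIG = "Port 22\nPubkeyAuthentication yes\n"

# Constructed key blob (filler bytes, not a real host key).
FAKE_BLOB = base64.b64encode(b"constructed-not-a-real-host-key-blob").decode()
SAMPLE_KNOWN_HOSTS = "example.onion ssh-ed25519 " + FAKE_BLOB + "\n"

if __name__ == "__main__":
    for directive, actual, ok in audit_sshd_config(SAMPLE_CONFIG):
        print(f"{directive:35} {actual!s:6} {'ok' if ok else 'FIX'}")
    fp = host_key_fingerprint(FAKE_BLOB)
    print("pinned host key matches:", pinned_host_matches(SAMPLE_KNOWN_HOSTS, "example.onion", fp))
```

Run it against the real `/etc/ssh/sshd_config` and `~/.ssh/known_hosts` by reading those files into the two functions; compare the printed fingerprint with the output of `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the server console, which is the out-of-band step that makes the pin meaningful.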


The existing answer written by forest details the security of the SSH/Tor side of things (quite secure if set up correctly), so I won't rehash that here.

I notice that you're asking mainly about client-side security ("can someone interfere with my browser?"), but I would say that server-side security ("can someone use my website/program without permission?") is also a quite important consideration when setting up a web-based program management interface.

There is potentially a very large risk to having a sensitive webpage open to the whole internet, so you really DO need to use some sort of security measure on the webserver side - it could be a Tor authorized hidden service, as forest describes, or some other method of securing the site against random hackers.

Hypothetical scenario: suppose that you had a webserver running on HTTP (as it's not clear if you're using Tor for hidden services or as a form of proxy software). Let's say you've got /index.php on there with a link to /my_program_interface.php, and for "safety's" sake, let's also put that on port 8080, with no domain name, but other than that, you allow it to accept connections from anyone. Well, if anyone ever finds out that you've got a webserver there (and with IPv4, a full network scan is feasible, so your webserver could be discovered), all they'd have to do is to type http://[your_ip_here]/index.php into a normal off-the-shelf browser, and then they have exactly as much control over your program as you do.

In other words: don't forget that server-side authorization checks are important, along with client-side privacy checks!
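A minimal illustration of the server-side check this answer calls for, added here and not part of the answer: a WSGI application that serves the public index freely but refuses every request under the management paths unless it carries a valid bearer token, compared in constant time on the server. The token value, the path names and the WSGI wiring are constructed for the example; a real deployment loads the secret from configuration outside the code and serves over HTTPS or an authorized onion service.

```python
"""Added example: server-side authorization for a web management interface.
Paths and token are constructed; nothing here is from the original answer."""
import hmc_placeholder if False else None  # noqa (keeps linters quiet; see below)
```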


It depends what you mean by secure enough.

Security does not exist without a threat model, as time-travelling, mind-reading gods can defeat any system you make.

If this is a simple utility, then the chances of someone burning a 0day for ssh on your server is minimal, since there are simply better targets, and it wouldn't be worth the time and effort.

However, if you plan on running a system to co-ordinate a giant criminal empire behind the site, you should expect that a large intelligence agency can track the tor traffic back to your box, either by using an attack on the Tor network, or by simple rubber-hose cryptography:

relevant xkcd

However, even if your system is theoretically secure enough, there is the human element: you can never be 100% sure that you have set it up correctly, and so it may be trivial to hack.

A very important rule for security is to expect that your system will be broken at some point. A large part of the design of a secure system is making sure that when it is broken, it doesn't cause too much damage. To that end, I would suggest something like a docker image, so that you can easily scrub it if it does get broken into.

If the actual cryptography behind ssh was broken, you should be more worried about collecting canned goods, as an economic collapse would occur that would make the Great Depression look like the Slightly Sad, as any secure web traffic could be decrypted with a simple MitM (passwords, server certificates, bank details, etc.), and massive botnets of hacked servers would assault any and all internet-facing servers, effectively killing the information age, and turning the internet into a battleground.

Tags:

Ssh