Shell in a Browser

Encryption and Certificates

Although initial experiments with Shell In A Box on your local machine can do without encryption, you will definitely want to use SSL to safeguard your connections in production. You need a certificate for this, either in the current working directory or at a storage location you specify using the --cert=directory option.

Encrypting passwords and data between the sender and receiver keeps data safe against sniffing by unauthorized third parties. To add this level of security, you need a certificate, like those used by many websites (and mail servers) – people don’t typically notice them until the browser reports a certificate issue. The idea is that the certificates ensure that the server at the other end of the connection really is what it tells the client it is; otherwise, an attacker could simply spoof the authorized entity at the other end of the connection.

Certificates are issued by commercial certification authorities: They verify the identity of the certificate owner and then issue a certificate for a hostname. The browser automatically accepts such a certificate as genuine because it trusts specific certificate authorities. CAcert is a community-based alternative.

Finally, another option is to create self-signed certificates with OpenSSL.

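Create a key (use at least 2048 bits; 1024-bit RSA keys are no longer considered adequate, and current TLS libraries often refuse them):

# openssl genrsa -des3 -out server.key 2048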

Create a certificate signing request (CSR):

# openssl req -new -key server.key -out server.csr

Remove the password from the key:

# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key

Sign the CSR and create the certificate:

# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# cat server.crt server.key > certificate.pem

If you use a self-signed certificate (Figure 3) and access services secured in this way from other machines across the Internet, you should definitely take a close look at the certificate and compare the MD5/SHA1 fingerprints the browser displays with those of the certificate on your server.

Figure 3: A self-signed certificate in a web browser.
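
The fingerprint comparison recommended above can be scripted with the same openssl tool. This is an added example, not part of the original article: the function names are made up for illustration, host.example:4200 is a placeholder address, and the digest defaults to SHA-256 (pass sha1 or md5 to match what your browser displays).

```sh
#!/bin/sh
# Added example: check a self-signed certificate by fingerprint.
# Assumes server.crt is the certificate created in the steps above.

# Reduce any fingerprint spelling ("SHA256 Fingerprint=AB:CD", "ab cd")
# to bare uppercase hex, so that values copied from openssl output and
# from a browser dialog compare equal.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Fingerprint of a PEM certificate file. Run this on the server and
# carry the result to the client over a separate, trusted channel.
cert_fp() {
    norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -"${2:-sha256}")"
}

# Fingerprint of the certificate a TLS server actually presents.
# Run this on the client; $1 is host:port.
remote_fp() {
    norm_fp "$(openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -"${2:-sha256}")"
}

# Succeeds only if both fingerprints are non-empty and identical.
# An empty value (connection failed, file missing) never matches.
fp_match() {
    a=$(norm_fp "$1")
    b=$(norm_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (placeholder host and port):
#   on the server:  cert_fp server.crt
#   on the client:  fp_match "$(remote_fp host.example:4200)" "<value from server>" \
#                       && echo "certificate matches" \
#                       || echo "MISMATCH: do not enter credentials"
```

A mismatch means the client is not talking to the certificate you created, so treat it as a failed connection rather than clicking through the browser warning.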

The Author

Wolfgang Dautermann is a system administrator who has tamed many flavors of Linux and various Unices, including Solaris, Irix, and Tru64. He is a co-organizer of Linux Days in Graz, Austria, which next convenes April 28 for its 10th annual meeting [http://www.linuxtage.at] (in German).
