使用与--require-authentication兼容的远程签名者进行烘焙？

Question

使用与--require-authentication兼容的远程签名者进行烘焙？

- 10
- 128 2019-02-16
对于客户端操作,使用带有--require-authentication的远程签名者需要手动输入客户端密钥的解密密码.

在任何地方都没有记录-这与烘焙不兼容吗?设置烘焙时,我没有意识到要解密客户端密钥的方法,并且我认为未绕过身份验证进行烘焙.

谢谢

For client ops, using a remote signer with --require-authentication requires manually entering the client key's decryption password.

It's not documented anywhere -- is this incompatible with baking? There's no way that I'm aware of to decrypt the client key when setting up baking and I assume authentication isn't bypassed for baking.

Thanks

baking

- 在alphanet上,它无需输入身份验证密钥的密码即可工作,但是在mainnet上,它要求在终端上输入密码,但是由于缺少任何终端来输入密码,因此失败.我也在寻找答案.
  
  On alphanet it works without entering the password for the authentication key, but in mainnet it ask for password on terminal, but due to absence of any terminal to enter the password it fails. I am also looking out for an answer to this.
  - 0
  - 2019-02-22
  - Sachin Tomar
- 尽管您可以通过不使用tezos-signer命令中的--require-authentication标志来绕过身份验证方法.即使绕过身份验证方法,也请确保使用防火墙限制对服务器和端口的访问.
  
  Although you can bypass the authentication method by not using --require-authentication flag in tezos-signer command. Make sure to restrict access to your server and port using firewall though if you bypass the authentication method.
  - 0
  - 2019-02-25
  - Sachin Tomar

3 个回答

投票数

- 3
- 2019-02-25
在tezos主网上,您无法以未加密形式生成密钥.因此,您必须输入密码才能解密密钥.

解决方案是导入未加密的密钥,然后用于对与远程签名者的任何通信进行身份验证. 我使用tezbox钱包生成未加密的密钥,然后使用以下命令复制私钥并导入到我的服务器.

./mainnet.sh client import secret key auth-alias unencrypted:edskxxxxxxxxxxxxxTnZR
On tezos mainnet, you cannot generate your key in unencrypted form. So you have to enter the password to decrypt the key.

Solution is to import an unencrypted key and then use is to authenticate any communication with remote-signer. I used tezbox wallet to generate unencrypted keys and then copy the private key and imported to my server using below command.

./mainnet.sh client import secret key auth-alias unencrypted:edskxxxxxxxxxxxxxTnZR
- 生成未加密的未加密私钥并将其复制到另一台服务器本质上是不安全的吗?
  
  isn't it intrinsically *unsafe* to generate an unencrypted unencrypted private keys and copy this around for another server ?
  - 0
  - 2019-02-25
  - Ezy
- 是的,如果您将此密钥用作烘焙密钥,这是不安全的.但是这里唯一的目的是用作身份验证密钥,但是在将私有密钥复制到服务器时显然需要采取预防措施.如果您不想复制私钥并且只想在服务器上生成私钥,则可以使用https://github.com/TezTech/eztz
  
  Yes it is unsafe if you are using this key as baking key. But here the only purpose for this is to be used as authentication key, but obviously precautions need to be taken while copying your private key to the server. If you don't want to copy the private key and want to generate the private key on the server only you can use https://github.com/TezTech/eztz
  - 0
  - 2019-02-25
  - Sachin Tomar
- 如何简单地使用分类帐?
  
  how abt simply using ledger ?
  - 1
  - 2019-02-25
  - Ezy
- 是的,使用分类帐是最安全的方式,但我对分类帐没有任何经验.任何有关此的文档将非常有帮助.
  
  Yes using ledger would be most secure way but i don't have any experience with ledger. Any documentation for this would be really helpful.
  - 0
  - 2019-02-25
  - Sachin Tomar
- 您可以在TSE上搜索此处,这里有可以帮助您入门的答案.例如:https://tezos.stackexchange.com/q/395/118和https://tezos.stackexchange.com/q/477/118.如果这还不够,请随时提出一个新问题！
  
  you can search here on TSE there are answers to get you started. Eg: https://tezos.stackexchange.com/q/395/118 and https://tezos.stackexchange.com/q/477/118 . If this is not sufficient then feel free to ask a new question!
  - 0
  - 2019-02-25
  - Ezy
- 绝对他不应该使用未加密的密钥-这是一个非常糟糕的主意.
  
  Definetly he shouldn't use unencrypted keys - that's a really terrible idea.
  - 1
  - 2019-02-25
  - moonrider_unchained
- 在可通过网络访问的计算机上拥有未加密的密钥可能是一个坏主意.
  
  It's probably a bad idea to have unencrypted keys on a network-accessible machine.
  - 0
  - 2019-02-26
  - latte_jed
- 1
- 2019-12-04
有一种方法可以提供比两个答案都更高的安全性(截至今天) https://tezos.stackexchange.com/a/607/29 (答案A)和 https://tezos.stackexchange.com/a/598/29 (答案B)建议.

如果签名人

仅接受魔术字节0x01,0x02,

并且签名者被防火墙防火墙保护,仅接受来自面包师IP的请求

并且隧道已加密(最好)

可以将未加密的签名者身份验证密钥保留在面包师中.您可以获得答案B的便利,但具有使用签名者身份验证密钥(答案A)的额外安全性.它不能保护您免受各种可能性的影响(目前无法使用
https://tezos.stackexchange.com/a/607/29 (Answer A) and https://tezos.stackexchange.com/a/598/29 (Answer B) suggest.

If the signer

only accepts magic bytes 0x01,0x02,

and the signer is firewalled to only accept request from the baker's IP

and the tunnel is encrypted (preferably),

it is ok to leave the unencrypted signer auth key in the baker. You get the convenience of answer B, but with the added security of using a signer auth key (answer A). It doesn't protect you against every possibility (it is not possible at this time to pass the password to the baker/endorser, AFAIK even using one of these methods), but by having an unencrypted signer auth key you are still avoiding some potential risks . For example, if a rogue machine obtains your IP (say you release the IP by accident, or your host misroutes your IP) the attacker still won't be able to even simply double bake/endorse.

Some might say it is more work for little gain, but I am a bit paranoid and don't like to take the easier route.

Bottom line, --require-authentication is not a substitute for other precautions.
- 原文
- Gaia

latte_jed · Accepted Answer · 2019-02-26

2

2019-02-26

正如评论中提到的那样,最正确的答案是:

否,您不能将--require-authentication与签名者一起使用进行烘烤.没有TTY,并且当需要执行背书/烘焙操作时,您无法解密身份验证密钥.

此处的最佳做法是在签名者和面包师之间使用加密隧道,以使签名者不能直接访问网络.