[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SAGE] The danger of SSH keys..

To: sage-members@usenix.org
Subject: Re: [SAGE] The danger of SSH keys..
From: Chris Henderson <sage@the-hendersons.org>
Date: Tue, 30 Jan 2007 10:29:24 -0600
In-Reply-To: <200701230519.l0N5J58Y003591@aopen.compata.com>
References: <410572049.20070122085528@puryear-it.com> <1255865152.20070122113513@puryear-it.com> <45B4FD68.2030000@samurai.com> <20070122181800.GB7195@deer-run.com> <45B506AC.7090905@samurai.com> <1096018946.20070122130129@puryear-it.com> <200701230519.l0N5J58Y003591@aopen.compata.com>
Sender: owner-sage-members@usenix.org
User-Agent: Thunderbird 1.5.0.9 (X11/20061219)



On 01/22/2007 11:19 PM, Dave Close wrote:
> With properly implemented password verification (such as including,
> for example, three wrong attempts requires manual intervention), there
> is really no way to crack a password from the outside, almost no matter
> how "weak" it might be. The weakness of passwords is a function of the
> weakness of the server: steal the data base and crack at your leisure.
> Making passwords "stronger" doesn't really have much impact on an
> attack of that sort. Changing passwords periodically also has almost
> no value against an offline crack (no attacker will wait three months
> before trying to use a discovered password). Your only defense is to
> keep the server itself secure.
>
> Some might respond that no security is perfect and the server might
> well be broken, so why not make the offline cracking take a little
> longer? But "stronger" passwords /don't/ make it take any longer, given
> the ability to use pre-computed dictionaries of any size. So you're back
> to trying to keep the server secure, which is the right approach anyway.
>
> Where a passwordless SSH key really presents a problem is that the
> "server" you need to secure is the client machine. It's the one with
> the password "data base", the private key itself. If you don't think
> securing that is possible, maybe you should require SSH users to use
> passwords, instead of or in addition to keys.
>   
One option is to make everyone hop through a well hardened host in order
to access the servers. That way compromised client only gets you to the
hardened host, and you can audit private keys on the hardened host to
make sure that they at least have a passphrase set. You can also control
ssh-keygen on that one machine to enforce a strong passphrase, control
access, etc.

--Chris Henderson

References:
- [SAGE] The danger of SSH keys..
  - From: "Dustin Puryear" <dustin@puryear-it.com>
- Re[2]: [SAGE] The danger of SSH keys..
  - From: "Dustin Puryear" <dustin@puryear-it.com>
- Re: [SAGE] The danger of SSH keys..
  - From: Bryan Fullerton <bryanf@samurai.com>
- Re: [SAGE] The danger of SSH keys..
  - From: Hal Pomeranz <hal@deer-run.com>
- Re: [SAGE] The danger of SSH keys..
  - From: Bryan Fullerton <bryanf@samurai.com>
- Re[2]: [SAGE] The danger of SSH keys..
  - From: "Dustin Puryear" <dustin@puryear-it.com>
- Re: Re[2]: [SAGE] The danger of SSH keys..
  - From: Dave Close <dave@compata.com>

Prev by Date: [SAGE] Survey about software upgrades
Next by Date: [SAGE] Survey about software upgrades
Prev by thread: Re: Re[2]: [SAGE] The danger of SSH keys..
Next by thread: Re: [SAGE] The danger of SSH keys..
Index(es):
- Date
- Thread