[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SAGE] The danger of SSH keys..

To: "Meenoo Shivdasani" <meenoo@gmail.com>
Subject: Re: [SAGE] The danger of SSH keys..
From: "Dana Quinn" <dquinn@gmail.com>
Date: Mon, 22 Jan 2007 09:17:12 -0800
Cc: sage-members@usenix.org
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Pt5cexgvWc4kFbZb3sE8kkgM3HAzi8s917gaKQ0J2LZQgF64rQaGDx3VMlZOsUD9HJLC+WydpPnXyIKJcAw3CUa6wU+Z2by+diLQjfdy5Q7sQT8L+s3xYZtkH2ekoyXveS0+Xc4QdjuuIJZ53tKTY2vfE9Cw+EiSgfbOv55k0Ak=
In-Reply-To: <b5e09e920701220847o53bb5a9fu71535ac2ceee4336@mail.gmail.com>
References: <410572049.20070122085528@puryear-it.com> <d6bfee120701220811n6bca9890h25c2175b8340fd32@mail.gmail.com> <b5e09e920701220847o53bb5a9fu71535ac2ceee4336@mail.gmail.com>
Reply-To: danaq@pobox.com
Sender: owner-sage-members@usenix.org

nothing, i imagine.

also doesn't stop people from compiling their ssh binaries.  or many
other ways of getting around.

this approach also assumes a lot of things - standardized desktop
builds, packaging (so that people aren't using their own [or redhat's]
build of ssh-keygen), other things.

but it works fairly well in this environment, because when ssh-keygen
is run, and the person hits return for a blank password, they get a
message about how it's against corporate policy, so on.  so someone
choosing to work around that *probably* has already received a
reminder that they aren't supposed to do it that way.

in practice, i've seen it stops 99% of the attempts to do it, and they
go try to solve their problem another way.  (it's usually developers
trying to push things automatically, the company has other, approved
ways to do that sort of thing)

whether the 1% of attempts that continue around this block are more
dangerous or less dangerous to overall company security is probably
something people argue about.  I've not seen what happens when a 1%-er
is uncovered, but that could be handled by a standard company policy.

so this isn't exactly what Dustin has asked for, but it's been a
useful approach so far.

dana

On 1/22/07, Meenoo Shivdasani <meenoo@gmail.com> wrote:
> On 1/22/07, Dana Quinn <dquinn@gmail.com> wrote:
> > Make it so people only have access to a keygen binary that requires a
> > password.  I'm aware of a large company that does this fairly
> > successfully.  Could get unwieldy as you need to cover all the
>
> What stops someone from taking a key generated with that binary,
> importing into another key management tool, removing the keyphrase,
> and saving it back out?
>
> M
>

-- 
Dana Quinn
danaq@pobox.com

References:
- [SAGE] The danger of SSH keys..
  - From: "Dustin Puryear" <dustin@puryear-it.com>
- Re: [SAGE] The danger of SSH keys..
  - From: "Dana Quinn" <dquinn@gmail.com>
- Re: [SAGE] The danger of SSH keys..
  - From: "Meenoo Shivdasani" <meenoo@gmail.com>

Prev by Date: Re: [SAGE] The danger of SSH keys..
Next by Date: Re: [SAGE] The danger of SSH keys..
Prev by thread: Re: [SAGE] The danger of SSH keys..
Next by thread: Re: [SAGE] The danger of SSH keys..
Index(es):
- Date
- Thread