[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SAGE] The danger of SSH keys..

To: Leon Towns-von Stauber <leonvs@occam.com>
Subject: Re: [SAGE] The danger of SSH keys..
From: Gene Rackow <rackow@mcs.anl.gov>
Date: Mon, 22 Jan 2007 12:23:42 -0600
cc: "Dustin Puryear" <dustin@puryear-it.com>, SAGE Members Mailing List <sage-members@usenix.org>, general@brlug.net
In-reply-to: Your message of "Mon, 22 Jan 2007 08:42:21 PST." <34f63e5e69e99445d121422c14c3ce89@occam.com>
Sender: owner-sage-members@usenix.org

I agree that having "passwords" on a system make it easier for you
to enforce a complexity policy on them.  You'd need to know the
clear-text at some point to be able to set and/or check that the
password entered is valid.  Unfortunately the fact that it's a
reusable password means that it's vulnerable.  It doesn't matter if
that password is store as crypt, MD5, blowfish, or something really
ugly.  It also doesn't matter if that password is in /etc/passwd,
NIS, LDAP, kerberos, or even an ssh-pass-phrase.  Let someone crack
that password or shoulder surf you sometime and they now have the
keys to the kingdom.   Once that happens, what's going to stop the
hacker from getting onto the target machine at 3am Sunday morning?

The core of the issues here are recognizing the risks involved with
each of the options, and finding ways of mitigating those risks.
Then re-examining those risks in regards to the stupid user tricks
that will be used to get around the policy and/or mitigations.

If people are worried about setting a corp policy, they could
maintain the list of pub/private keys and which have been checked
out by some security official for complexity.  Lots of work for
someone, and not necessarily all that useful.  Once the keys
are created, the user could easily change the password on the
private key.  It really doesn't prevent the user from putting that
pass phrase on a postit on their keyboard.

I've also seen where a site forced people to use a crypto card.
To get around needing to carry that with you all the time, someone
set one up in front of a web-cam.  Now to login, that user goes
to the web page and is able to read the latest string shown.  Doh...
If your crypto card needs a button push, just rig up a little solenoid.

I'm a little more paranoid than that.
My private key is maintained via my laptop, not on a shared system
home directory.  It has been moved off to a usb device, so that it
isnt' even on my laptop if/when someone might steal it.  The usb
is on my keyring, not in my laptop bag.  My passphrase stays local
on that laptop so I'm not as concerned about the remote machine being
root-kitted and someone getting the passphase that way.   The laptop is
also rather tightly locked down on what services are available when.

This also means that nobody will be able to automaticly audit this key
for password complexity, etc.  It's not a key they have access to.  If
I need to generate a key that matches some complexity rules, that can be
done, but I'd rather not make the private key for any session even
semi-public.  Different keys are in place for connecting to different
hosts or sites.


/~\ The ASCII         Gene Rackow               email: rackow@anl.gov
\ / Ribbon Campaign   Cyber Security Office     voice: 630-252-7126
 X  Against HTML      Argonne National Lab      
/ \ Email!            9700 S. Cass Ave. / Argonne, IL  60439

References:
- Re: [SAGE] The danger of SSH keys..
  - From: Leon Towns-von Stauber <leonvs@occam.com>

Prev by Date: Re: [SAGE] The danger of SSH keys..
Next by Date: Re: [SAGE] The danger of SSH keys..
Prev by thread: Re[2]: [SAGE] The danger of SSH keys..
Next by thread: Re: [SAGE] The danger of SSH keys..
Index(es):
- Date
- Thread