[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SAGE] The danger of SSH keys..

To: sage-members@sage.org
Subject: Re: [SAGE] The danger of SSH keys..
From: Richard Chycoski <rskiadmin@chycoski.com>
Date: Mon, 22 Jan 2007 10:50:55 -0800
Authentication-Results: sj-dkim-4; header.From=rskiadmin@chycoski.com; dkim=neutral
CC: Neil Watson <sage@watson-wilson.ca>
In-Reply-To: <20070122182307.GD28453@watson-wilson.ca>
References: <410572049.20070122085528@puryear-it.com> <1255865152.20070122113513@puryear-it.com> <45B4FD68.2030000@samurai.com> <20070122181800.GB7195@deer-run.com> <20070122182307.GD28453@watson-wilson.ca>
Reply-To: rskiadmin@chycoski.com
Sender: owner-sage-members@usenix.org
User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)

Yes - passphrases associated with a specific command (rather than an open 
shell) and with the private keys stored on properly controlled machines are an 
example where passwordless keys can be an acceptable security risk for many 
environments.

It all depends on your security needs, the environment in which the keys are 
being stored, and the medium across which the data is being transported.

With properly secured endpoints I do not have a problem with passwordless keys 
in a controlled environment. This is better than a weak password - it takes a 
lot more work (and computing power) to attack a system that has a passwordless 
SSH key (assuming a reasonably large key size - a few years ago RSA was 
recommending at least a 2048 bit key, I haven't heard if they have increased 
that recommendation lately) than to crack an even reasonably crafted system 
password. (And users have ways of crafting passwords that satisfy most 
rulesets but are still crackable.) And I've never seen someone write down 
their SSH private key and leave it attached to the their monitor. (:-)

However, if the private key is stored on a personal laptop that can be lost or 
stolen, I'm more concerned. If you have that kind of security problem then 
disallow the use of keys and start requiring two-factor authentication, 
preferably with a hardware token. You can also strengthen this by using 
encrypted filesystems and stronger access methods for the laptops, but this 
can be difficult to implement and enforce in many organisations unless 
mandated by law.

Somewhere in the middle is a grey area - do you trust passwordless keys from 
desktops (non-portable systems) that are located on your intranet? SSH 
keyagents can help, but can also create more loopholes than passwordless keys.

You have to evaluate the level of security that you need against the risk of 
being compromised and apply it to your own environment.

- Richard

Neil Watson wrote:
> There are times when there is a legitimate reason for using a key with
> no pass-phrase.  Globally restricting this may cause a problem even as
> it solves another.
>

References:
- [SAGE] The danger of SSH keys..
  - From: "Dustin Puryear" <dustin@puryear-it.com>
- Re[2]: [SAGE] The danger of SSH keys..
  - From: "Dustin Puryear" <dustin@puryear-it.com>
- Re: [SAGE] The danger of SSH keys..
  - From: Bryan Fullerton <bryanf@samurai.com>
- Re: [SAGE] The danger of SSH keys..
  - From: Hal Pomeranz <hal@deer-run.com>
- Re: [SAGE] The danger of SSH keys..
  - From: Neil Watson <sage@watson-wilson.ca>

Prev by Date: Re: [SAGE] The danger of SSH keys..
Next by Date: Re[2]: [SAGE] The danger of SSH keys..
Prev by thread: Re: [SAGE] The danger of SSH keys..
Next by thread: Re: [SAGE] The danger of SSH keys..
Index(es):
- Date
- Thread