[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re[2]: [SAGE] The danger of SSH keys..

To: Bryan Fullerton <bryanf@samurai.com>
Subject: Re[2]: [SAGE] The danger of SSH keys..
From: "Dustin Puryear" <dustin@puryear-it.com>
Date: Mon, 22 Jan 2007 13:01:29 -0600
cc: SAGE Members Mailing List <sage-members@usenix.org>
In-Reply-To: <45B506AC.7090905@samurai.com>
Organization: Puryear Information Technology, LLC
References: <410572049.20070122085528@puryear-it.com>
References: <1255865152.20070122113513@puryear-it.com>
References: <45B4FD68.2030000@samurai.com>
References: <20070122181800.GB7195@deer-run.com>
References: <45B506AC.7090905@samurai.com>
Reply-To: "Dustin Puryear" <dustin@puryear-it.com>
Sender: owner-sage-members@usenix.org

And to me, that is where strength should be added: At the server. The
main issue I am raising with keys is that the security of the key is
entirely a client issue. There is no way for me to really enforce
anything on the server.

With keys, I want the ability to:

1. Expire keys at the server, even if that means rotating the public
key out of authorized_keys2 (this could be done today using scripts).

2. Remove public keys when an employee is fired. Really, this can all
be handled now via homedirs, requiring sudo, and protecting my root
authorized_keys2.

3. Require private keys to have strong passwords (no realistic way to
enforce this).

With this, I think the strength in using SSH keys could be
dramatically increased.

---
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author:
  "Best Practices for Managing Linux and UNIX Servers"
  "Spam Fighting and Email Security in the 21st Century"

Download your free copies:
  http://www.puryear-it.com/publications.htm

Monday, January 22, 2007, 12:47:08 PM, you wrote:

> Hal Pomeranz wrote:
>>> If you're not up to coding it yourself you could submit a feature 
>>> request (with associated offer to fund development if you really want 
>>> it). If the OpenSSH folks added it themselves it could likely be managed 
>>> via an associated config option.
>>>     
>>
>> The problem with doing this is a config option is that any such checks
>> would of course have to be implemented in the client binaries (including
>> ssh-keygen).  The problem is that there's no way to enforce global 
>> administrative policies on the client side, because the user can always
>> override configuration settings in ssh_config with command-line options.
>> It's similar to the problem of trying to enforce StrictHostKeyChecking
>> across an entire site.
>>
>>   
> True, and it doesn't get around people installing their own client binaries.

> I wonder if there'd be value in extending the SSH protocol to also allow
> encrypting the public key with a passphrase, which could then be 
> validated for length on the server during initial handshake.

> Bryan

Follow-Ups:
- Re: [SAGE] The danger of SSH keys..
  - From: Bryan Fullerton <bryanf@samurai.com>
- Re: Re[2]: [SAGE] The danger of SSH keys..
  - From: Dave Close <dave@compata.com>
- Re: [SAGE] The danger of SSH keys..
  - From: "James J. Barlow" <jbarlow@ncsa.uiuc.edu>

References:
- [SAGE] The danger of SSH keys..
  - From: "Dustin Puryear" <dustin@puryear-it.com>
- Re[2]: [SAGE] The danger of SSH keys..
  - From: "Dustin Puryear" <dustin@puryear-it.com>
- Re: [SAGE] The danger of SSH keys..
  - From: Bryan Fullerton <bryanf@samurai.com>
- Re: [SAGE] The danger of SSH keys..
  - From: Hal Pomeranz <hal@deer-run.com>
- Re: [SAGE] The danger of SSH keys..
  - From: Bryan Fullerton <bryanf@samurai.com>

Prev by Date: Re: [SAGE] The danger of SSH keys..
Next by Date: [SAGE] Re: Are cheap SSL certificates legitimate?
Prev by thread: Re: [SAGE] The danger of SSH keys..
Next by thread: Re: [SAGE] The danger of SSH keys..
Index(es):
- Date
- Thread