[nycbug-talk] Analyzing malicious SSH login attempts
dave at donnerjack.com
Wed Sep 13 11:34:07 EDT 2006
On Sep 13, 2006, at 10:35 AM, Isaac Levy wrote:
> Lock a key with a passphrase, so you unlock them on your local
> computer when you use them.
> Some admins like the fact that unlocked keys let them jump to-and-fro
> between machines without having to enter passwords, I feel this is
> silly and have seen borderline irresponsible uses of keys in this
> manner. If you don't lock your keys, anyone can use it- and you have
> to spend an inordinate amount of time protecting them against
> overwhelming threats.
> This is where ssh-agent and the other keychain apps come into play,
> because they let you authenticate your keys once locally, but again
> this opens the door to various and common local threats. Is it
> really that cumbersome to enter a passphrase for each ssh login?
> **caveat** It does get messy to manage using multiple keys without
> ssh-agent. However, a caveat to that caveat, is that using many keys
> discourages admins from changing their keys regularly, which I see
> as a MUCH larger threat :)
> If you lock your private keys with a local passphrase, you can then
> happily toss them around to different trusted systems, keep them on
> your iPod, whatever you choose to trust.
> The threat here is that someone would run a dictionary attack against
> your keys themselves, so you still want to be very conservative with
> where they live. Also, one must of course trust any machine where
> they *unlock* those keys, (any machine which you ssh OUT of).
This is really the only part of what Ike has to say that I'd disagree
with. Personally, I've found that, yes, it is cumbersome to be
entering a passphrase for every login to a machine, and that negates
a lot of the convenience that comes with using ssh keys and makes
their added security attractive to admins. The various key
management tools (SSHKeychain, ssh-agent) can all be configured
securely, to time out the authorization of a key after a given period
of time so the passphrase has to be re-entered, and a passphrase
would be, to say the least, extremely difficult to dictionary attack,
since the theory is, rather than a word, it's phrase. The only real
option is to brute force the passphrase, which isn't going to be
terribly effective if it's of a reasonable length. The flip side of
this is that I can't think of any good reason, when using an agent to
manage your keys, to have an un-passphrase protected private key.
That would strike me as an extremely irresponsible way to manage
access, since that really does depend entirely upon the security of
they private key file.
My experience has been that a passphrase protected ssh key with a
management agent (SSHKeychain in my case), makes managing secure
access to large numbers of machines vastly, vastly simpler than it
would be using passwords. Some of that, I think, will vary
depending on your working environment and needs, but in general I've
become a huge fan of keys and agent forwarding over the last few
years, so personally I can't really think of a good argument
_against_ using keys to do authentication, though I'd be interested
to hear one if one exists.
More information about the talk