[nycbug-talk] Analyzing malicious SSH login attempts

David Lawson dave at donnerjack.com
Wed Sep 13 11:34:07 EDT 2006

On Sep 13, 2006, at 10:35 AM, Isaac Levy wrote:

> Lock a key with a passphrase, so you unlock them on your local
> computer when you use them.
> Some admins like the fact that unlocked keys let them jump to-and-fro
> between machines without having to enter passwords, I feel this is
> silly and have seen borderline irresponsible uses of keys in this
> manner.  If you don't lock your keys, anyone can use it- and you have
> to spend an inordinate amount of time protecting them against
> overwhelming threats.
> This is where ssh-agent and the other keychain apps come into play,
> because they let you authenticate your keys once locally, but again
> this opens the door to various and common local threats.  Is it
> really that cumbersome to enter a passphrase for each ssh login?
> **caveat** It does get messy to manage using multiple keys without
> ssh-agent.  However, a caveat to that caveat, is that using many keys
> discourages admins from changing their keys regularly,  which I see
> as a MUCH larger threat :)
> --
> If you lock your private keys with a local passphrase, you can then
> happily toss them around to different trusted systems, keep them on
> your iPod, whatever you choose to trust.
> The threat here is that someone would run a dictionary attack against
> your keys themselves, so you still want to be very conservative with
> where they live.  Also, one must of course trust any machine where
> they *unlock* those keys, (any machine which you ssh OUT of).

This is really the only part of what Ike has to say that I'd disagree  
with.  Personally, I've found that, yes, it is cumbersome to be  
entering a passphrase for every login to a machine, and that negates  
a lot of the convenience that comes with using ssh keys and makes  
their added security attractive to admins.  The various key  
management tools (SSHKeychain, ssh-agent) can all be configured  
securely, to time out the authorization of a key after a given period  
of time so the passphrase has to be re-entered, and a passphrase  
would be, to say the least, extremely difficult to dictionary attack,  
since the theory is, rather than a word, it's phrase.  The only real  
option is to brute force the passphrase, which isn't going to be  
terribly effective if it's of a reasonable length.  The flip side of  
this is that I can't think of any good reason, when using an agent to  
manage your keys, to have an un-passphrase protected private key.   
That would strike me as an extremely irresponsible way to manage  
access, since that really does depend entirely upon the security of  
they private key file.

My experience has been that a passphrase protected ssh key with a  
management agent (SSHKeychain in my case), makes managing secure  
access to large numbers of machines vastly, vastly simpler than it  
would be using passwords.   Some of that, I think, will vary  
depending on your working environment and needs, but in general I've  
become a huge fan of keys and agent forwarding over the last few  
years, so personally I can't really think of a good argument  
_against_ using keys to do authentication, though I'd be interested  
to hear one if one exists.


More information about the talk mailing list