[nycbug-talk] Hot Story: German Gov. intelligence agencies decrypt PGP, SSH

Isaac (.ike) Levy ike at blackskyresearch.net
Sun Jun 16 22:01:24 EDT 2013

On Jun 16, 2013, at 9:10 PM, nop <nop at insidiae.net> wrote:

> What are current protocols at peoples' work sites now?
> Whenever.

Often.  Of course everyone around me changes keys every morning, and right after lunch, M-F.  (So, weekends are still obviously a vulnerable time.)

I am of course kidding, but *nobody* likes talking about these policies, because most environments are willfully lax here.  Why?  I don't know.

Major gains can be had, by at least hitting the basics:

In web shops, I've repeatedly gotten the greenest daisy-fresh rookie web devs to adhere to (and not be upset about), the most basic policies, by making it simple, and providing a quick start doc to them which walks them through these 3 steps:

TASK FOR USERS (make keys):
1) be explicit about making keys
# cd ~/.ssh/ 
# ssh-keygen -C 'Optional Comment Goes Here' -b 4096 -t rsa -f id_rsa
(this can conform to whatever your policies are, crypto, key size, etc...)

2) explain in a sentence that private key must stay on your laptop, (make another doc or a footnote to show how to use ssh-agent, if your environment warrants it)

3) explain to send public key to the admins, (usb key or email or other, whatever your environment warrants).

If you don't treat your devs like idiots, they typically comply, and even *gasp* can be compelled to read some man pages.

For other policy basics, in small web shops, I can't tell you how valuable spot-checking key passwords are, e.g. ask a user to do the following:
# ssh-add -D
# ssh -i /path/to/some_key user at somehost

If no password prompt, revoke the user key, and make the user generate a new one.

For policy changes, I've found nothing but forcing "key changing parties" gets this to happen among users.  For admins, the key changing parties are a non-thing kind of event, like shaving or clipping toe-nails.

For non-admin/security types, a case of beer typically helps smooth the event along.

One last thing about ssh agent use, it can be a real problem in those unavoidable 'tons of eggs in the basket' systems in your infrastructure… Worth a discussion with your fellow admins, IMHO.

> I know the Google forces SSH key pair changes frequently (monthly or
> even weekly?), which makes sense.  It's not like forcing regular passwd
> changes and users recycling passwds or writing them down as a forced bad
> practice.
> I assume people at least use different keys for work and personal.. and
> use passwds with SSH and GPG/PGP?
> Natch.

Natches, on your belt, for every key changed.

(nop did teach me how to use ssh properly, once upon a time :)

> And that 2048-bit keys aren't a hassle to your CPU compared to 1024…

My .02¢

Shucks, 4096 bit RSA keys haven't been "too big" since 4u boxes were as punchy as my iPhone, (and the ssh logins could have a very noticeable effect on the performance of the MTA or web server on the box…).

Biggest keys everywhere, pretty much all the time, IMHO.

> You can "share" a connection in openssh now, so there is no reason to get crazy on those bits.
> http://protempore.net/~calvins/howto/ssh-connection-sharing/

Woah now.  Multiplexing is not only useful, it's also fun…  Not sure if fun is allowed.


More information about the talk mailing list