Re: Darn skiddies (ssh login attempts)

To: debian-security@lists.debian.org
Subject: Re: Darn skiddies (ssh login attempts)
From: Michael Stone <mstone@debian.org>
Date: Mon, 04 Apr 2005 12:57:22 -0400
Message-id: <[🔎] 20050404165722.GJ11577@mathom.us>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 42516F62.1040703@salk.edu>
References: <200503312244.53499.bmsims1@insightbb.com> <[🔎] 20050401074008.GB12840@sandbender> <[🔎] 6b9f80f9ed993c425821b4c7f0440b07@salk.edu> <[🔎] 20050401142350.GB11577@mathom.us> <[🔎] b0f6725b82f919fdd20c9376cb9a590c@salk.edu> <[🔎] 20050404000320.GG11577@mathom.us> <[🔎] 42516F62.1040703@salk.edu>

On Mon, Apr 04, 2005 at 09:46:26AM -0700, Chris Adams wrote:

Policy was the wrong word - the basic idea is just that either way theusers have a password but a private key isn't directly replayable sincethe attacker doesn't actually receive the key information or password.


Depending on the attack. That's the point I'm making--rsa keys protect
against certain attacks but do absolutely nothing about other attacks
and shouldn't be seen as a magic bullet.

Central distribution is also quite easy and allows you to decide howmuch control you want over the process - simply change the authorizedkey path to a directory which isn't user-writable and use your existingmanagement tools to synchronize changed keys.


Dude, that does *nothing* to manage the private key.

Not entirely. With passwords there's the important requirement that a
password actually be sent through a compromised machine. With private
keys, you're in trouble if any machine that the user happened to leave
the key on gets compromised.
Only if the key wasn't protected with a password - sure, it's possiblefor an attacker to brute-force the key but that's a lot more work thanthey'd have to do if you're using password authentication and it givesyou more time to detect the intrusion and get users to change their keys.


Huh? You do realize that the passphrase on the private key can be brute
forced, and that it's possible to do so without connecting to the target
system at all? (So that there is no record that someone is trying to
brute-force the key password.)

More importantly, good policy also tells users to use ssh-agent insteadof copying private keys all over the place - sure, not everyone will doit but the same is true of password policies


No, password policies are enforceable--you control what the user can set
the password to. Key management policies are not enforceable. ssh-agent
also intruduces another vulnerability in that new sessions can be
started using the secret key for authentication without the user being

aware that it's happening.

The easiest way is simply to replace ssh-keygen with a wrapper whichcalls cracklib before passing the password to the real ssh-keygen. Thisalso has the advantage of reusing any existing cracklib policy.


Interesting. Now how do you keep the user from resetting their password
on any system where you aren't controlling the ssh-keygen?

Mike Stone

Reply to:

Follow-Ups:
- Re: Darn skiddies (ssh login attempts)
  - From: Chris Adams <cadams@salk.edu>

References:
- Re: Darn skiddies (ssh login attempts)
  - From: Robert Lemmen <robertle@semistable.com>
- Re: Darn skiddies (ssh login attempts)
  - From: Chris Adams <cadams@salk.edu>
- Re: Darn skiddies (ssh login attempts)
  - From: Michael Stone <mstone@debian.org>
- Re: Darn skiddies (ssh login attempts)
  - From: Chris Adams <cadams@salk.edu>
- Re: Darn skiddies (ssh login attempts)
  - From: Michael Stone <mstone@debian.org>
- Re: Darn skiddies (ssh login attempts)
  - From: Chris Adams <cadams@salk.edu>

Prev by Date: Re: Darn skiddies (ssh login attempts)
Next by Date: Re: Darn skiddies (ssh login attempts)
Previous by thread: Re: Darn skiddies (ssh login attempts)
Next by thread: Re: Darn skiddies (ssh login attempts)
Index(es):
- Date
- Thread