Re: Remote administration of a server
On Thu, 9 Jun 2005, Marty wrote:
> Regarding PKI, are there any Debian or non-Debian packages you recommend
Hi Marty. The ssh related packages in Debian contain everything you need.
> for this use? Can you elaborate on your reasoning here, for a
> non-expert in security, or at least point to some links? I am
> particularly interested in why you think PKI is better than the plain
> ssh password/login procedure for this application, and how you keep your
Password access is highly susceptible to a brute force attack where the
attack just cycles usernames and passwords. Breaking in using a method
like this isn't as hard as it first sounds as most people use fairly
easily guessed usernames (e.g., first names) and passwords. I regularly see
attackers try this on my ssh daemons that don't accept password
authentication :)
PKI makes things much more difficult. An attacker would need both your
private key and your passphrase to gain entry. Brute forcing an ssh
daemon that only accepts PKI access is an intractable problem.
> keys secure (i.e. thumb drive? Floppy? Theft issues?)
All of the hosts I have private keys for are under my control or my
company's control. We have some clients that move around a lot and they
do need to keep their private keys on a usb drive.
As with everything in security some risk is always involved. A host's
administrator may be sniffing keystrokes to get your passphrase and they
may be automatically nabbing any private keys they see - but in reality
this is not likely. If you think a machine is not safe don't ssh from it.
Cheers,
Rob
--
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Ph: +1-416-669-3073 Email: rbrockway@opentrend.net http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest http://www.spi-inc.org
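As an added example (not part of Rob's reply or the thread), a POSIX shell script illustrating the two defender-side points above: counting failed-password attempts per source address in sshd log lines, and checking that an sshd_config file turns password authentication off while leaving public-key authentication on. The log lines, addresses and the config file path are constructed for the example.

```shell
#!/bin/sh
# Constructed sample sshd log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG='Jun  9 10:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 50000 ssh2
Jun  9 10:01:05 host sshd[1235]: Failed password for root from 192.0.2.10 port 50001 ssh2
Jun  9 10:01:09 host sshd[1236]: Failed password for invalid user test from 198.51.100.7 port 40000 ssh2
Jun  9 10:02:00 host sshd[1240]: Accepted publickey for rob from 203.0.113.5 port 55000 ssh2'

# Print "count address" for every source that produced a "Failed password"
# event, most active source first. Key-based logins are not counted.
failed_password_by_source() {
    printf '%s\n' "$SAMPLE_LOG" \
    | grep 'sshd\[[0-9]*\]: Failed password for' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Return 0 if the sshd_config file given as $1 sets PasswordAuthentication
# to "no" and does not set PubkeyAuthentication to "no".
# Assumptions: sshd honours the first occurrence of a directive, so the
# first uncommented match is used; directives inside Match blocks are not
# examined, so a Match block could still re-enable passwords for some users.
sshd_config_disables_passwords() {
    cfg="$1"
    pw=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$cfg")
    pk=$(awk 'tolower($1)=="pubkeyauthentication"{print tolower($2); exit}' "$cfg")
    [ "$pw" = "no" ] && [ "$pk" != "no" ]
}

# Stand-alone usage: report the brute-force sources seen in the sample log.
failed_password_by_source
```

Run against the live log with something like `grep sshd /var/log/auth.log` in place of the sample text; a source with a high count is the pattern described in the message above.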