
Re: ssh



On 2007-02-28T10:43:23-0800, Andrew Sackville-West wrote:
> On Wed, Feb 28, 2007 at 05:35:42PM +0100, Sven Arvidsson wrote:
> >
> > Another great package is libpam-ssh, unlocking your ssh keys at login
> > time, meaning you will only need to type a password once.
> 
> Because I'm too lazy to research it, why is this any better than a
> passwordless key? If someone is using your login then your ssh keys
> are unlocked.

If your private key does not have a password, then all an attacker needs
is a copy of the key (and public key).  The premise of ssh-agent is
that your password, once entered, is kept in "secure" memory, so the
attacker needs to either intercept your password when you enter it,
before it is sent to ssh-agent, or compromise ssh-agent and still get a
copy of your private key.  In the former case the window of opportunity
is only when you log in, and in the latter while your ssh-agent is running
(i.e. when you are logged in).

There are a couple of gotchas when switching to libpam-ssh, namely that
PAM does not seem to recursively resolve @include directives, so you
need something like this:

common-auth:
auth sufficient pam_ssh.so keyfiles=id_dsa
auth sufficient pam_unix.so try_first_pass nullok_secure

common-session:
session optional pam_ssh.so
session required pam_unix.so

In this case I removed my user password from /etc/shadow and use the
private key to authenticate with.  root has a password in /etc/shadow.

And make sure that your X session does not start another ssh-agent (I
had a .gnomerc that did that).


/Allan
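Allan's first paragraph rests on one fact about a key file: a private key stored without a passphrase is fully usable by anyone who copies it, whereas a passphrase-protected key is only useful for as long as ssh-agent holds it unlocked. The following script is an added example (not part of the original thread, and not code from the libpam-ssh or OpenSSH projects) that audits key files for exactly that property by parsing the two on-disk formats ssh-keygen writes: the openssh-key-v1 container, whose cipher and KDF names read "none" when the key is unprotected, and the legacy PEM container, which marks encryption with a "Proc-Type: 4,ENCRYPTED" header. The sample key texts are constructed with dummy key material purely to exercise the parser; `scan_ssh_dir` runs the same check over a real directory.

```python
import base64
import os
import struct

# Magic prefix that opens every openssh-key-v1 private key blob.
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:start + length], start + length


def key_is_passphrase_protected(key_text: str) -> bool:
    """Return True if a PEM-style private key is encrypted, False if it is stored in the clear.

    openssh-key-v1: the cipher and KDF names follow the magic directly; an
    unprotected key has both set to "none".
    legacy PEM (RSA/DSA/EC): an encrypted key carries a "Proc-Type: 4,ENCRYPTED" header.
    """
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a PEM-style private key")
    body = lines[1:-1]  # everything between the BEGIN and END armour lines
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        offset = len(OPENSSH_MAGIC)
        cipher, offset = _read_string(blob, offset)
        kdf, offset = _read_string(blob, offset)
        return cipher != b"none" or kdf != b"none"
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body)


def unprotected_keys(keys: dict) -> list:
    """Given {name: key text}, return the sorted names whose key has no passphrase."""
    return sorted(name for name, text in keys.items() if not key_is_passphrase_protected(text))


def scan_ssh_dir(path: str = os.path.expanduser("~/.ssh")) -> list:
    """Report the private-key files under path that are stored without a passphrase."""
    found = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "r", errors="replace") as fh:
            text = fh.read()
        try:
            key_is_passphrase_protected(text)  # raises for public keys, known_hosts, config, ...
        except ValueError:
            continue
        found[name] = text
    return unprotected_keys(found)


def _constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Build a syntactically valid openssh-key-v1 envelope around dummy key material.

    Constructed for the demonstration only; it is not a usable key.
    """
    def wire(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b

    blob = (OPENSSH_MAGIC + wire(cipher) + wire(kdf) + wire(b"")  # empty kdfoptions
            + struct.pack(">I", 1)                                  # one key in the file
            + wire(b"dummy-public") + wire(b"dummy-private"))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample key files covering both formats, protected and not.
SAMPLE_KEYS = {
    "id_ed25519_nopass": _constructed_openssh_key(b"none", b"none"),
    "id_ed25519_pass": _constructed_openssh_key(b"aes256-ctr", b"bcrypt"),
    "id_rsa_legacy_pass": ("-----BEGIN RSA PRIVATE KEY-----\n"
                           "Proc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
                           "\nAAAA\n"
                           "-----END RSA PRIVATE KEY-----\n"),
    "id_rsa_legacy_nopass": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}


if __name__ == "__main__":
    print("unprotected sample keys:", unprotected_keys(SAMPLE_KEYS))
    if os.path.isdir(os.path.expanduser("~/.ssh")):
        print("unprotected keys in ~/.ssh:", scan_ssh_dir())
```

The parser never touches the key material itself; it only reads the container's header fields, so it is safe to run over a live ~/.ssh. An equivalent one-off check with the standard tools is `ssh-keygen -y -P '' -f <keyfile>`, which succeeds only when the key accepts an empty passphrase.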


