[ale] Holy cow! Published in Slashdot!!

Scott Plante splante at insightsys.com
Wed Jan 2 20:41:10 EST 2013


I think it might be hard, in my case anyway, to eliminate all the log files, /etc/hosts entries, .ssh/config entries, and other locations that give good guesses on where to try hacked ssh keys. 


By the way, to answer my own question, it appears that you only need the private key half to brute force an ssh key, and this project (possibly among others?) will do it. 
http://www.leidecker.info/projects/phrasendrescher/index.shtml 
Therefore, there is no advantage to obfuscating your public keys or separating them from your private keys. 


Scott 
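As an added illustration of the point above (the private key file alone is what an offline guesser works from, so the passphrase and the key-derivation settings on that file are the whole defence), here is a small Python auditor that is not from this thread or any of its posters. It reads private key files without decrypting them and reports whether each one is passphrase-protected and how expensively the passphrase is stretched. It assumes the openssh-key-v1 layout (magic, cipher name, KDF name, KDF options) and the legacy PEM Proc-Type/DEK-Info headers; the sample key files are constructed structurally and carry no real key material.

```python
import base64
import os
import struct
import textwrap

# Magic prefix of the "openssh-key-v1" container written by ssh-keygen -o
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _write_string(data):
    return struct.pack(">I", len(data)) + data


def inspect_private_key(key_text):
    """Describe how a private key file is protected, without decrypting it.

    Returns a dict with keys: format, encrypted, cipher, kdf, kdf_rounds.
    """
    lines = [ln.strip() for ln in key_text.strip().splitlines() if ln.strip()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(body, off)
        kdf, off = _read_string(body, off)
        kdfopts, off = _read_string(body, off)
        rounds = None
        if kdf == b"bcrypt":
            # kdfoptions = string salt, uint32 rounds (ssh-keygen -a)
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "kdf_rounds": rounds}
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM: encryption is signalled by headers, and the key is derived
        # with OpenSSL's EVP_BytesToKey (a single MD5 pass), so guessing is cheap.
        encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        dek = next((ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("DEK-Info:")), "")
        return {"format": "pem", "encrypted": encrypted,
                "cipher": dek.split(",")[0] if dek else "none",
                "kdf": "EVP_BytesToKey-md5" if encrypted else "none",
                "kdf_rounds": 1 if encrypted else None}
    raise ValueError("not a recognised private key file")


def audit_keys(keys, min_rounds=16):
    """Flag keys a thief could guess offline cheaply: no passphrase, legacy PEM
    encryption, or bcrypt round counts below min_rounds (ssh-keygen's default)."""
    findings = []
    for name, text in keys.items():
        info = inspect_private_key(text)
        if not info["encrypted"]:
            findings.append((name, "no passphrase"))
        elif info["format"] == "pem":
            findings.append((name, "legacy PEM encryption; re-encrypt with ssh-keygen -p -o"))
        elif info["kdf_rounds"] is not None and info["kdf_rounds"] < min_rounds:
            findings.append((name, f"bcrypt rounds {info['kdf_rounds']} < {min_rounds}"))
    return findings


def _constructed_openssh_key(cipher, kdf, kdfopts):
    """Constructed sample: only the header fields a real file shares; the key
    material sections are left empty because the checks never read them."""
    blob = (OPENSSH_MAGIC + _write_string(cipher) + _write_string(kdf)
            + _write_string(kdfopts) + struct.pack(">I", 1)
            + _write_string(b"") + _write_string(b""))
    b64 = textwrap.fill(base64.b64encode(blob).decode(), 70)
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample key files (no real key material) covering each case
SAMPLE_KEYS = {
    "id_ed25519_plain": _constructed_openssh_key(b"none", b"none", b""),
    "id_ed25519_strong": _constructed_openssh_key(
        b"aes256-ctr", b"bcrypt", _write_string(os.urandom(16)) + struct.pack(">I", 64)),
    "id_ed25519_weak": _constructed_openssh_key(
        b"aes256-ctr", b"bcrypt", _write_string(os.urandom(16)) + struct.pack(">I", 4)),
    "id_rsa_legacy": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
        "\n"
        "Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBSRUFMIEtFWQ==\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for name, why in audit_keys(SAMPLE_KEYS):
        print(f"{name}: {why}")
```

Running it over the constructed samples flags the unencrypted key, the low-round key and the legacy PEM key, and passes the key with 64 bcrypt rounds; pointed at a real ~/.ssh directory it gives the same answer for keys that were created without a passphrase or before the -o format existed.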
----- Original Message -----

From: "Wolf Halton" <wolf.halton at gmail.com> 
To: "Atlanta Linux Enthusiasts" <ale at ale.org> 
Sent: Monday, December 31, 2012 7:45:18 PM 
Subject: Re: [ale] Holy cow! Published in Slashdot!! 



If you remove the human-readable user at server-example.com from the end of the keys in authorized_keys and maybe edit your history on the sending server, how will they know where to go, even if they are sitting at the console of your not-publicly-accessible workstation? 

I think authorized keys is the lesser evil. I also shell in through a vpn tunnel to most of my servers, so unless they know my keyring password, they cannot access any machines anyway. 




On Fri, Dec 28, 2012 at 11:37 AM, Scott Plante < splante at insightsys.com > wrote: 




Presumably you're using ssh-agent & ssh-add, not just creating keys without passphrases. Other than for some very limited accounts designed for cron tasks, I can't see a good reason for having ssh keys without a good passphrase. Then, even if your box gets compromised the keys can't be used without the passphrase (but you don't have to type it for each individual ssh command either!) I used ssh for years before bothering to learn how to set up ssh-agent/ssh-add. It's definitely made life easier. Since you don't have to type it as often, you can make a longer, more complex passphrase. I'd hate to type 16 characters for every ssh/scp I have to do! 


Of course, once you have access to the public and private keys, the passphrase could be brute forced without connecting to the remote system, correct? In that sense, a passphrase is less secure than a password you use to connect to a remote system, as the remote system can detect incorrect guesses and lock the account. Does it make sense to keep your public keys separate from and not easily associated with your private keys, just in case your box does get hacked? Do you need the public key to brute force the passphrase on a private key? 


Congrats, Charles! 


Scott 



From: "James Sumners" < james.sumners at gmail.com > 
To: "Atlanta Linux Enthusiasts" < ale at ale.org > 
Sent: Thursday, December 27, 2012 2:27:27 PM 
Subject: Re: [ale] Holy cow! Published in Slashdot!! 



Hell with that. I create a new key for each system and add an entry to my ~/.ssh/config to use it. Thus, I use a unique key for each system and forget all about using a password to connect. 

On Thursday, December 27, 2012, Michael B. Trausch wrote: 

<blockquote>
On 12/27/2012 09:18 AM, Charles Shapiro wrote: 
> A lifelong ambition is fulfilled... I make Slashdot's front page ( 
> http://yro.slashdot.org/story/12/12/26/1459248/lax-ssh-key-management-a-big-problem 
> ) !! 
> 
> charlesTheLurker is me... I reckon it's time to update the ol' resume. 

Awesome! :-) 

Some of the comments on that article from people that claim to be in the 
field are a bit disturbing, though... 

Brings up an interesting point. Moving away from passwords to cached 
private keys is something that most people _do_ see as lesser security, 
despite the fact that when properly managed it provides far better 
security. I wonder how it is we're supposed to combat that problem. 
Education doesn't work; a lot of people's eyes glaze over if you try to 
explain to them how it provides superior security. 

--- Mike 

_______________________________________________ 
Ale mailing list 
Ale at ale.org 
http://mail.ale.org/mailman/listinfo/ale 
See JOBS, ANNOUNCE and SCHOOLS lists at 
http://mail.ale.org/mailman/listinfo 




-- 
James Sumners 
http://james.roomfullofmirrors.com/ 

"All governments suffer a recurring problem: Power attracts pathological personalities. It is not that power corrupts but that it is magnetic to the corruptible. Such people have a tendency to become drunk on violence, a condition to which they are quickly addicted." 

Missionaria Protectiva, Text QIV (decto) 
CH:D 59 





</blockquote>



-- 
Wolf Halton 
This Apt Has Super Cow Powers - http://sourcefreedom.com 
Open-Source Software in Libraries - http://FOSS4Lib.org 
Advancing Libraries Together - http://LYRASIS.org 
Apache Open Office Developer wolfhalton at apache.org 



