SCIENTIFIC-LINUX-USERS Archives

October 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Rhys Morris <[log in to unmask]>
Reply To: Rhys Morris <[log in to unmask]>
Date: Thu, 2 Oct 2008 16:14:51 +0100
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (72 lines)
The disadvantage of ssh keys was made clear to us recently when a 
machine in a different University was root compromised. The attackers 
stole all the ssh keys they could find, and briefly obtained access to 
my systems via the account of a former student.

Should you allow ssh key access from machines you have no control 
over?

Something to ponder,

Rhys

On Thu, 2 Oct 2008, Robert E. Blair wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Another alternative is to turn off password authentication and allow
> only public key.  This way the brute forcers can guess all they want and
> never get lucky.  If you need a "card" you can always put your encrypted
> private key / public key pair on a thumb drive which is a very low cost
> option that fits on your keychain.  I believe this approach is
> reasonably platform independent (but I don't use windows so I do not
> speak with authority on this).
>
> Cheers,
> Bob Blair
>
>
> Brett Viren wrote:
>> Faye Gibbins <[log in to unmask]> writes:
>>
>>> Dr Andrew C Aitchison wrote:
>>>
>>>> ssh-agent means that although the ssh keys aren't stored on disk
>>>> they *are* held in memory much of the time. Given that many laptops
>>>> are suspended and rarely rebooted, do you have a way of ensuring
>>>> that the machine regularly reconfirms the user's identity ?
>>>>
>>> Kerberosized ssh.
>>
>> Another, somewhat arcane, option is to use OpenPGP smart cards along
>> with GnuPG's gpg-agent.  The keys remain on the card and the card does
>> the PGP authentication.  Take the card out of the reader and no
>> subsequent authentication can be done.
>>
>> I've evaluated this method and it does work but requires some amount
>> of effort to set up.  As far as I know there is only one supplier[1].
>> I also don't expect it to work on non-Linux platforms.  But, besides
>> all these negatives, it is a nice solution that also gives the user
>> the usual benefits of PGP.
>>
>>
>> -Brett.
>>
>> [1] http://www.g10code.com/p-card.html
>
> - --
> Robert E. Blair, Room E277, Building 362
> Argonne National Laboratory (High Energy Physics Division)
> 9700 South Cass Avenue, Argonne, IL 60439, USA
> Phone: (630)-252-7545  FAX: (630)-252-5782
> GnuPG Public Key: http://www.hep.anl.gov/reb/key.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFI5NenOMIGC6x7/XQRAr+zAJ9mWyN9D06N49OiQEdwT1A1NMhA0ACgumk9
> odDk4dw+dAWr0Q88RTmTGF4=
> =1PEQ
> -----END PGP SIGNATURE-----
>
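Two of the points in this thread are easy to check mechanically: whether a key in authorized_keys may be used from any host at all (Rhys's question about machines you do not control), and whether an sshd_config really has password authentication switched off (Bob's suggestion). The script below is an added example, not code from anyone on the list; the authorized_keys lines and sshd_config fragments are constructed samples, and the key bodies are placeholders rather than real keys. It uses only standard awk and the documented `from=` option of authorized_keys.

```shell
#!/bin/sh
# Added example: two small audit helpers for the thread's advice.
# Sample inputs below are constructed; "EXAMPLEKEY" bodies are placeholders, not real keys.

# 1. Which authorized_keys entries carry no from="..." restriction?
#    A key without "from=" is accepted from any client address, including a
#    compromised machine that stole the private key. Reads authorized_keys
#    text on stdin and prints the comment (last field) of each unrestricted key.
unrestricted_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }        # skip comment and blank lines
        $0 !~ /(^|,)from=/   { print $NF }   # no from= option in the option list
    '
}

# Number of unrestricted keys on stdin (plain integer, no padding).
count_unrestricted() {
    unrestricted_keys | awk 'END { print NR }'
}

# 2. What is the effective PasswordAuthentication value in an sshd_config?
#    sshd uses the FIRST occurrence of a keyword, so a later duplicate is ignored.
#    Prints the first non-comment value ("yes"/"no"), or "default" if absent
#    (the compiled-in default is yes, i.e. passwords are accepted).
password_auth_setting() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    '
}

# Constructed sample: one restricted key (middle line) and two unrestricted ones.
SAMPLE_AUTHORIZED_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAEXAMPLEKEY1 student@oldlab
from="10.0.0.0/8,*.example.edu",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAEXAMPLEKEY2 staff@ourhost
# retired key, kept for reference
ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLEKEY3 visitor@elsewhere'

# Constructed sshd_config fragments: one hardened as Bob describes, one that
# only looks hardened because the "no" line is commented out.
SAMPLE_SSHD_HARDENED='# constructed sshd_config fragment
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# this later duplicate is ignored by sshd: the first value wins
PasswordAuthentication yes'

SAMPLE_SSHD_WEAK='# constructed sshd_config fragment
Protocol 2
#PasswordAuthentication no
PubkeyAuthentication yes'

# Stand-alone demo run.
echo "keys usable from any host:"
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | unrestricted_keys
echo "hardened config -> $(printf '%s\n' "$SAMPLE_SSHD_HARDENED" | password_auth_setting)"
echo "weak config     -> $(printf '%s\n' "$SAMPLE_SSHD_WEAK" | password_auth_setting)"
```

To run it against a real system, replace the samples with `unrestricted_keys < ~user/.ssh/authorized_keys` and `password_auth_setting < /etc/ssh/sshd_config`. The `from=` check is deliberately coarse: a key can also be confined with `command=` or similar options, but only `from=` addresses the question of which machines may present it. For the ssh-agent concern raised by Andrew, `ssh-add -t <seconds>` loads a key with a lifetime after which the agent forgets it, and `ssh-add -D` drops all loaded identities, which is a cheap way to force a laptop user to reconfirm identity after a suspend.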
