Subject: | |
From: | |
Reply To: | |
Date: | Thu, 2 Oct 2008 16:14:51 +0100 |
Content-Type: | TEXT/PLAIN |
Parts/Attachments: |
|
|
The disadvantage of ssh keys was made clear to us recently when a
machine in a different University was root compromised. The attackers
stole all the ssh keys they could find, and briefly obtained access to
my systems via the account of a former student.
Should you allow ssh key access from machines you have no control
over?
Something to ponder,
Rhys
On Thu, 2 Oct 2008, Robert E. Blair wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Another alternative is to turn off password authentication and allow
> only public key. This way the brute forcers can guess all they want and
> never get lucky. If you need a "card" you can always put your encrypted
> private key / public key pair on a thumb drive which is a very low cost
> option that fits on your keychain. I believe this approach is
> reasonably platform independent (but I don't us windows so I do not
> speak with authority on this).
>
> Cheers,
> Bob Blair
>
>
> Brett Viren wrote:
>> Faye Gibbins <[log in to unmask]> writes:
>>
>>> Dr Andrew C Aitchison wrote:
>>>
>>>> ssh-agent means that although the ssh keys aren't stored on disk
>>>> they *are* held in memory much of the time. Given that many laptops
>>>> are suspended and rarely rebooted, do you have a way of ensuring
>>>> that the machine regularly reconfirms the user's identity ?
>>>>
>>> Kerberosized ssh.
>>
>> Another, somewhat arcane, option is to use OpenPGP smart cards along
>> with GnuPG's gpg-agent. The keys remain on the card and the card does
>> the PGP authentication. Take the card out of the reader and no
>> subsequent authentication can be done.
>>
>> I've evaluated this method and it does work but requires some amount
>> of effort to set up. As far as I know there is only one supplier[1].
>> I also don't expect it to work on non-Linux platforms. But, besides
>> all these negatives, it is a nice solution that also gives the user
>> the usual benefits of PGP.
>>
>>
>> -Brett.
>>
>> [1] http://www.g10code.com/p-card.html
>
> - --
> Robert E. Blair, Room E277, Building 362
> Argonne National Laboratory (High Energy Physics Division)
> 9700 South Cass Avenue, Argonne, IL 60439, USA
> Phone: (630)-252-7545 FAX: (630)-252-5782
> GnuPG Public Key: http://www.hep.anl.gov/reb/key.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFI5NenOMIGC6x7/XQRAr+zAJ9mWyN9D06N49OiQEdwT1A1NMhA0ACgumk9
> odDk4dw+dAWr0Q88RTmTGF4=
> =1PEQ
> -----END PGP SIGNATURE-----
>
|
|
|