SCIENTIFIC-LINUX-USERS Archives

October 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Dr Andrew C Aitchison <[log in to unmask]>
Reply To: Dr Andrew C Aitchison <[log in to unmask]>
Date: Thu, 2 Oct 2008 16:44:21 +0100
On Thu, 2 Oct 2008, Rhys Morris wrote:

> The disadvantage of ssh keys was made clear to us recently when a machine in 
> a different University was root compromised. The attackers stole all the ssh 
> keys they could find, and briefly obtained access to my systems via the 
> account of a former student.
>
> Should you allow ssh key access from machines you have no control over?

The technical answer is
 	ssh keys should always be passphrase protected

Unfortunately the biggest selling point to users is that ssh keys
can be generated without a password/phrase, so they do.
ssh-agent means that if they set things up right they only have to
enter the passphrase once per session* but is that enforceable?

* or possibly every now and then when it has expired, which would
give some protection against anyone wandering up to an idle machine.

-- 
Dr. Andrew C. Aitchison		Computer Officer, DPMMS, Cambridge
[log in to unmask]	http://www.dpmms.cam.ac.uk/~werdna
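
The passphrase rule discussed above can at least be checked on hosts you administer. The following is an added example, not part of the original message: it reports private key files stored without a passphrase by inspecting the legacy PEM `Proc-Type` header, the PKCS#8 label, and the cipher name in the newer `openssh-key-v1` format (which postdates this thread). The function names and the sample keys are constructed for illustration.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\0"

def openssh_sample(cipher: bytes) -> str:
    """Constructed sample: an openssh-key-v1 header carrying only the cipher name."""
    blob = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{blob}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples with placeholder bodies, not real key material.
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUFBQQ==\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "QUFBQQ==\n-----END RSA PRIVATE KEY-----\n")

def key_is_encrypted(text: str):
    """True/False for a recognised private key file, None for anything else."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    head = lines[0] if lines else ""
    if not (head.startswith("-----BEGIN ") and head.endswith("PRIVATE KEY-----")):
        return None
    label = head[len("-----BEGIN "):-len("-----")]
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8 encrypted container
        return True
    if label == "OPENSSH PRIVATE KEY":        # cipher name follows the magic string
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return None
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return None
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return cipher != b"none" if len(cipher) == n else None
    # Legacy PEM (RSA/DSA/EC) marks encryption with a Proc-Type header.
    return any(ln.replace(" ", "") == "Proc-Type:4,ENCRYPTED" for ln in lines[1:3])

def find_unprotected_keys(root):
    """Return paths under root whose private key is stored without a passphrase."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        try:
            text = path.read_text(errors="ignore") if path.is_file() else ""
        except OSError:
            continue
        if key_is_encrypted(text) is False:
            hits.append(str(path))
    return hits
```

An SSH server cannot see whether a client's private key is encrypted, so this only audits key files on machines whose filesystems you can read.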
