From: Mark Janssen <maniac.nl-AT-gmail.com>
To: Davi Diaz <davi-AT-leals.com>
Subject: Re: OpenSSH daemon security bug?
Date: Tue, 5 Jan 2010 16:21:34 +0100

On Tue, Jan 5, 2010 at 4:01 PM, Davi Diaz <firstname.lastname@example.org> wrote:
> A co-worker argues we can login using only password to a "ssh-key restricted
> host (PasswordAuthentication no)", without being asked by any passphrase; just
> by putting a key (no need to be the private key) on another password-based
> Is that true? I do not think so. I would name that as an "important OpenSSH
> daemon security bug". That is because I think it is not true.
You can only login using keys if the public key is included in the
'authorized_keys' file on the server. The ssh client will read the
private key (passphrased or not, ask for a passphrase if needed (or
read from an agent)).
The server has no way of knowing if the key had a passphrase (was
encrypted), as it never sees the private key. The private key is only
used for authentication/encryption on the client-side.
> co-worker wrote:
>> You cannot distinguish passphrased keys from passphraseless ones.
True (server never sees the key, only the result of computations on
the decrypted key)
> I think the OpenSSH daemon will take care to ask for a key passphrase before
> using a key to open an encrypted channel.
False, the client handles keys
> A ssh key which requires a ssh passphrase to be usable can not be used to open
> a ssh connection if such ssh passphrase is not provided, as it is part of the
> encryption algorithm.
> I know we can create ssh keys without passphrases (useful for unattended
> backups, scripts and so on). However our users will be told not to do that,
> of course, as they are told not to create weak passwords.
> co-worker wrote:
>> I am all for encouraging key-based logins, but I think disabling
>> password logins completely actually reduces security.
I must agree here, while keys are better than passwords, it's
impossible to enforce passphrase quality on keys, while it is possible
to enforce some quality on passwords.

Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178
Unix / Linux Open-Source and Internet Consultant @ Snow.nl
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet
openssh-unix-dev mailing list
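
The reply above says the passphrase is handled entirely on the client, so any check for passphraseless keys has to look at the key file itself. The following is an added example, not part of the original thread: it reads the cleartext header of a private key in the current `openssh-key-v1` file format (an assumption; other key formats are not handled) and reports whether the private section is encrypted. The two sample keys are constructed containers with placeholder key bytes, and all function names are hypothetical.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def _string(buf, off):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    start = off + 4
    if start + n > len(buf):
        raise ValueError("truncated key file")
    return buf[start:start + n], start + n

def inspect_private_key(pem_text):
    """Return (cipher, kdf, public_blob) from the unencrypted header.
    cipher == 'none' means no passphrase protects the private section."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an openssh-key-v1 private key")
    raw = base64.b64decode("".join(lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _string(raw, off)
    kdf, off = _string(raw, off)
    _kdfopts, off = _string(raw, off)      # salt and rounds when kdf is bcrypt
    (nkeys,) = struct.unpack_from(">I", raw, off)
    if nkeys != 1:
        raise ValueError("expected exactly one key")
    public_blob, off = _string(raw, off + 4)
    return cipher.decode(), kdf.decode(), public_blob

def _sample(cipher, kdf, kdfopts, public_blob, private_section):
    """Build a constructed container for the demo (placeholder key material)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    raw = (MAGIC + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1)
           + s(public_blob) + s(private_section))
    return "\n".join([BEGIN, base64.b64encode(raw).decode(), END])

# Constructed samples: same public key, once without and once with a passphrase.
PUB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
PLAIN = _sample(b"none", b"none", b"", PUB, b"\x00" * 64)
LOCKED = _sample(b"aes256-ctr", b"bcrypt", b"\x00" * 24, PUB, b"\xff" * 64)
```

Both samples yield the same public blob, which is the only part the server compares against `authorized_keys`; only the cipher field in the client's file differs.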