SSH: passwords or keys?
Posted Jan 18, 2010 22:07 UTC (Mon) by mmcgrath (guest, #44906)
I use an agent. Ever had to get a drive replaced? Ever had your boss ask you what was on that drive?
Posted Jan 18, 2010 23:23 UTC (Mon) by nix (subscriber, #2304)
Posted Jan 18, 2010 23:57 UTC (Mon) by mmcgrath (guest, #44906)
heh, the thing you're now missing is an unencrypted ssh key. Be it stolen, copied, or just not disposed of properly (like the case of an old drive). An unencrypted ssh key is much more useful for causing damage than an encrypted one. So what if you have to unlock it on reboot?
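Editor's added example (not code from the thread or from any poster): a check an admin could run over key files before a drive leaves their hands, reporting whether each private key is passphrase-protected. It goes beyond the thread by covering PKCS#8 and the later `openssh-key-v1` container as well as legacy PEM; the sample keys are constructed dummies and the helper names are hypothetical.

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\0"

def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def key_protection(pem_text):
    """Return 'encrypted', 'unencrypted' or 'unknown' for private key text."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----",
                  pem_text, re.S)
    if not m:
        return "unknown"
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":        # PKCS#8 encrypted container
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":          # cipher name sits in the header
        try:
            blob = base64.b64decode("".join(body.split()), validate=True)
            if not blob.startswith(OPENSSH_MAGIC):
                return "unknown"
            cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        except (ValueError, struct.error):
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    if label.endswith("PRIVATE KEY"):           # legacy PEM or plain PKCS#8
        legacy = re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.M)
        return "encrypted" if legacy else "unencrypted"
    return "unknown"

def _s(b):
    return struct.pack(">I", len(b)) + b

def constructed_openssh_key(cipher):
    """Constructed sample: well-formed header, empty key sections (not usable)."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (OPENSSH_MAGIC + _s(cipher) + _s(kdf) + _s(b"")
            + struct.pack(">I", 1) + _s(b"") + _s(b""))
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy PEM sample with a dummy IV and body.
CONSTRUCTED_LEGACY_ENCRYPTED = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"
```

A result of `unknown` means the text was not a recognisable private key (for example a public key line or a truncated file) and should be inspected by hand.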
Posted Jan 19, 2010 7:19 UTC (Tue) by hppnq (guest, #14462)
Even if there is time and money and you have stored your passphrase in the Pentagon vault, the security problem is not solved by simply rebooting and typing in the passphrase. There is the risk of someone sniffing the passphrase or being able to hijack the session or otherwise fool ssh-agent.
Your example is a rather contrived one in that it highlights only a small part of the problem and solution space. The problem of protecting a running ssh-agent is remarkably similar to protecting an unencrypted key. And I would definitely worry if someone got their hands on my encrypted key also, by the way.
Posted Jan 19, 2010 14:05 UTC (Tue) by mmcgrath (guest, #44906)
All of my servers are in a data center. When they reboot, I (or another admin) log in and start the agent. Surely you thought this through and realized that?
Posted Jan 20, 2010 9:40 UTC (Wed) by hppnq (guest, #14462)
Posted Jan 20, 2010 19:59 UTC (Wed) by nix (subscriber, #2304)
Posted Jan 20, 2010 20:03 UTC (Wed) by mmcgrath (guest, #44906)
Posted Jan 20, 2010 21:32 UTC (Wed) by nix (subscriber, #2304)
Posted Jan 21, 2010 15:04 UTC (Thu) by nye (guest, #51576)
In general, yes. *Strictly*, no.
Here is an example of when I have used a non-passphrased key. It may seem contrived now, but it was in real use at the time:
Back in ye days of dial-up, I had one machine with a modem in it, connected to the phone line. Dial-on-demand was not an option, as the line was also used for voice, so we needed more control about when to connect, so that left the problem of how to initiate (and terminate) a connection from any other machine. The simplest solution was to use a passphraseless SSH key, permitted to perform both of those tasks and nothing else. None of the users (read: my family) used SSH for anything else, so using an agent would be indistinguishable from not having one.
So, what's the extent of the possible damage?
If somebody had broken into the house and stolen one of the computers with the key on, then they would have gained the ability to connect to the internet the next time they broke in, without having to bring their own modem or subvert the machine plugged in to the phone line. I wouldn't consider that a particularly pressing concern given that *there's somebody in my house dismantling my computers*.
I suppose the most obvious counter-argument is that this is a task which could easily have been done using something other than SSH, but it was still the simplest solution.
Posted Jan 22, 2010 15:27 UTC (Fri) by nix (subscriber, #2304)
(Also, keys stored in a location where the key can't be stolen, e.g. in a
Mars rover, are probably safe nonpassphrased. :) )
Posted Jan 19, 2010 14:40 UTC (Tue) by mmcgrath (guest, #44906)
Posted Jan 19, 2010 9:36 UTC (Tue) by nix (subscriber, #2304)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.