| |||||||||||||
SSH: passwords or keys?SSH: passwords or keys?Posted Jan 19, 2010 7:19 UTC (Tue) by hppnq (guest, #14462)In reply to: SSH: passwords or keys? by mmcgrath Parent article: SSH: passwords or keys? In the real world (a datacenter, for instance) systems can't be rebooted because of ssh-agent, with obvious security and maintenance consequences. There has to be a procedure that contains the passphrase in clear text, for obvious reasons. Even if there is time and money and you have stored your passphrase in the Pentagon vault, the security problem is not solved by simply rebooting and typing in the passphrase. There is the risk of someone sniffing the passphrase or being able to hijack the session or otherwise fool ssh-agent. Your example is a rather contrived one in that it highlights only a small part of the problem and solution space. The problem of protecting a running ssh-agent is remarkably similar to protecting an unencrypted key. And I would definitely worry if someone got their hands on my encrypted key also, by the way.
(Log in to post comments)
SSH: passwords or keys? Posted Jan 19, 2010 14:05 UTC (Tue) by mmcgrath (subscriber, #44906) [Link]
> In the real world (a datacenter, for instance) systems can't be rebooted because of ssh-agent, with obvious security and maintenance consequences. There has to be a procedure that contains the passphrase in clear text, for obvious reasons.
All of my servers are in a data center. When they reboot, I (or another admin) log in and start the agent. Surely you thought this through and realized that?
SSH: passwords or keys? Posted Jan 20, 2010 9:40 UTC (Wed) by hppnq (guest, #14462) [Link] Sorry if it was not clear, but the whole point of my comment was of course that logging in to type a passphrase is not an option, for several given reasons. I wanted to point out that -- contrary to what you suggested -- running ssh-agents is not making things more secure by default. Especially if you worry -- as you seem to be doing -- about the kind of incidents that involve unauthorized access to systems and disks.
SSH: passwords or keys? Posted Jan 20, 2010 19:59 UTC (Wed) by nix (subscriber, #2304) [Link]
Of course, for use by humans, an agent and a passphrased key is strictly
better than a nonpassphrased key. (But that wasn't the case you were discussing.)
SSH: passwords or keys? Posted Jan 20, 2010 20:03 UTC (Wed) by mmcgrath (subscriber, #44906) [Link]
Sorry but I don't lax my security for bots that run commands unattended. If you're running raid1 and someone comes and takes a drive. You can pretend all you want that your private ssh key is safe. Me? I know it is.
SSH: passwords or keys? Posted Jan 20, 2010 21:32 UTC (Wed) by nix (subscriber, #2304) [Link]
Again, it is not always possible to have humans bash things in to all
systems that run unattended and have to connect to other systems. For that subset, nonpassphrased keys are reasonable. (For the application I'm thinking of, if they steal the drive we silently fail over, and, ooh, the attackers would be able to run a backup without our knowledge! How terrible! Of course, if they've stolen the drive, they're going to be on the wrong side of a firewall anyway. This isn't *my* private SSH key: this is a key created specifically to allow a single backup daemon to stream backups to the backup server. That's all.)
SSH: passwords or keys? Posted Jan 21, 2010 15:04 UTC (Thu) by nye (guest, #51576) [Link]
>Of course, for use by humans, an agent and a passphrased key is strictly better than a nonpassphrased key.
In general, yes. *Strictly*, no.
Here is an example of when I have used a non-passphrased key. It may seem contrived now, but it was in real use at the time:
Back in ye days of dial-up, I had one machine with a modem in it, connected to the phone line. Dial-on-demand was not an option, as the line was also used for voice, so we needed more control about when to connect, so that left the problem of how to initiate (and terminate) a connection from any other machine. The simplest solution was to use a passphraseless SSH key, permitted to perform both of those tasks and nothing else. None of the users (read: my family) used SSH for anything else, so using an agent would be indistinguishable from not having one.
So, what's the extent of the possible damage?
If somebody had broken into the house and stolen one of the computers with the key on, then they would have gained the ability to connect to the internet the next time they broke in, without having to bring their own modem or subvert the machine plugged in to the phone line. I wouldn't consider that a particularly pressing concern given that *there's somebody in my house dismantling my computers*.
I suppose the most obvious counter-argument is that this is a task which could easily have been done using something other than SSH, but it was still the simplest solution.
SSH: passwords or keys? Posted Jan 22, 2010 15:27 UTC (Fri) by nix (subscriber, #2304) [Link]
True. Perhaps a better way of saying it is that keys which allow the
carrying out of functions which you do not want a random thief to be able to carry out, or keys which allow anything (J. Random Normal SSH Identity) should be passphrased. The rest don't need to be, because nothing bad will happen if random people get the ability to do whatever that key allows.
(Also, keys stored in a location where the key can't be stolen, e.g. in a
SSH: passwords or keys? Posted Jan 19, 2010 14:40 UTC (Tue) by mmcgrath (subscriber, #44906) [Link]
Just as a side note to this, are you also not using encrypted filesystems at any of your remote locations?
|
|||||||||||||