LWN.net Logo

Advertisement

TrustCommerce

E-Commerce & credit card processing - the Open Source way!

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Press page

Recent Features

Tux3: the other next-generation filesystem

LWN.net Weekly Edition for November 27, 2008

LWN.net Weekly Edition for November 20, 2008

MinGW and why Linux users should care

LWN.net Weekly Edition for November 13, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Secure Cooking with Linux, Part 1 (O'ReillyNet)

[Posted June 20, 2003 by ris]

This O'ReillyNet article presents selected recipes from Linux Security Cookbook. "Public-key authentication lets you prove your identity to a remote host using a cryptographic key instead of a login password. SSH keys are more secure than passwords because keys are never transmitted over the network, whereas passwords are (albeit encrypted). Also, keys are stored encrypted, so if someone steals yours, it's useless without the passphrase for decrypting it. A stolen password, on the other hand, is immediately usable."
(Log in to post comments)

Secure Cooking with Linux, Part 1 (O'ReillyNet)

Posted Jun 21, 2003 2:13 UTC (Sat) by macemoneta (guest, #2717) [Link]

Unfortunately, most people that use key exchange do so for automated processes, and usually set no passphrase on the key. As a result, access to the host (like a stolen laptop) provides access to the system. A password in this case would be better, because it stays with the owner, not the equipment. It's important to evaluate the environment to determine the most secure and practical SSH authentication mechanism to use.

Secure Cooking with Linux, Part 1 (O'ReillyNet)

Posted Jun 21, 2003 6:37 UTC (Sat) by rknop (guest, #66) [Link]

On the other hand, if somebody is using an SSH key pair for automated script automation, then the alternative is that the password is directly encoded in the script. No more or less secure. As such, there's no advantage to using a password there.

What's more, it's *possible* to do automated script retreival, so long as you use an ssh agent and make sure that the person who starts the script also authorizes the agent using a key's passphrase. Then the script and the machines with the key are still as secure as that key's passphrase.

Personally, I use SSH public keys for logging in frequently. The use of ssh-agent makes this very convenient. Of course, if a laptop in suspend mode with an agent running gets stolen, my keys are all compromised. Similarly, if I walk away from my desk with an agent running (something I have to admit to frequently doing), anybody can get into not only my account on that machien but any machine I've authorized my keys on.

Still, more convenient than passwords, and I like that better than just using a .shosts file.

-Rob

Secure Cooking with Linux, Part 1 (O'ReillyNet)

Posted Jun 30, 2003 22:37 UTC (Mon) by daenzer (subscriber, #7050) [Link]

I always lock the display when walking away (it gets locked automatically after a couple of minutes should I forget) or putting the machine to sleep.

Secure Cooking with Linux, Part 1 (O'ReillyNet)

Posted Jun 21, 2003 9:33 UTC (Sat) by nicku (subscriber, #777) [Link]

I rely on the agent and keychain a great deal; mostly for convenient interactive access, but also for automating stuff from cron.  I use long passphrases, and with keychain, it is easy to log out of the system while the automated stuff continues to work.  The main problem once was when I was in Australia, my machine was in Hong Kong, and it was rebooted due to the power being cut off for power testing.  I had no access to it, since it was behind a firewall, and had to get physical access to the machine two weeks later to enter the passphrase again.  But yes, I love ssh and the convenience and relative security of public key authentication.

I have one problem; with gnome and Red Hat 8, 9, I get the "your login session lasted less than 10 seconds" error message while the gnome-ssh-askpass prompt appears.  Does anyone know how to solve this problem?  It has surfaced on a number of machines, particularly those that I upgraded rather than did a fresh install.  I'd love to understand why this happens and how to solve it.

Secure Cooking with Linux, Part 1 (O'ReillyNet)

Posted Jun 23, 2003 19:02 UTC (Mon) by edgewood (subscriber, #1123) [Link]

I use a key with a passphrase for interactive use, then create other keys with no passphrase for automated processes. That way I can lock down the privileges of the automation keys on the remote system, giving each one the exact privileges that they require do to the job, and nothing more.

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds