LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for November 27, 2008

LWN.net Weekly Edition for November 20, 2008

MinGW and why Linux users should care

LWN.net Weekly Edition for November 13, 2008

NLUUG/ELCE: Embedded devices and free software

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

ssh and security

ssh and security

Posted Dec 6, 2003 4:20 UTC (Sat) by dlang (subscriber, #313)
In reply to: ssh and security by giraffedata
Parent article: ssh and security

I am warning that the strength of the authentication that ssh provides is only as good as the security on the remote machine. if it's a strongly protected machine you can say with a fair amount of confidence that the ssh connection really is from the user that you say that it is, if the remote machine is something you have no idea what it's configuration is then you really don't know if the ssh connection comeing from it is really the person it says it is.

as a result the ssh user authentication is not good enough for the use that it is routinly put to.

I'm not saying that both sides of the authentication need to be seperate from ssh, but I am saying that the client side needs to be seperate so that a remote comprimise doesn't grant access.

there was a story a year or so ago about someone who was putting keystroke sniffers on the public access machines at kinkos. this would mean that anyone who used ssh from those machines becomes a direct threat to the servers that they log into.

for opensource project servers with hundreds or thousands of users can you really trust that there isn't SOMEONE in this group that uses ssh from a insecure machine? as soon as someone does then that account could become a stepping stone for an exploit like Debian suffered where a local exploit is essentially the same as a remote exploit.

You are right about the core being the need to move authentication out from the general purpose system, but there is the additional layer of trying to shock people out of their complacency and the growing mindset that ssh == secure

in addition there is a slight hope that if enough people find the argument reasonable that openssh can pickup a modification that will allow this to take place easily ;-)

(Log in to post comments)

PDAs and ssh and security

Posted Dec 11, 2003 23:02 UTC (Thu) by eli (subscriber, #11265) [Link]

As an admittedly partial step in the direction you describe in your letter, you might
consider that many developers have PDAs that could be used in the
challenge-response process. Have a key on the pda and generate the response
from it (and maybe the time). (I'm envisioning the pda displaying it for the user to
enter.)

I store my passwords on my PDA (encrypted with a master password), so this would
be the next logical step. I'd feel a whole lot better with a setup like that for my home
PCs.

Thoughts?

PDAs and ssh and security

Posted Dec 12, 2003 22:47 UTC (Fri) by dlang (subscriber, #313) [Link]

a PDA does a good job of this and can replace a hardware token.

ASSUMING that the contents of the PDA are secured appropriatly.

for example if the application checks your password and then if it matches gives you access to a datafile someone else can get access to the data if you sync it to your desktop.

however if the data on the PDA is encrypted with no encryption key ever stored on the PDA then it's much better

for example if you need to store a 64 bit key on the PDA the best way I've seen is to ask the user for a PIN and then encrypt the key useing that PIN and store the result, when the user needs to access the key have them enter a PIN and use that to decrypt the key, the thing that makes this work is that the key is a random binary blob, an attacker has no way of knowing if it decrypted sucessfully or not, the only way to know is to attempt to use it to access another system. this means that even with a 4 digit PIN it will take an average of 500 login attempts to find that it's right, giveing you a chance to notice (to many bad login protection)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds