From: Mark Janssen <maniac.nl-AT-gmail.com>
To: Davi Diaz <davi-AT-leals.com>
Subject: Re: OpenSSH daemon security bug?
Date: Tue, 5 Jan 2010 16:21:34 +0100
On Tue, Jan 5, 2010 at 4:01 PM, Davi Diaz <email@example.com> wrote:
> A co-worker argues we can log in using only a password to a "ssh-key restricted
> host (PasswordAuthentication no)", without being asked for any passphrase; just
> by putting a key (no need to be the private key) on another password-based
> host.
>
> Is that true? I do not think so. I would name that as an "important OpenSSH
> daemon security bug". That is because I think it is not true.

You can only log in using keys if the public key is included in the
'authorized_keys' file on the server. The ssh client will read the private key
(passphrased or not, ask for a passphrase if needed (or read from an agent)).
The server has no way of knowing if the key had a passphrase (was encrypted),
as it never sees the private key. The private key is only used for
authentication/encryption on the client side.

> co-worker wrote:
>> You cannot distinguish passphrased keys from passphraseless ones.

True (the server never sees the key, only the result of computations on the
decrypted key).

> I think the OpenSSH daemon will take care to ask for a key passphrase before
> using a key to open an encrypted channel.

False, the client handles keys.

> A ssh key which requires a ssh passphrase to be usable cannot be used to open
> a ssh connection if such ssh passphrase is not provided, as it is part of the
> encryption algorithm.

False.

> I know we can create ssh keys without passphrases (useful for unattended
> backups, scripts and so on). However our users will be told not to do that,
> of course, as they are told not to create weak passwords.
>
>
> co-worker wrote:
>> I am all for encouraging key-based logins, but I think disabling
>> password logins completely actually reduces security.

I must agree here. While keys are better than passwords, it's impossible to
enforce passphrase quality on keys, while it is possible to enforce some
quality on passwords.

-- 
Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178           | ,''`.
 Unix / Linux Open-Source and Internet Consultant @ Snow.nl       | : :' :
 Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl                      | `. `'
 Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet       |   `-
_______________________________________________
openssh-unix-dev mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
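The reply's point is that the server never learns whether a private key was passphrase-protected, so a "no passphraseless keys" policy can only be checked on the host holding the private key file. As an added example (not code from the original post or from OpenSSH), the Python below inspects a private key file's container and reports whether the key material is encrypted: for the modern openssh-key-v1 format it reads the ciphername/kdfname header fields, for legacy PEM it looks for the Proc-Type/DEK-Info headers, and for PKCS#8 it uses the BEGIN line. The sample keys it tests are constructed headers with placeholder key material, not real keys.

```python
import base64
import struct

def _ssh_string(b):  # SSH wire string: uint32 length prefix + data
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):  # inverse of _ssh_string; returns (data, new offset)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def private_key_is_encrypted(pem_text):
    """True if the private key is passphrase-protected, False if stored in the clear.
    Handles the OpenSSH container, legacy PEM and PKCS#8; ValueError otherwise."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        # Header begins with ciphername and kdfname; "none"/"none" means no passphrase.
        cipher, off = _read_string(blob, len(magic))
        kdf, _ = _read_string(blob, off)
        return not (cipher == b"none" and kdf == b"none")
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        if "ENCRYPTED" in lines[0]:  # PKCS#8: "BEGIN ENCRYPTED PRIVATE KEY"
            return True
        # Legacy PEM (RSA/DSA/EC) marks encrypted keys with Proc-Type/DEK-Info headers.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    raise ValueError("unrecognised private key container")

def _constructed_openssh_container(cipher, kdf):
    """Minimal openssh-key-v1 file with the given header; constructed for this
    example, the sections after the header are placeholders rather than a key."""
    body = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1) + _ssh_string(b"placeholder"))
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples: real container layout, placeholder key material.
PLAINTEXT_KEY = _constructed_openssh_container(b"none", b"none")
ENCRYPTED_KEY = _constructed_openssh_container(b"aes256-ctr", b"bcrypt")
LEGACY_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
"""
```

Run over the key files under users' ~/.ssh on a client host, this flags keys stored in the clear; it says nothing about passphrase strength, which, as the reply notes, cannot be checked from the file at all.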