
SSH: passwords or keys?

SSH: passwords or keys?

Posted Jan 14, 2010 17:17 UTC (Thu) by drag (subscriber, #31333)
In reply to: SSH: passwords or keys? by paulj
Parent article: SSH: passwords or keys?

To me keys are just bad news all around for any organization.

Kerberos all the way. That is really the only way to do it and it's sad
that it's still a PITA to get something that should be dead simple
nowadays.

There is a reason why the OpenSSH folks refuse to implement PKI, which is
really what you want to do if you're into key management. There are just lots
of problems to an approach like that. Kerberos is just much better.

If you want to do things securely without kerberos then an option is to do a
combination of passwords with a one time password. There are numerous
little doo-dads you can do that as well as programs you can install on a
cell phone or other java-enabled device.

Now it sucks because a lot of people use ssh keys for automation. I think
that there has to be a better way.



SSH: passwords or keys?

Posted Jan 14, 2010 17:25 UTC (Thu) by mmcgrath (guest, #44906) [Link]

So my kerberos knowledge is admittedly limited but we've had that talk a couple of times as well. Here are the concerns (the first is kind of unique)

1) No one works with the Fedora Project as their only job. Which means it's likely some people will have to register with two kerberos environments in order to do their day job and work on Fedora. My understanding is that's fairly complex and not all of our contributors are very technical.

2) If someone has my password and ssh key, doesn't kerberos not do anything to protect at that point? That's why we're thinking hardware key, but some of our admins are very opposed to it.

/me invites anyone interested to join the fedora-infrastructure-list and discuss this. It's a topic we take pretty seriously.

SSH: passwords or keys?

Posted Jan 14, 2010 18:08 UTC (Thu) by drag (subscriber, #31333) [Link]

I've never done multiple domains on a kerberos system, but it should not be terribly difficult as long as the users are comfortable using the kerberos tools. You just can't use to as part of the automated login process. There is nothing stopping you after you log in to add more credentials manually though using the command line.

> 2) If someone has my password and ssh key, doesn't kerberos not do anything to protect at that point? That's why we're thinking hardware key, but some of our admins are very opposed to it.

Yes. You're screwed. But if you think about it the only way that happens normally is if the attacker has violated your user's desktop, right? So you're going to be screwed pretty much no matter what. If the machine you're coming in on is rooted then you're f-ed pretty much no matter what.

The weakest link is always going to be the user's password. You can make the system and the desktop as secure as possible, but the number one security problem nowadays stems generally from users.

If you're worried about weak passwords then use PAM in combination with a one-time pad/password. The pad can be generated by hardware, which is probably the thing you're looking at, or manually entered in combination with a java applet on a phone or key dongle or something like that. That way you get your 2-factor authentication: the password generated by the user and the password generated by one-time-pad-thingy. There are a few projects like that.

But that is a pretty easy way to piss off your end users. Being fairly nazi about password policies, implementing kerberos, and disabling shared key support is probably the best/safest bet for an organization. There is not really much you can do to get around this human-based weakest link.

For a small number of machines and if you got a small group (say 3-4, probably less than 10) then ssh keys make sense.

Also there are other things you can do. For example on my machines for a while I stored a 'key' on a USB drive and used that. There are PAM modules that will look for that key and allow me to log in or not in addition to me having the correct password, but that requires physical access to the machine, so it is very hateful.

If anything other than keys are just unacceptable then there are third party patches that will actually add PKI support to OpenSSH, but there are good reasons why the OpenBSD folks are refusing to accept them into the normal OpenSSH source code distribution. I'd probably take some time to understand those reasons before deploying a PKI OpenSSH solution.

All of this is just my opinion, of course. And only really is relevant in the broad sense, even if I am not wrong. Don't take it as gospel no matter what you do!! Each Org is different with different requirements and different needs!

SSH: passwords or keys?

Posted Jan 14, 2010 22:15 UTC (Thu) by paulj (subscriber, #341) [Link]

Hi,

Do you mean:

a) 1 user accessing services authenticated via 2 separate Kerberos systems?

or

b) Kerberos systems co-operating, such that 1 system will accept user
credentials issued by the other?

The former is really easy. The user can authenticate with multiple kerberos
realms quite easily, just by specifying different ticket caches when using kinit
(I open a new session and set KRB5CCNAME).

The latter is cross-realm authentication and requires joint-administrative
fiddling to set up.

I think you mean the former, which is not a problem at all.

SSH: passwords or keys?

Posted Jan 14, 2010 22:26 UTC (Thu) by mmcgrath (guest, #44906) [Link]

> a) 1 user accessing services authenticated via 2 separate Kerberos systems?

Yeah I mean that. We have kerberos at $DAYJOB. The real concern isn't so much that someone technical (myself) could get it working. But more to make sure that people less technical (say, an art designer in their first year of college) could access both locations without confusion.

Some contributors get confused just generating ssh key pairs.

SSH: passwords or keys?

Posted Jan 14, 2010 22:53 UTC (Thu) by foom (subscriber, #14868) [Link]

> The former is really easy. The user can authenticate with multiple kerberos
> realms quite easily, just by specifying different ticket caches when using kinit
> (I open a new session and set KRB5CCNAME).

You call that *easy*??

However, IIRC from last I used kerberos, you can actually kinit to multiple realms just fine without
setting random environment variables.

SSH: passwords or keys?

Posted Jan 15, 2010 12:27 UTC (Fri) by paulj (subscriber, #341) [Link]

It's not random, it's documented in the kinit manual page.

You need an environment variable really, otherwise every krb5-or-GSS using
client you run needs to have an explicit option (argument, conf file, and/or in the
UI) to specify the ticket cache.

It's not as transparent as using SSH keys though, unfortunately.
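
The per-realm ticket cache approach discussed in this subthread (kinit plus KRB5CCNAME), as an added shell example that is not from any of the posters. The helper names `krb_cache_for`, `krb_use`, `krb_login` and `krb_with`, and the cache file naming, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: one ticket cache per Kerberos realm, selected via KRB5CCNAME.
# Helper names and the cache path layout are hypothetical, not from the thread.

# Print the cache location for a realm. Realm names are restricted to letters,
# digits, dot and hyphen so a name can never point outside the cache directory.
krb_cache_for() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*) printf 'bad realm: %s\n' "$1" >&2; return 1 ;;
    esac
    printf 'FILE:%s/krb5cc_%s_%s\n' "${TMPDIR:-/tmp}" "$(id -u)" "$1"
}

# Point this shell, and every krb5/GSS client started from it, at one realm.
krb_use() {
    cache=$(krb_cache_for "$1") || return 1
    KRB5CCNAME=$cache
    export KRB5CCNAME
}

# Obtain a ticket for user@REALM; it lands in that realm's own cache.
krb_login() {
    case $1 in
        *@*) ;;
        *) printf 'usage: krb_login user@REALM\n' >&2; return 1 ;;
    esac
    krb_use "${1##*@}" && kinit "$1"
}

# Run a single command against a realm without changing the current shell,
# e.g. "krb_with REALM klist" to inspect that realm's tickets.
krb_with() {
    realm=$1; shift
    cache=$(krb_cache_for "$realm") || return 1
    env KRB5CCNAME="$cache" "$@"
}
```

Sourced from a shell profile, `krb_login` with a day-job principal and then with a project principal leaves two independent caches, and `krb_use` or `krb_with` selects which one ssh and other GSSAPI clients see.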


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds