
[ale] Holy cow! Published in Slashdot!!



Isn't the whole asymmetric key security paradigm predicated on keeping
the private key, ya know, private?  Lose that part and the jig is up.


On Wed, 2013-01-02 at 20:41 -0500, Scott Plante wrote:
> I think it might be hard, in my case anyway, to eliminate all the log
> files, /etc/hosts entries, .ssh/config entries, and other locations
> that offer good guesses on where to try hacked ssh keys.
> 
> 
> By the way, to answer my own question, it appears that you only need
> the private key half to brute force a ssh key, and this project
> (possibly among others?) will do it. 
> http://www.leidecker.info/projects/phrasendrescher/index.shtml
> Therefore, there is no advantage to obfuscating your public keys or
> separating them from your private keys.
> 
> 
> Scott
> 
> ______________________________________________________________________
> From: "Wolf Halton" <wolf.halton at gmail.com>
> To: "Atlanta Linux Enthusiasts" <ale at ale.org>
> Sent: Monday, December 31, 2012 7:45:18 PM
> Subject: Re: [ale] Holy cow! Published in Slashdot!!
> 
> If you remove the human-readable user at server-example.com from the end
> of the keys in authorized_keys and maybe edit your history on the
> sending server, how will they know where to go, even if they are
> sitting at the console of your not-publicly-accessible workstation?
> 
> 
> I think authorized keys is the lesser evil.  I also shell in through a
> vpn tunnel to most of my servers, so unless they know my keyring
> password, they cannot access any machines anyway.
> 
> 
> 
> On Fri, Dec 28, 2012 at 11:37 AM, Scott Plante
> <splante at insightsys.com> wrote:
>         Presumably you're using ssh-agent & ssh-add, not just creating
>         keys without passphrases. Other than for some very limited
>         accounts designed for cron tasks, I can't see a good reason
>         for having ssh keys without a good passphrase. Then, even if
>         your box gets compromised the keys can't be used without the
>         passphrase (but you don't have to type it for each individual
>         ssh command either!) I used ssh for years before bothering to
>         learn how to set up ssh-agent/ssh-add. It's definitely made
>         life easier. Since you don't have to type it as often, you can
>         make a longer, more complex passphrase. I'd hate to type 16
>         characters for every ssh/scp I have to do!
>         
>         
>         Of course, once you have access to the public and private
>         keys, the passphrase could be brute forced without connecting
>         to the remote system, correct? In that sense, a passphrase is
>         less secure than a password you use to connect to a remote
>         system, as the remote system can detect incorrect guesses and
>         lock the account. Does it make sense to keep your public keys
>         separate from and not easily associated with your private
>         keys, just in case your box does get hacked? Do you need
>         the public key to brute force the passphrase on a private key?
>         
>         
>         Congrats, Charles!
>         
>         
>         Scott
>         
>         
>         ______________________________________________________________
>         From: "James Sumners" <james.sumners at gmail.com>
>         To: "Atlanta Linux Enthusiasts" <ale at ale.org>
>         Sent: Thursday, December 27, 2012 2:27:27 PM
>         Subject: Re: [ale] Holy cow! Published in Slashdot!!
>         
>         
>         Hell with that. I create a new key for each system and add an
>         entry to my ~/.ssh/config to use it. Thus, I use a unique key
>         for each system and forget all about using a password to
>         connect. 
>         
>         On Thursday, December 27, 2012, Michael B. Trausch wrote:
>                 On 12/27/2012 09:18 AM, Charles Shapiro wrote:
>                 > A lifelong ambition is fulfilled... I make
>                 Slashdot's front page (
>                 >
>                 http://yro.slashdot.org/story/12/12/26/1459248/lax-ssh-key-management-a-big-problem
>                 > ) !!
>                 >
>                 > charlesTheLurker is me... I reckon it's time to
>                 update the ol' resume.
>                 
>                 Awesome!  :-)
>                 
>                 Some of the comments on that article from people that
>                 claim to be in the
>                 field are a bit disturbing, though...
>                 
>                 Brings up an interesting point.  Moving away from
>                 passwords to cached
>                 private keys is something that most people _do_ see as
>                 lesser security,
>                 despite the fact that when properly managed it
>                 provides far better
>                 security.  I wonder how it is we're supposed to combat
>                 that problem.
>                 Education doesn't work; a lot of people's eyes glaze
>                 over if you try to
>                 explain to them how it provides superior security.
>                 
>                         --- Mike
>                 
>                 _______________________________________________
>                 Ale mailing list
>                 Ale at ale.org
>                 http://mail.ale.org/mailman/listinfo/ale
>                 See JOBS, ANNOUNCE and SCHOOLS lists at
>                 http://mail.ale.org/mailman/listinfo
>         
>         
>         -- 
>         James Sumners
>         http://james.roomfullofmirrors.com/
>         
>         "All governments suffer a recurring problem: Power attracts
>         pathological personalities. It is not that power corrupts but
>         that it is magnetic to the corruptible. Such people have a
>         tendency to become drunk on violence, a condition to which
>         they are quickly addicted."
>         
>         Missionaria Protectiva, Text QIV (decto)
>         CH:D 59
>         
>         
> 
> 
> 
> -- 
> Wolf Halton
> This Apt Has Super Cow Powers - http://sourcefreedom.com
> Open-Source Software in Libraries - http://FOSS4Lib.org
> Advancing Libraries Together - http://LYRASIS.org
> Apache Open Office Developer wolfhalton at apache.org
> 
> 
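An added example, not code from anyone in this thread: a small audit that reads a private key file's text and reports whether it carries a passphrase at all, which is the property Scott's point about offline brute forcing turns on. The openssh-key-v1 header fields (ciphername, kdfname) and the legacy PEM Proc-Type/DEK-Info headers are the real on-disk formats; the sample keys below are constructed header-only blobs with no key material, and a real audit would feed the function the files under ~/.ssh.

```python
import base64
import struct
OPENSSH_MAGIC = b"openssh-key-v1\x00"  # leading bytes of the openssh-key-v1 blob

def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_protection(key_text: str) -> dict:
    """Report whether (and how) a private key file's text is passphrase-protected."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-framed private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New format: ciphername and kdfname follow the magic string; "none" means no passphrase.
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(body, off)
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none"}
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by headers before the base64 body.
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:
            break
        name, value = ln.split(":", 1)
        headers[name.strip()] = value.strip()
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    dek = headers.get("DEK-Info", "")
    return {"format": "pem", "cipher": dek.split(",")[0] if dek else "none",
            "kdf": "openssl-legacy" if encrypted else "none", "encrypted": encrypted}

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: only the header fields a scanner reads, no real key material."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples (not real keys): what ssh-keygen -N "" writes vs. a passphrase-protected key.
UNPROTECTED = _fake_openssh_key(b"none", b"none")
PROTECTED = _fake_openssh_key(b"aes256-ctr", b"bcrypt")
LEGACY_PROTECTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                    "-----END RSA PRIVATE KEY-----\n")
```

A key the report shows with cipher "none" is the case the thread warns about; `ssh-keygen -p -f <keyfile>` adds a passphrase to an existing key in place.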
