lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <45C9F72A.4070000@p6drad-teel.net>
Date: Wed, 07 Feb 2007 17:58:34 +0200
From: Siim Põder <windo@...rad-teel.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: (Psexec on *NIX)

Yo!

Stan Bubrouski wrote:
> On 2/2/07, Tyop? <tyoptyop@...il.com> wrote:
>> key-based login without passphrase is like eating cheese without
>> bred. useless (IMHO).
>>
> 
> Totally, if someone compromises the machine and gets root they get all
> your keys and without a passphrase... yeah no good.

If someone comprimises the machine and gets root your keys are very
likely to be compromised any way. Root can easilly trojan your or
ssh/ssh-agent and retrieve the keys.

Same goes for passwords (although they have to be picked one at a time).


Realistically, it is a pain to have all different passwords for all the
different boxes. You can remember maybe something like 25 or so
passwords if they are complex (if you do better then i'm happy for you)
so you could propably use that if you are managing that kind of number
of different boxes (or sets of similar boxes, if you use the same
password in some cases).

Also, with passwords you have to type them in when you log in to other
machines, so it's possible to lose the password if any host in the chain
is compromised - which is not the case for key auth and agent forwarding.

For key auth and agent forwarding, the issue is that your keys could be
used (not read) while your agent is forwarded.


Now, I presume that I can keep my computer from being compromised. If i
can't do that, I am fucked anyway. I keep the keys in my computer.

Next, I create two sets of private keys, one that I use for user
accounts "gateway hosts" (to get to the machines not directly
accessible) that I ssh-add to my ssh-agent and allow anyone to use.

The second key is used for accounts that I can get root with and I add
them with ssh-add -c so that I would be alerted every time their usage
is requested (SSH_ASKPASS). I forward the agent only to those gateway hosts.

The alert box pops up on my screen with default "Confirm" button
selected so I have to do an extra enter keypress for each logon. You
could require some sort of easy password be typed to the confirmation
box, so that some clever hacker couldn't monitor a remote session of
yours and make his login attempt exacly when you are about to press
enter anyway.


I think it's pretty solid and also comfortable, what do you think?

Siim Põder

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ