[kwlug-disc] Curious about SSH Key security
liberosec at yahoo.ca
Tue Jul 27 12:14:14 EDT 2010
John's comments are excellent. I'll just add a couple of ideas.
There are three ways of authenticating a person:
- With "something you know", like a password
- With "something you have", like a key or card
- With "something you are", like any biometric (fingerprint etc) or a photo ID in "real-life"
Two-factor authentication is when you need two of the above to authenticate (like at the ABM with card + PIN), and it is way more secure than using one method alone.
SSH keys with passwords or a certificate are also two-factor authentication.
The only downside of the (SSH) keys is managing them. For many users accessing a server, managing their keys can take up time, but if it's just my server (or just me and a couple other people) SSH keys are the way to go.
I'm also a big fan of port-knocking, you just need 4 iptables rules or so: http://bliki.rimuhosting.com/space/knowledgebase/Security/Port+Knocking (note that in this code you don't need the rule for port 31599) and the service is not even open most of the time.
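An added example, not from this post or from anyone in the thread: a small audit script for the two points made above and in John's reply below (password login disabled on the server; the private key passphrase-protected and owner-only on the workstation). It assumes OpenSSH's sshd_config and private-key file formats, and the sample files it checks are constructed for the demo.

```sh
#!/bin/sh
# Audit helpers for "keys exclusively over passwords" plus "protect the
# private key file". Assumes OpenSSH formats; samples below are constructed.

# Effective PasswordAuthentication: the first uncommented directive wins,
# and OpenSSH defaults to "yes" when the directive is absent entirely.
sshd_password_auth() {
  awk 'tolower($1) == "passwordauthentication" { print tolower($2); f = 1; exit }
       END { if (!f) print "yes" }' "$1"
}

# Is the private key passphrase-protected?  Legacy PEM keys carry a
# "Proc-Type: 4,ENCRYPTED" header when encrypted; the OpenSSH v1 container
# starts with the magic "openssh-key-v1\0" followed by the cipher name, and
# a cipher of "none" means the key sits on disk unprotected.
key_is_protected() {
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo yes; return; fi
  if head -n 1 "$1" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
    # base64("openssh-key-v1\0" + uint32(4) + "none")
    if sed -n '2p' "$1" | grep -q '^b3BlbnNzaC1rZXktdjEAAAAABG5vbmU'; then
      echo no; else echo yes; fi
  else
    echo no   # PEM key without Proc-Type header: not encrypted
  fi
}

# Key file mode must be owner-only (600 or 400); ssh itself refuses looser.
key_mode_ok() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  case "$mode" in 600|400) echo yes ;; *) echo no ;; esac
}

# --- constructed sample files -------------------------------------------
tmp=$(mktemp -d)
printf '%s\n' '# PasswordAuthentication yes' 'PubkeyAuthentication yes' \
  'PasswordAuthentication no' > "$tmp/sshd_config.good"
printf '%s\n' 'PubkeyAuthentication yes' > "$tmp/sshd_config.default"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
  'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB' \
  '-----END OPENSSH PRIVATE KEY-----' > "$tmp/id_plain"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
  'b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAA' \
  '-----END OPENSSH PRIVATE KEY-----' > "$tmp/id_enc"
chmod 644 "$tmp/id_plain"; chmod 600 "$tmp/id_enc"

for f in sshd_config.good sshd_config.default; do
  echo "$f: PasswordAuthentication=$(sshd_password_auth "$tmp/$f")"
done
for k in id_plain id_enc; do
  echo "$k: passphrase=$(key_is_protected "$tmp/$k") mode_ok=$(key_mode_ok "$tmp/$k")"
done
```

The sample `id_plain` is what a key generated with an empty passphrase looks like on disk, and it is also world-readable, so both findings would be flagged on a real workstation.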
--- On Mon, 7/26/10, John Van Ostrand <john at netdirect.ca> wrote:
> From: John Van Ostrand <john at netdirect.ca>
> Subject: Re: [kwlug-disc] Curious about SSH Key security
> To: "KWLUG discussion" <kwlug-disc at kwlug.org>
> Received: Monday, July 26, 2010, 12:02 PM
> ----- Original Message -----
> > --- On Sat, 7/24/10, John Van Ostrand <john at netdirect.ca>
> > > > Security traditionally should depend.
> > >
> > > Not traditionally, but optimally it should.
> > That's what I meant: In my mind "should" was translated to optimally.
> > i.e. That's what should be even if it's not what it
> > > Keep /etc/secure permissions locked down and set up sudo on
> > > the remote server to only allow running the
> > > script. You could even investigate the use of
> > > shell for the backup user to further prevent
> > OK, so I am still under the same original impression. There are ways
> > to secure it in the workstations but if it's not done then they are
> > still a weak link.
> > So, people should know that using keys in and of itself is not more
> > secure. It is only more secure and convenient when they are properly
> > secured.
> > Is that last statement correct?
> I think your statement is generally true but it needs to be
> put in the proper context. The context of the thread that I
> presume spawned this thread was about brute force attacks.
> The use of keys "exclusively" over passwords for SSH *is*
> more secure. For that to be true one has to disable password
> authentication. The next step is securing the private key,
> which is important to prevent casual snoopers from
> discovering the key.
> So in better terms: "The use of keys exclusively over
> passwords for SSH and taking proper steps to protecting the
> private key file is a very secure way of using SSH."
> Keys are essentially more complex passwords which guard
> well against brute force password guessing attacks. The
> downside of complexity is that they cannot be remembered and
> so must be stored electronically for practical use.
> Electronic storage invites the possibility of a hacker
> discovering the key without your knowledge. So unless the
> stored version of the key is itself protected, it opens
> the possibility to easy discovery. If the key is protected
> by a weak password then it may also be susceptible.
> When comparing keys to passwords keep in mind the other
> flaws in passwords. Not only can they be easily guessable,
> but some people write them down, don't change them for years
> and can sometimes be easily convinced to give them up to
> strangers (phishing, social engineering). Passwords can be
> made more secure by enforcing policy, to promote complexity
> and limit reuse, but I've always found these to cause people
> to write down passwords more often. How many passwords are
> weakly stored in your Firefox or keychain?
> Also keep in mind that if a hacker has control of your
> workstation then there is little (s)he can't do to overcome
> just about any conventional security.
> John Van Ostrand
> CTO, co-CEO
> Net Direct Inc.
> 564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6
> Ph: 866-883-1172 x5102
> Fx: 519-883-8533
> Linux Solutions / IBM Hardware