[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: security question

From: Noel Yap
Subject: RE: security question
Date: Mon, 16 Dec 2002 17:34:01 -0800 (PST)

--- "Zieg, Mark" <address@hidden> wrote:
> > Password-protected keys help protect them against
> > theft.  I would encourage everyone to use such
> keys. 
> > Or did I misunderstand your post?
> Are you talking about ssh-agent, or passphrase-based
> ssh keys, or an
> external layer of encryption on the keyfiles, or
> what?  Please be specific.

I previously posted saying that SSH keys should be
password-protected and that if they were, one can run
ssh-agent so that one needn't type in the password
each time, or type in the password for each use.

> ssh-agent, for instance, would be a bit more secure,
> as long as you're
> sitting down at the console of one SSH-equipped
> workstation, and don't mind
> taking a minute to systematically startup ssh-agent
> connections to each host
> with which you plan to communicate during that
> session.

In the past, I had set up my system to start up
ssh-agent upon first login.  It wasn't such a big

> My biggest problem with any of these approaches,
> besides the inconvenience,
> is they eliminate the opportunity for secure,
> automated batch processes.

I don't see how.  So long as there's an
already-running ssh-agent, a batch process can use it.
 True, if the machine were rebooted, there'd be no
automated way to recover, but hey, that's the price
for more security.

>  I
> have various cron jobs that fire off automatically,
> connect to different
> servers, do reports/extracts/whatever, and so on. 
> For that, AFAIK, you need
> to store your keys in the filesystem.

AFAIK, the keys need to be stored on the filesystem in
any SSH setup.  If you meant that the keys can't be
password-protected, like I said, just have ssh-agent
running in the background (then have your cron job
'ps' to get the ssh-agent PID).

> Correct me if I'm wrong, but as long as your private
> key is chmod 600, the
> only way it will be compromised is if your local
> workstation gets rooted.

Maybe.  One question I've had in the past is whether
keys should be backed up or not.  If they are, there's
now at least one copy of them.  I believe this
increases the chances (even minutely) of them falling
into the wrong hands.

In the end, if you haven't done a complete security
audit of the entire backup procedures, you can't trust
them to be secure.

> If that happens, ssh-agent itself can be quickly
> trojaned with a compromised
> copy that collects passwords.

This is one reason why I'd like trusted OS's (eg no
one user, including root, is all-powerful) to take off
faster but that's another topic.

>  Likewise, if you're
> just using
> passphrase-encrypted keys, ssh and cvs themselves
> are both compromised on a
> rooted what's the difference?  Or am I
> missing something?

If you're assuming that the only compromise possible
for keys is a root compromise then you are correct. 
How sure are you that that's the only compromise?

> Thanks...this is more interesting than listening in
> on pserver discussions
> :-)

I agree :-)


Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]