[ale] any suggestions on an automated method for blocking repeated failed ssh login attempts?

Michael H. Warfield mhw at WittsEnd.com
Tue Dec 28 11:03:11 EST 2010


On Tue, 2010-12-28 at 09:17 -0500, Geoffrey Myers wrote:
> Michael H. Warfield wrote:
> 
> > What you have just described, to me, screams "smart keys".  Putty,
> > Absolute telnet, et al ssh clients support these things and this is the
> > only really effective way to deal with this.  The keys are on a USB
> > smart-key (NOT a USB memory key or SSD) or a smart card w/ reader and
> > you don't need to worry about this.  They CANNOT screw it up.  They have
> > to enter a PIN and get it right.  No intruder, NO INTRUDER, can extract
> > that private key.  The gov has these keys now.  I forget the acronym but
> > it's something like UAC (Universal Access Control) or some such.  This
> > is a solved problem and ssh works with it very well.  I have keys on my
> > Aladden smart key for ssh access.  You would have to steal the key and
> > beat the PIN out of me (3 failures locks the key and requires a security
> > officer key to reactivate).

> This is some good stuff. :)  So, can you define 'usb smart key?'

That generally refers to a USB device that looks like a SmartCard and
USB SmartCard reader combo.  The Aladdin USB keys are one example.  The
OpenPGP USB keys mentioned in another thread are another example.
SmartCards, in general, are credit-card sized cards with a roundish set
of pads that are electrical contacts for the smart-chip.  A smaller
version (that's often a punch-out from the credit card size) is used for
the GSM phones.  These all need a specialized SmartCard reader to plug
into a computer.  They are not memory cards you can stick into a memory
card reader.  The USB style is a USB key that incorporates the reader
and the SmartCard chip into a USB key.

More specifically I'm referring to a crypto key with an onboard RSA /
AES crypto engine.  SmartCards can be memory cards (like a simple flash
key except you can require PINS and make certain cells read-only and
assign attributes and permissions), can be Java cards (actually contains
a Java interpreter and runs Java applets), or can be crypto cards, with
cryptographic hardware on them.  Some (but not all) crypto cards are
also Java cards and the crypto engine may itself be a Java process on
the card.

These cards (the crypto cards) will generally mention a PKCS11 interface
for the cryptographic functions.  The IronKey USB keys appear to be such
(they claim a PKCS11 interface for some models) but I can't confirm it
from their specs or how many keys are stored in the crypto engine on the
keys.  The way they phrase some of their features still leads me to have
some doubt or that the keystore is very VERY limited.

Crypto keys tend to be expensive with or without the memory key
functionality.

The keystore is separate from the memory store, if the crypto key
includes USB flash memory like the IronKey units.  They tend to be
expensive, even for the crypto-only keys.  The crypto keystore also
tends to be very limited in capacity, generally 32KB (yes, that K!) or
64KB even when the memory store is several GB.  So you only store the
private keys on them and you can generate crypto keys on the engine
itself that can never be read from the key, only used by the key.  It
then gives you the public key for the private key it holds.  This is
secure, but there's no way to back those keys up.  Some of us prefer to
generate the keys in a secure manner and then load one or more keys with
the private key and then destroy (or escrow) the private key in a very
secure manner.

Generally, you set the private keys to be crypto-engine-only (no read
but may be overwritten) so that only the RSA engine can access them to
perform the crypto operations.  To sign something or decrypt something,
you actually send the data block to the key and it returns the
verified/decrypted data.

Another example of a SmartCard like device that is present in many of
our laptops is the TPM (Trusted Processing Module) chip.  Under Linux,
this is managed by the Trousers package and utilities and includes a
PKCS11 interface.  You can store RSA keys for various things in the TPM
module using Trousers along with the Mozilla NSS subsystem.  Some people
don't like enabling the TPM module out of objection to it's original
stated purposes of enabling hardware DRM and system tracking but nobody
has deployed any TPM based hardware DRM to date and why waste a
perfectly good RSA crypto engine already present in your system?

> -- 
> Until later, Geoffrey
> 
> "I predict future happiness for America if they can prevent
> the government from wasting the labors of the people under
> the pretense of taking care of them."
> - Thomas Jefferson

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20101228/b7d569e8/attachment.bin 


More information about the Ale mailing list