[ale] Holy cow! Published in Slashdot!!

Tim Watts tim at cliftonfarm.org
Wed Jan 2 21:18:34 EST 2013


Isn't the whole asymmetric key security paradigm predicated on keeping
the private key, ya know, private?  Lose that part and the jig is up.


On Wed, 2013-01-02 at 20:41 -0500, Scott Plante wrote:
> I think it might be hard, in my case anyway, to eliminate all the log
> files, /etc/hosts entries, .ssh/config entries, and other locations
> where good guesses on where to try hacked ssh keys. 
> 
> 
> By the way, to answer my own question, it appears that you only need
> the private key half to brute force a ssh key, and this project
> (possibly among others?) will do it. 
> http://www.leidecker.info/projects/phrasendrescher/index.shtml
> Therefore, there is no advantage to obfuscating your public keys or
> separating them from your private keys.
> 
> 
> Scott
> 
> ______________________________________________________________________
> From: "Wolf Halton" <wolf.halton at gmail.com>
> To: "Atlanta Linux Enthusiasts" <ale at ale.org>
> Sent: Monday, December 31, 2012 7:45:18 PM
> Subject: Re: [ale] Holy cow! Published in Slashdot!!
> 
> If you remove the human-readable user at server-example.com from the end
> of the keys in authorized_keys and maybe edit your history on the
> sending server, how will they know where to go, even if they are
> sitting at the console of your not-publicly-accessible workstation?
> 
> 
> I think authorized keys is the lesser evil.  I also shell in through a
> vpn tunnel to most of my servers, so unless they know my keyring
> password, they cannot access any machines anyway.
> 
> 
> 
> On Fri, Dec 28, 2012 at 11:37 AM, Scott Plante
> <splante at insightsys.com> wrote:
>         Presumably you're using ssh-agent & ssh-add, not just creating
>         keys without passphrases. Other than for some very limited
>         accounts designed for cron tasks, I can't see a good reason
>         for having ssh keys without a good passphrase. Then, even if
>         your box gets compromised the keys can't be used without the
>         passphrase (but you don't have to type it for each individual
>         ssh command either!) I used ssh for years before bothering to
>         learn how to set up ssh-agent/ssh-add. It's definitely made
>         life easier. Since you don't have to type it as often, you can
>         make a longer, more complex passphrase. I'd hate to type 16
>         characters for every ssh/scp I have to do!
>         
>         
>         Of course, once you have access to the public and private
>         keys, the passphrase could be brute forced without connecting
>         to the remote system, correct? In that sense, a passphrase is
>         less secure than a password you use to connect to a remote
>         system, as the remote system can detect incorrect guesses and
>         lock the account. Does it make sense to keep your public keys
>         separate from and not easily associated with your private
>         keys, just in case your box does need get hacked? Do you need
>         the public key to brute force the passphrase on a private key?
>         
>         
>         Congrats, Charles!
>         
>         
>         Scott
>         
>         
>         ______________________________________________________________
>         From: "James Sumners" <james.sumners at gmail.com>
>         To: "Atlanta Linux Enthusiasts" <ale at ale.org>
>         Sent: Thursday, December 27, 2012 2:27:27 PM
>         Subject: Re: [ale] Holy cow! Published in Slashdot!!
>         
>         
>         Hell with that. I create a new key for each system and add an
>         entry to my ~/.ssh/config to use it. Thus, I use a unique key
>         for each system and forget all about using a password to
>         connect. 
>         
>         On Thursday, December 27, 2012, Michael B. Trausch wrote:
>                 On 12/27/2012 09:18 AM, Charles Shapiro wrote:
>                 > A lifelong ambition is fulfilled... I make
>                 Slashdot's front page (
>                 >
>                 http://yro.slashdot.org/story/12/12/26/1459248/lax-ssh-key-management-a-big-problem
>                 > ) !!
>                 >
>                 > charlesTheLurker is me... I reckon it's time to
>                 update the ol' resume.
>                 
>                 Awesome!  :-)
>                 
>                 Some of the comments on that article from people that
>                 claim to be in the
>                 field are a bit disturbing, though...
>                 
>                 Brings up an interesting point.  Moving away from
>                 passwords to cached
>                 private keys is something that most people _do_ see as
>                 lesser security,
>                 despite the fact that when properly managed it
>                 provides far better
>                 security.  I wonder how it is we're supposed to combat
>                 that problem.
>                 Education doesn't work; a lot of people's eyes glaze
>                 over if you try to
>                 explain to them how it provides superior security.
>                 
>                         --- Mike
>                 
>                 _______________________________________________
>                 Ale mailing list
>                 Ale at ale.org
>                 http://mail.ale.org/mailman/listinfo/ale
>                 See JOBS, ANNOUNCE and SCHOOLS lists at
>                 http://mail.ale.org/mailman/listinfo
>         
>         
>         -- 
>         James Sumners
>         http://james.roomfullofmirrors.com/
>         
>         "All governments suffer a recurring problem: Power attracts
>         pathological personalities. It is not that power corrupts but
>         that it is magnetic to the corruptible. Such people have a
>         tendency to become drunk on violence, a condition to which
>         they are quickly addicted."
>         
>         Missionaria Protectiva, Text QIV (decto)
>         CH:D 59
>         
>         
>         
>         
>         
>         
> 
> 
> 
> -- 
> Wolf Halton
> This Apt Has Super Cow Powers - http://sourcefreedom.com
> Open-Source Software in Libraries - http://FOSS4Lib.org
> Advancing Libraries Together - http://LYRASIS.org
> Apache Open Office Developer wolfhalton at apache.org
> 
> 
> 
> 
> 
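The thread turns on whether a private key file is actually passphrase-protected, since an unprotected key on a compromised box is usable immediately and a protected one still faces offline guessing. As an added example (not code from the thread or from OpenSSH), the following audit check classifies a key file as plaintext or encrypted without decrypting anything: the legacy PEM format marks encryption with a `Proc-Type: 4,ENCRYPTED` header, and the `openssh-key-v1` container records the cipher and KDF names right after its magic string (per OpenSSH's documented key layout). The key files below are constructed stand-ins that contain only the structure the check reads, not real key material.

```python
import base64
import re
import struct

# Constructed sample key files (not real key material); only headers matter here.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b  # SSH wire string: uint32 length + bytes

def _new_format(cipher, kdf):
    # openssh-key-v1 container prefix: magic, ciphername, kdfname, kdfoptions, nkeys.
    # Constructed here; the real file continues with public/private key sections.
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    body = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "\n-----END OPENSSH PRIVATE KEY-----\n"

NEW_ENCRYPTED = _new_format(b"aes256-ctr", b"bcrypt")  # what ssh-keygen writes with a passphrase
NEW_PLAIN = _new_format(b"none", b"none")              # what it writes with an empty passphrase

def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(text):
    """Return ('encrypted'|'plaintext'|'unknown', detail) for one private key file's text."""
    m = re.search(r"-----BEGIN OPENSSH PRIVATE KEY-----\s*(.*?)\s*-----END", text, re.S)
    if m:
        blob = base64.b64decode("".join(m.group(1).split()))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return ("unknown", "bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        detail = f"cipher={cipher.decode()} kdf={kdf.decode()}"
        return ("plaintext" if cipher == b"none" else "encrypted", detail)
    if re.search(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", text):
        if re.search(r"^Proc-Type: 4,ENCRYPTED", text, re.M):
            return ("encrypted", "legacy PEM with DEK-Info header")
        return ("plaintext", "legacy PEM without Proc-Type header")
    return ("unknown", "not an OpenSSH private key")
```

Run this over each file in `~/.ssh` that has no `.pub` suffix to list keys that would be immediately usable from a stolen home directory; the check reads only the headers and never needs the matching public key.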
