On 10/19/2010 07:33 PM, Kacper Wysocki wrote:
> I've read great posts so far, especially the one about Abusing OSSEC
> was a clincher.

Thanks, I appreciate the feedback.

> Transferring the key in the clear really breaks the security of the system.

True.

> Suppose instead that you distribute some command ssh client through
> Bigfix (such as rsync for windows) along with a pre-generated ssh key.
>
> Then you could extract the client.key from the server directly, then
> delete the ssh key in the Bigfix script immediately after copy so that
> it's not stored on every client.
> After mass deployment one could even revoke the ssh key on the server.
>
> Disclaimer: I haven't tried this (yet) but I'd be interested in
> hearing about how it makes out.

It's an interesting idea, and one I have thought about myself. You have solved the problem of clear-text transmission, but you still have what amounts to pretty standard authentication. Get a copy of one SSH key and you have read access to all OSSEC keys.

I thought about having a copy of the keys parsed by a PHP script and served up by an SSL-protected web page. The script could parse the correct key based on the source IP of the host, while the web server could require a client certificate for authentication. At least that way you would have machine-level authentication and encryption, and each machine would only get its own key. This, too, is not without risks, but I think it covers the main areas of concern.

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
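
Added example, not part of the original message or of OSSEC: the per-host key selection described in the last paragraph, sketched in Python rather than PHP. It assumes the OSSEC `client.keys` layout of `<id> <name> <ip> <key>` per line, that the web server has already verified the client certificate, and that the certificate CN is issued to match the agent name; `select_key`, `parse_keys` and the sample data are hypothetical.

```python
import ipaddress

# Constructed sample in client.keys layout: "<id> <name> <ip> <key>".
SAMPLE_KEYS = """\
001 web01 192.0.2.10 aaaa1111constructedkey
002 db01 192.0.2.20 bbbb2222constructedkey
003 roaming any cccc3333constructedkey
004 lab 192.0.2.0/24 dddd4444constructedkey
"""

def parse_keys(text):
    """Yield (agent_id, name, ip, key) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield tuple(fields)

def select_key(text, source_ip, cert_cn):
    """Return the single client.keys line this host may receive, or None.

    source_ip: peer address as seen by the web server.
    cert_cn:   subject CN of the client certificate the TLS layer already
               verified (assumption: issued to match the agent name).
    """
    try:
        peer = ipaddress.ip_address(source_ip)
    except ValueError:
        return None
    matches = []
    for agent_id, name, ip, key in parse_keys(text):
        try:
            # Only exact host addresses qualify; "any" and CIDR entries
            # cannot be tied to one machine, so they are never served.
            if ipaddress.ip_address(ip) == peer:
                matches.append((agent_id, name, ip, key))
        except ValueError:
            continue
    if len(matches) != 1:
        return None  # no entry, or ambiguous duplicate addresses
    agent_id, name, ip, key = matches[0]
    if cert_cn != name:
        return None  # IP matched, but the certificate is another host's
    return f"{agent_id} {name} {ip} {key}"
```

Requiring both the source address and the certificate identity to agree means a spoofed or NATed address alone, or one stolen certificate alone, yields at most that one host's key rather than the whole file.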
