The disadvantage of ssh keys was made clear to us recently when a machine in a different University was root compromised. The attackers stole all the ssh keys they could find, and briefly obtained access to my systems via the account of a former student.

Should you allow ssh key access from machines you have no control over?

Something to ponder,

Rhys

On Thu, 2 Oct 2008, Robert E. Blair wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Another alternative is to turn off password authentication and allow
only public key.  This way the brute forcers can guess all they want and
never get lucky.  If you need a "card" you can always put your encrypted
private key / public key pair on a thumb drive which is a very low cost
option that fits on your keychain.  I believe this approach is
reasonably platform independent (but I don't use Windows so I do not
speak with authority on this).

Cheers,
Bob Blair


Brett Viren wrote:
Faye Gibbins <[EMAIL PROTECTED]> writes:

Dr Andrew C Aitchison wrote:

ssh-agent means that although the ssh keys aren't stored on disk
they *are* held in memory much of the time. Given that many laptops
are suspended and rarely rebooted, do you have a way of ensuring
that the machine regularly reconfirms the user's identity ?

Kerberosized ssh.

Another, somewhat arcane, option is to use OpenPGP smart cards along
with GnuPG's gpg-agent.  The keys remain on the card and the card does
the PGP authentication.  Take the card out of the reader and no
subsequent authentication can be done.

I've evaluated this method and it does work but requires some amount
of effort to set up.  As far as I know there is only one supplier[1].
I also don't expect it to work on non-Linux platforms.  But, besides
all these negatives, it is a nice solution that also gives the user
the usual benefits of PGP.


-Brett.

[1] http://www.g10code.com/p-card.html

- --
Robert E. Blair, Room E277, Building 362
Argonne National Laboratory (High Energy Physics Division)
9700 South Cass Avenue, Argonne, IL 60439, USA
Phone: (630)-252-7545  FAX: (630)-252-5782
GnuPG Public Key: http://www.hep.anl.gov/reb/key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFI5NenOMIGC6x7/XQRAr+zAJ9mWyN9D06N49OiQEdwT1A1NMhA0ACgumk9
odDk4dw+dAWr0Q88RTmTGF4=
=1PEQ
-----END PGP SIGNATURE-----
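
The public-key-only setup suggested in the quoted message, as an added example that is not part of the original thread: a Python check that reads sshd_config text and reports any way a password-style login is still possible, including one re-enabled under a Match block. The function names and sample configs are constructed for illustration, and Include files are not followed.

```python
import re

# Defaults per sshd_config(5). ChallengeResponseAuthentication is the older
# name for KbdInteractiveAuthentication, which PAM can use to ask for passwords.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_LIKE = ("passwordauthentication", "kbdinteractiveauthentication")

def parse(text):
    """Split config text into global settings and settings under Match blocks."""
    global_cfg, match_cfg, in_match = {}, [], False
    for raw in text.splitlines():
        m = re.match(r"([A-Za-z]+)[ \t]*=?[ \t]*(.*)$", raw.strip())
        if not m:                       # blank line or "#" comment
            continue
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        args = m.group(2).split()
        value = args[0].lower() if args else ""
        if key == "match":
            in_match = True             # later lines apply only conditionally
        elif in_match:
            match_cfg.append((key, value))
        else:
            global_cfg.setdefault(key, value)   # sshd uses the first value seen
    return global_cfg, match_cfg

def audit(text):
    """Return findings; an empty list means no password-style login is enabled."""
    global_cfg, match_cfg = parse(text)
    effective = {**DEFAULTS, **global_cfg}
    findings = [f"{k} is '{effective[k]}' globally"
                for k in PASSWORD_LIKE if effective[k] != "no"]
    if effective["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is off, so key logins fail")
    findings += [f"Match block re-enables {k}"
                 for k, v in match_cfg if k in PASSWORD_LIKE and v != "no"]
    return findings

# Constructed sample configs (not taken from any real host).
SAMPLE_HARDENED = ("PubkeyAuthentication yes\nPasswordAuthentication no\n"
                   "ChallengeResponseAuthentication no\n")
SAMPLE_WEAK = "PasswordAuthentication yes\nPasswordAuthentication no\n"
SAMPLE_MATCH = SAMPLE_HARDENED + "Match Address 192.0.2.0/24\n  PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name in ("SAMPLE_HARDENED", "SAMPLE_WEAK", "SAMPLE_MATCH"):
        print(name, audit(globals()[name]))
```

On a live server, `sshd -T` prints the effective settings, which also covers Include files that this check does not follow.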
