On Sat, 18 Nov 2000, Charles Curley wrote:
> On Sat, Nov 18, 2000 at 02:08:00PM +1100, Jeff Turner wrote:
> > Hi,
> >
> > I have a policy question that's been generating fierce debate at our
> > company (a web design shop with relatively light security requirements)
> >
> > Is the ability for users to set up "auto-login" (dispensing with
> > passwords) bad? Let's say a user has added their home machine's public
> > key to the server's ~/.ssh/authorized_keys. Let's further assume that they
> > did not type a passphrase when creating their private key.
> >
> > From the sysadmin's point of view:
> >
> > Auto-login means that if any user's machine is compromised, the attacker
> > has an account on the server too! The ssh auto-login feature allows
> > users to create "webs of trust" completely outside the control of the
> > sysadmin. It removes the password barrier between systems, and allows
> > breakins to quickly propagate between systems. As such it is harmful and
> > wrong, and should be switched off by default.
> >
> > A counterargument:
> >
> > In a properly configured system, it shouldn't *matter* if a user has
> > malicious intentions, because they shouldn't be able to do harm anyway.
> > Regular users make mistakes. They write their passwords on sticky labels
> > on their monitor. Consequently one can *never* trust users not to harm the
> > system. Now, ssh auto-login is just another potential way for a user to
> > turn malicious, but to a properly configured system, a user's intentions
> > are irrelevant. Furthermore, disabling ssh auto-login gives a false sense
> > of security. At a *policy* level there is nothing wrong with auto-login.
>
> Well, I can tell that none of your gang has ever worked in a military
> contractor shop. The response there would be to make the users as harmless
> and impotent as possible, and still require both the public key and
> password to log in.

So I gather the default ssh configuration is not acceptable in such
situations. However as it is the default, I assume in most situations
password-less login is acceptable.

>
> And woe betide any employee caught with a password on a postit note on
> his/her/its monitor. That is a potential criminal offense.

Never underestimate the stupidity of users ;) If I were in charge of a
super-secure military installation, I would follow this maxim:

"It is insufficient to protect ourselves with laws; we need to protect
ourselves with mathematics."
--Bruce Schneier, "Applied Cryptography"

Hence I wouldn't place ANY trust in users keeping passwords secret, even
if it was a criminal offence. Everything then rests on the security of the
system itself.

If you're with me so far, apply the logic in reverse: we cannot trust
users anyway, so we're indifferent to whether users set passphrase-less
keyfiles.

Pity the real world isn't that neat..

--Jeff

>
> --
>
> -- C^2
>
> No windows were crashed in the making of this email.
>
> Looking for fine software and/or web pages?
> http://w3.trib.com/~ccurley
>