[Triumf-linux-managers] of SSH passwords and attacks

Andrew Daviel advax@triumf.ca
Wed, 29 Mar 2006 16:08:38 -0800 (PST)


Precis: Please disable root logins (using passwords) in SSH

During the last couple of years, TRIUMF (and doubtless everywhere else,
e.g. home PCs) has been the subject of SSH exhaustion attacks - guessing
passwords at random. They started off pretty slow - trying 4 accounts
such as "guest/guest" - but have got more aggressive.

I had initially thought such attacks futile, given the large password
space (>2e9 for a 6-character string) and the
limited rate of possible attempts compared to the "old days" when anyone
could read encrypted passwords from /etc/passwd.

That was before we got zapped a few times; most recently the root
password on ibm00 (qazwsxedc) was guessed, and another system was
configured as a paypal phishing server.

So, although we have a system to block connections from attacking
machines, we need to address this vulnerability. In particular,
root access over the net.

Some sites do things like block SSH entirely, move it to a non-standard
port, or disallow all root access. This would probably be too disruptive
for us.

However, it is strongly recommended that administrators disable password
login from offsite for root, and use public key login instead.

In /etc/ssh/sshd_config set
  PermitRootLogin without-password
and do "service sshd reload"

Then what? Root login will still work:
- from the console
- via "su"  (still vulnerable to keystroke logging in rootkits or on
  untrusted clients - home PC shared with teens etc.)
- using an SSH public key (easy to use once set up, with granular
  access control for multiple administrators)

See "man sshd_config",
http://andrew.triumf.ca/pssh/linux-ssh.html (Linux/Unix)
http://andrew.triumf.ca/keygen/ (Windows clients)

- it's probably a good idea to get SSH keys working before you disable
passwords, if working remotely ...
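As an added illustration of the sshd_config step above (this script is not part of the original mail and not TRIUMF's own tooling): sshd takes the first occurrence of a keyword in the global section, so appending "PermitRootLogin without-password" to the end of a file that already says "PermitRootLogin yes" changes nothing, and a line placed after a "Match" block silently becomes part of that block. The helper below replaces any existing global PermitRootLogin line in place (inserting one before the first Match block if none exists) and reports the value sshd would actually use. The sample config it rewrites is constructed for the demo; file names and function names are the example's own. The value "without-password" is the one the mail uses; OpenSSH 7.0 and later call it "prohibit-password" and keep "without-password" as an alias.

```shell
#!/bin/sh
# Added example: set PermitRootLogin the way sshd will actually honour it.
# Assumes a plain "Keyword value" sshd_config layout (the "Keyword=value"
# form and trailing comments are not handled).

# Print the effective value of KEYWORD as sshd reads it: first occurrence,
# case-insensitive keyword, comments and blank lines ignored, anything inside
# a Match block skipped (Match blocks run to the next Match or end of file).
effective_value() {  # effective_value FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Rewrite FILE so the global PermitRootLogin is VALUE. The first global
# occurrence is replaced, duplicates are dropped (so the first-wins rule
# cannot reinstate "yes"), and if there was none the directive is inserted
# before the first Match block, or appended when there is no Match block.
set_root_login() {  # set_root_login FILE VALUE
    tmp="$1.tmp.$$"
    awk -v val="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        tolower($1) == "match" {
            if (!done) { print "PermitRootLogin " val; done = 1 }
            inmatch = 1
        }
        !inmatch && tolower($1) == "permitrootlogin" {
            if (!done) { print "PermitRootLogin " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print "PermitRootLogin " val }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demo on a constructed config (not a real host's file): the global "yes"
# comes first, and a Match block further down must stay untouched.
demo() {
    f=$(mktemp)
    printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
        'Match User backup' '    PermitRootLogin no' > "$f"
    echo "before: $(effective_value "$f" PermitRootLogin)"
    set_root_login "$f" without-password
    echo "after:  $(effective_value "$f" PermitRootLogin)"
    cat "$f"
    rm -f "$f"
}
demo
```

Run it against a copy of /etc/ssh/sshd_config first, then check the real file with "sshd -t" (syntax check only, no restart) before "service sshd reload"; do this from a session that already has a working key, as the note above says, so a mistake does not lock you out.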

  ---

Bill Gates says "passwords don't cut it anymore" at the RSA conference
https://2006.rsaconference.com/us/conference/webcasts_listings.aspx
quoted in e.g.
http://www.huahintoday.net/index.php?action=show&type=news&id=721
(He also mentions the risks of working at elevated privilege just
because you need to install the odd program occasionally)

(an interesting, possibly humourous, comment from a cryptography
panellist in another webcast - "Write your passwords down. Your wallet is
more secure than your PC" )

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
security@triumf.ca