[Triumf-linux-managers] FYI, SSH dictionary attacks ramping up
Andrew Daviel
advax at triumf.ca
Tue Dec 8 17:44:52 PST 2009
On Tue, 8 Dec 2009, Konstantin Olchanski wrote:
> If I permit root logins with ssh keys, root's security
> becomes an honor system because there is no way to enforce
> or even check that root's authorized_keys are passworded (never
> mind checking that they have strong passwords).
>
> If users use non-passworded ssh keys to get into root,
> root security is reduced to the security of the user account (read: none).
I believe CERN follow that principle.
I happen to disagree.
SSH passphrases are more resistant to rootkitted sshd and keyloggers than
passwords (possibly because the filter is set up to look for
"password: ", but also because an attacker needs to steal the private
key, too). Anything totally reliant on a human typing characters on a
keyboard is at risk to keyloggers - not so uncommon in Windows malware -
or other surveillance such as cameras or audio analysis.
The SSH key scheme can support multiple keys per account, together with
source address filtering. This allows root access to be audited to a
particular individual, rather than just one of a number of people who
might know the password, and also to be limited to certain trusted
machines or domains. This makes it, IMO, much more secure than a
password.
I don't deny that setting up a trust relationship between a weakly
protected machine and a strongly protected machine is dangerous, and
should be discouraged (passwordless login from a laptop from any network,
and then having it stolen). But so is using a password that seems strong but
is known to hackers, like "m4r1b0r0"
(passwordless keys used for e.g. backup should be locked down e.g.
command="/usr/bin/blah",from="foo.triumf.ca",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ...
so that they won't work from the wrong host and won't allow shell login)
Disabling root SSH login entirely (keys, too) and forcing users to login
as themselves then use "su" would get the audit benefit, though still
exposing some risk to keyloggers.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
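The post's point that a passwordless key can be "locked down" with `command=`, `from=` and the `no-*` options is something a server administrator can actually check, unlike the passphrase on a private key that lives on someone else's laptop. The script below is an added example, not code from the list or from the author; it parses `authorized_keys` lines (quoted option values, key type, key data, comment) and reports root keys that lack the restrictions mentioned in the post. The sample entries are constructed for the example; the key data is not real. It treats the OpenSSH `restrict` option as equivalent to the four `no-*` options, which is how OpenSSH 7.2 and later defines it.

```python
import re

# Key types accepted by OpenSSH, with optional certificate suffix.
KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+)"
    r"(-cert-v01@openssh\.com)?$"
)

# Options a passwordless, single-purpose key should carry (from the post).
NO_OPTIONS = ("no-port-forwarding", "no-agent-forwarding",
              "no-X11-forwarding", "no-pty")

# Constructed sample authorized_keys content; key data is NOT real.
SAMPLE = """\
# root's authorized_keys (constructed sample)
command="/usr/bin/blah",from="foo.triumf.ca",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataNotReal0000000000000 backup@foo
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexamplekeydatanotreal admin@laptop
restrict,from="*.triumf.ca" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherExampleKeyNotReal00000000 ops@bar
"""


def first_field(s):
    """Split off the first whitespace-delimited field, honouring double quotes."""
    in_quote = False
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and in_quote:      # escaped character inside quotes
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return s[:i], s[i:].lstrip()


def split_options(opts):
    """Split the comma-separated option list; commas inside quotes do not split."""
    result, cur, in_quote = [], [], False
    i = 0
    while i < len(opts):
        c = opts[i]
        if c == "\\" and in_quote and i + 1 < len(opts):
            cur.append(opts[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            result.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if cur:
        result.append("".join(cur))
    return result


def parse_line(line):
    """Return a dict for one authorized_keys entry, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    field, rest = first_field(line)
    options = {}
    if not KEY_TYPE_RE.match(field):        # leading field is the option list
        for opt in split_options(field):
            name, _, value = opt.partition("=")
            options[name.strip()] = value.strip('"') if value else True
        field, rest = first_field(rest)
    if not KEY_TYPE_RE.match(field):
        raise ValueError("malformed authorized_keys line: %r" % line)
    keydata, _, comment = rest.partition(" ")
    return {"type": field, "key": keydata, "comment": comment.strip(),
            "options": options}


def audit(entry):
    """List the lock-down options missing from one entry."""
    opts = entry["options"]
    findings = []
    if "from" not in opts:
        findings.append("no from= source restriction")
    if "command" not in opts:
        findings.append("interactive shell allowed (no command=)")
    if "restrict" not in opts:
        for o in NO_OPTIONS:
            if o not in opts:
                findings.append("missing " + o)
    return findings


def audit_file(text):
    """Parse every entry in an authorized_keys file and attach its findings."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entry["findings"] = audit(entry)
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in audit_file(SAMPLE):
        status = "OK" if not e["findings"] else "; ".join(e["findings"])
        print("%-14s %s" % (e["comment"], status))
```

Run against `/root/.ssh/authorized_keys` instead of `SAMPLE` on each host to get the per-key audit the post argues for: the first sample key passes, the bare laptop key fails every check, and the `restrict` key only lacks a forced command.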