Passing password in ssh

John Summerfield debian at herakles.homelinux.org
Thu Jan 24 01:07:18 UTC 2008


Aldo Foot wrote:
> 2008/1/22 Mikkel L. Ellertson <mikkel at infinity-ltd.com>:
> 
>> Aldo Foot wrote:
>>> Well, the scenario I described actually happened years ago to someone I
>>> knew.
>>> If I create keys without a passphrase, and share the public keys between
>>> two systems (A and B), then from system A I can log to system B by
>>> simply saying "ssh user at B". This is very convenient for cron jobs.
>>>
>>> This is particularly risky when the systems are accessed by the general
>>> public.
>>> How does someone find out the username? I don't know... company
>>> phonebook,
>>> online profiles listing first/last name, etc.
>>>
>> You do know that you first have to get the private key of the key
>> pair, right? So you have to crack user at A's account, at least to the
>> point of getting the private key. Remember, the key will not work
>> unless it is only readable by the user. The .ssh directory also
>> needs to be set this way. So just being able to log into machine A
>> is not enough. You also need access to the private key.
>>
> 
> You are correct. My worst nightmare does not include stealing the private
> key. But simply cracking into a user's account who has access to several
> systems containing the keys.
> 
> Worst scenario is when someone breaks into a system, gains root access
> and does "su - user" to such an account and, by looking into the .shosts, tries
> his luck on other systems.
> 
> 
>> But even having a pass phrase does not help if someone uses dumb
>> passwords. Things like first name as user name, and last name as
>> password. Then they use their full name as the pass phrase on the
>> key. Or if machine B lets you ssh in using username/password, and
>> you have a user like this. The key is to use the tools responsibly.
> 
> 
> Bingo!  There lies my problem.
> 
> Perhaps a good practice is to configure accounts such as those for
> cron jobs to use only specific commands.
> Does anyone reading this thread use such a setup?
> I'll play with this a bit.

cron jobs are created either by your vendor (Fedora in this case), or by 
users with access to accounts on the system.

If you use decent passwords, exercise due care with invited content 
(email, www etc & especially software[1] you install/allow to be 
installed) and secure your servers[2], I don't think you have a lot to deal with.

If you're trying to protect high-value assets, it's best to hire an expert 
with the skills needed; it's pretty clear you don't have them.


[1] I'm very picky. Most stuff from the FOSS world I trust; it will 
quickly get a bad name if it contains malware. I mostly avoid Acrobat & 
Flash (the latter's main use seems to be adware, and there are serious 
security concerns), and absolutely shun toys such as Google Desktop etc.

[2] I run ssh, and I allow five connexions/hour globally (not per source 
IP) from parts of the world I don't expect connexions from; it covers me 
for the case I've been too strict. I don't think anyone's going to 
succeed with even a weak password without a fair bit of luck. I don't 
think my password's weak.


-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
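The setup Aldo asks about above (a cron account whose key can only run specific commands) is what OpenSSH's forced-command option in authorized_keys is for. The wrapper below is an added example for this thread, not code posted by anyone in it; the wrapper path, the allowlisted commands, the key and the source address are all assumptions for the sake of illustration. On system B the cron key's authorized_keys line is prefixed with command="...",no-pty,... so that sshd ignores whatever the client requested, runs the wrapper instead, and hands the client's request over in $SSH_ORIGINAL_COMMAND. A stolen, passphrase-less key is then worth one or two fixed commands rather than a shell.

```shell
#!/bin/sh
# Forced-command wrapper for a passphrase-less cron key (added example, not
# from the thread). Installed on system B and referenced from the cron key's
# line in ~/.ssh/authorized_keys, for example:
#   command="/usr/local/bin/cron-wrapper",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... cron@A
# (OpenSSH 7.2 and later accept the single option "restrict" for that bundle.)
# sshd runs this wrapper whatever the client asked for and exposes the client's
# request in $SSH_ORIGINAL_COMMAND. All paths and commands here are assumed.

WRAPPER=/usr/local/bin/cron-wrapper

# One exact command string per line. Matching is exact, not prefix or glob,
# so "rotate-logs; id" or a different rsync destination is refused.
ALLOWED_CMDS='/usr/bin/rsync --server --sender -logDtpre.iLsfxC . /srv/backup/
/usr/local/bin/rotate-logs'

# Returns 0 if "$1" is exactly one of the allowlisted lines, 1 otherwise.
allowed_command() {
    req=$1
    [ -n "$req" ] || return 1
    printf '%s\n' "$ALLOWED_CMDS" | {
        while IFS= read -r line; do
            [ "$req" = "$line" ] && exit 0
        done
        exit 1
    }
}

# Prints the authorized_keys line that pins public key "$1" (type, base64 and
# comment) to this wrapper, and to a source address when "$2" is given.
authorized_keys_line() {
    opts="command=\"$WRAPPER\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
    [ -n "${2:-}" ] && opts="$opts,from=\"$2\""
    printf '%s %s\n' "$opts" "$1"
}

# Dispatch: exec the requested command if allowed, otherwise refuse and log.
dispatch() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if allowed_command "$req"; then
        set -f                  # no globbing while the string is re-split
        # shellcheck disable=SC2086
        exec $req
    fi
    printf 'cron-wrapper: refused command from %s: %s\n' \
        "${SSH_CLIENT%% *}" "$req" >&2
    exit 255
}

# Under sshd the variable is set; run by hand, print the line you would
# install (constructed, not a real key) and exercise the check instead.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    dispatch
else
    authorized_keys_line 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey cron@A' 10.0.0.5
    for c in '/usr/local/bin/rotate-logs' '/usr/local/bin/rotate-logs; id' 'bash -i'; do
        if allowed_command "$c"; then echo "allow: $c"; else echo "deny:  $c"; fi
    done
fi
```

Two practical notes. The exact rsync server string depends on the client's rsync version and options, so the easiest way to fill the allowlist is to install the wrapper with an empty list, run the cron job once, and copy the refused command out of the log. And the wrapper only protects against misuse of the key; it does nothing for the case Aldo describes where the attacker already has root on system A, except that root's "su - user; ssh B" now also gets just the listed commands rather than a shell on B.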
