On Tue, Feb 02, 2010 at 09:06:09PM -0500, Edward Ned Harvey spake thusly:

> Why is it so common to jump to the conclusion that keys-only-ssh is
> more secure than passwords?

Because then you can't get in even if you have the password (but nothing else)?

> I somewhat or sometimes disagree with this. When you use ssh keys,
> it's a virtual certainty that the keys are stored on the client's
> disk ...

Yep.

> and a lot of users will not protect the key itself with a password
> or encryption.

I love ssh key auth but yes, this is a huge problem. I have been in shops where key auth was prohibited because they could never be sure if a user ever put a password on the key. And due to the way encryption works you cannot tell if the key is just entropy or encrypted entropy.

> I think if you don't protect your key with a password, it's easier
> to compromise a system by stealing someone's keys than it is to
> brute force a password, even though the password is a smaller number
> of bits.

Then you have to know that the key is unprotected, where the key resides, and compromise that machine. But you are probably right, easier than guessing a good password.

> The proper way to do it (Plan A) is to use keys only, but ensure your keys
> are themselves protected by password.

Ensure how? I think making it clear that creating an unencrypted key is a firing offense is good enough, but others disagree and insist on technical measures.

I do a lot of PCI security work these days. I have a good book on PCI security (I don't recall the name at the moment and don't have it on hand) which explicitly says that encrypted ssh keys (key plus password) count as two-factor authentication for the purposes of PCI. But this brings us to the classic question: it may check the box saying "must have two factor auth" but is it really secure enough?

> Point is: At the server, yes you have the ability to enforce a password
> complexity requirement. No, you don't have the ability to enforce a
> keys-must-be-encrypted-on-the-client-laptop policy.

Yep.

-- 
Tracy Reed
http://tracyreed.org
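Added example, not part of the original thread: the "is this key passphrase-protected?" question the message turns on can be answered from the key file's own headers, which is what an audit script run on a client (or over keys users hand in) would check. This assumes the formats ssh-keygen writes: the legacy PEM container, whose encrypted form carries a `Proc-Type: 4,ENCRYPTED` line, and the newer `openssh-key-v1` container (OpenSSH 6.5 onward, so it postdates this 2010 thread), whose ciphername field reads `none` for an unprotected key. The sample containers are constructed inline and carry no real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # leading bytes of the decoded openssh-key-v1 body


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_encrypted(pem_text: str) -> bool:
    """Return True if a private key file is passphrase-protected, False if not.

    Decided purely from headers, so no passphrase and no key parsing is needed:
      * openssh-key-v1: ciphername/kdfname are "none" only for unprotected keys.
      * Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): encrypted keys carry a
        "Proc-Type: 4,ENCRYPTED" header line before the base64 body.
      * PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" is encrypted by definition.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-armored private key")
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        ciphername, off = _read_string(body, len(MAGIC))
        kdfname, _ = _read_string(body, off)
        return ciphername != b"none" or kdfname != b"none"
    # Legacy PEM: RFC 1421-style headers, if any, sit between BEGIN and the body.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])


def make_openssh_container(ciphername: bytes, kdfname: bytes) -> str:
    """CONSTRUCTED test input: the header portion of an openssh-key-v1 file.

    Real files continue with kdfoptions, key count, public key and the private
    blob; only the first two strings matter for the encrypted/unencrypted check.
    """
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    body = MAGIC + s(ciphername) + s(kdfname) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

The check reads only the container headers, so it can run over a directory of `~/.ssh` files without ever needing a passphrase.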
_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/