It used to be that forcing SSH keys was enough to thwart most intrusions from getting your creds. Unfortunately, now most of the rootkits know how to steal a passphrase just as easily as a password. If it's not a rootkit, it's a completely trojaned ssh and sshd installed on the machine. Either works.
It's also the case that passphrase-less keys are one of the first things some hackers go after when they do get access to a user's files, or root to all users' files. We've seen these kinds of attacks in the past. One of the things many people miss when setting up an authorized_keys file is that you can limit where a key is useful and what command it's allowed to run. If you need to automate transferring a copy of a specific file from one host to another, you could create a key to do that and nothing else. Passwords are more of an all-or-nothing deal.

Another issue where keys can win: IF you have sudo on a machine, is it set to use your login password? If a hacker snarfs your key, chances are he didn't get your password. Granted, you shouldn't have your sudo password be the same as your login password, but it's the default... It's not uncommon to see the first thing the intruder attempts to do when getting onto a new machine is a sudo. Why attempt to find a hole when you already have the keys to the kingdom?

It all comes down to risk management. In many cases people don't understand the current risks of passwords or ssh keys, especially now when put into the bigger picture. People tend to forget about sudo access using the same password. Also of note is that some of the hacker databases are getting rather large in stolen creds. I've seen where one had enough knowledge that ju...@site1, jo...@site2, and user...@site3 were the same person. When he needed to change passwords, this user just did a 3-way rotate of the sites. The hacker tried these passwords at each site just in case and succeeded in getting on. Ouch.

There are risks and benefits to both solutions. OTP is another thing to put in the mix. It solves some, but again not all, of the problems.
--Gene

_______________________________________________
Discuss mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
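The "key that can do one thing and nothing else" Gene describes above is built from authorized_keys options plus a forced-command wrapper. The following is an added example, not code from the original post or from LOPSA: the wrapper path (/usr/local/bin/fetch-only), the source address (10.0.0.5), the backup file path and the key comment are all assumed placeholders. sshd puts whatever the client actually requested into SSH_ORIGINAL_COMMAND; the wrapper compares that against a single permitted command and refuses anything else, so a stolen key yields at most a copy of one file and no shell.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper for a single-purpose SSH key (added example).
#
# Matching authorized_keys entry on the destination host (assumed values):
#   from="10.0.0.5",command="/usr/local/bin/fetch-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... backup@src
#
# "from=" restricts which client address may use the key; "command=" makes sshd run
# this script instead of the requested command, with the requested command exposed
# in $SSH_ORIGINAL_COMMAND; the no-* options shut off pty, forwarding and X11.

# The only command this key may trigger. "scp -f <file>" is the server-side half of
# "scp host:<file> ." (assumed file path).
ALLOWED_CMD='scp -f /var/backups/db.dump'

# allowed_command REQUEST -> 0 if REQUEST is exactly the permitted command, else 1.
# Exact string match: appended "; bash", a trailing newline, a different path or an
# empty request (plain "ssh host") all fail to match.
allowed_command() {
    case "$1" in
        "$ALLOWED_CMD") return 0 ;;
        *)              return 1 ;;
    esac
}

# run_forced: called by sshd; executes the permitted command or exits non-zero.
run_forced() {
    if allowed_command "${SSH_ORIGINAL_COMMAND-}"; then
        # Run the fixed string, never the client-supplied one.
        exec $ALLOWED_CMD
    fi
    echo "fetch-only: rejected request: ${SSH_ORIGINAL_COMMAND-<none>}" >&2
    exit 1
}

# Only act when invoked under sshd (SSH_CONNECTION is set by sshd); sourcing the
# file elsewhere just defines the functions.
if [ -n "${SSH_CONNECTION-}" ]; then
    run_forced
fi
```

Test the entry from the allowed source with `ssh -i backup_key dst 'echo hi'` and `ssh -i backup_key dst`; both must be refused, and only the scp of the one file should succeed. Rotate the key if the wrapper's log shows unexpected requests.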
