Jeff Abrahamson on 28 Feb 2007 15:48:48 -0000



Re: ssh and trust (Was: Re: [PLUG] Putty and firewall piercing)


On Wed, Feb 28, 2007 at 10:33:45AM -0500, bergman@merctech.com wrote:
> In Art's question, the local machine is owned by an employer. This
> is fairly common. Assuming that the local machine has not been
> compromised, is run securely, and that you "trust" the admins who
> are running the machine, there's still a risk in that the employer
> has a right to the data (i.e., your ssh key) stored on that
> machine. However, _if_ the ssh key was created with a passphrase,
> that key is useless without the passphrase.

Note that you still have to trust root if you use an ssh-agent.  If
you don't trust root but an ssh-agent caches your passphrase, root can
su to me and set the following environment variables like this:

    jeff@astra:~ $ env | grep SSH_
    SSH_AGENT_PID=10926
    SSH_AUTH_SOCK=/tmp/ssh-OnXBZ10839/agent.10839
    jeff@astra:~ $ 

and then I'm toast.


> The worst situation is that the ssh key has been created without a
> passphrase (or that the key was created on the untrusted machine,
> and the passphrase was sniffed when the key was created). In this
> situation, anyone with access to the key (and sniffed passphrase, if
> one was used) also has access to your remote server. Remember, the
> ssh key is protected with the standard filesystem ACLs.  How much do
> you trust the local admins (and how backup tapes are stored)?

Same if a key sniffer gets your passphrase later.  Again, you have to
trust root.


> In this case, the most secure method for using ssh from this host to
> connect to your remote machine is to use one-time passwords. The
> one-time password MUST be computed separately from the untrusted
> environment. This may mean using a PDA to generate the OTP or
> pre-generating a printed list of OTPs.

How do you have your machine demand OTPs?

-- 
 Jeff

 Jeff Abrahamson  <http://jeff.purple.com/>          +1 215/837-2287
 GPG fingerprint: 1A1A BA95 D082 A558 A276  63C6 16BF 8C4C 0D1D AE4B


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
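
The agent socket named in SSH_AUTH_SOCK in the message above is guarded only by file ownership and mode, which keeps other unprivileged users out but not root. As an added example (not part of the original message), this Python check audits those permissions; `audit_agent_socket` and `make_constructed_socket` are hypothetical names, and the demo socket is constructed rather than a real agent.

```python
import os
import socket
import stat
import tempfile


def audit_agent_socket(path, uid=None):
    """Return a list of findings for the agent socket at `path` (empty list = none)."""
    uid = os.getuid() if uid is None else uid
    if not path:
        return ["SSH_AUTH_SOCK is not set: no agent is reachable from this environment"]
    try:
        st = os.lstat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path} is not a socket"]
    findings = []
    parent_st = os.lstat(os.path.dirname(path))
    # Both the socket and its directory must be private to the key owner.
    for label, s in (("socket", st), ("directory", parent_st)):
        if s.st_uid != uid:
            findings.append(f"{label} is owned by uid {s.st_uid}, not {uid}")
        if s.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(s.st_mode)
            findings.append(f"{label} is accessible to group/other (mode {mode:04o})")
    return findings


def make_constructed_socket(dir_mode):
    """Create a throwaway directory and bound socket for the demo (constructed input)."""
    directory = tempfile.mkdtemp(prefix="ssh-demo")
    path = os.path.join(directory, "agent.0")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)
    os.chmod(directory, dir_mode)
    return srv, path


if __name__ == "__main__":
    results = audit_agent_socket(os.environ.get("SSH_AUTH_SOCK"))
    for line in results or ["no permission findings"]:
        print(line)
    # File permissions do not bind uid 0, so a clean result still assumes root is trusted.
    print("note: these checks constrain unprivileged users only, not root")
```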