Re: SSH Question relating to Public and Private Keys




On Tue, Apr 15, 2008 at 8:12 AM, Peter Kjellstrom <cap@xxxxxxxxxx> wrote:
> On Tuesday 15 April 2008, Clint Dilks wrote:
>  > 1. Currently all of the key pairs we are using have empty passphrases. Is
>  > it worth the effort of changing this and setting up ssh-agent compared
>  > to what you gain in security by doing this?
>
>  To get a clear idea of what keys with no passphrases are like consider the
>  idea that users put their regular password in /home/$USER/my_passwd.txt
>
>  We try our very best to stop any use of key-pairs without passphrase. All
>  modern distros have ssh-agents. Using it is trivial, not using it is lazy.
>  For extra security use "ssh-add -c" and you'll know when your agent is
>  actually signing stuff.
>
>  /Peter
>

This is a HUGE step backwards in security!  Now when your system is
compromised, the attacker will be able to get into ALL of the systems
that user has used that password on.  Face it, users often use the
same password everywhere.  This is really a bad, bad idea.

With password-less SSH keys, at least they only gain access to the
systems with the corresponding key.

Using an ssh-agent is often not feasible for system-level functions
that need to SSH.  Who's going to be there at 2AM to type in the
passphrase when the system reboots?  If you script it, then you just
put the plaintext password in a script file again, and now have the
same problem.

Remember, the old way of doing this was with rsh and .rhosts files,
and those were a problem because DNS could more easily be compromised,
and the system tricked into letting you in.  SSH keys are meant to get
around THAT problem.  Otherwise, all the secret keyfiles are protected
using restrictive permissions, which is what you have to rely on for
this security.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
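One way to turn this debate into an inventory, added here as example code that was not posted to the thread: the script below reports which private keys under a set of home directories are stored without a passphrase, by reading each key file's header (the "Proc-Type: 4,ENCRYPTED" line in legacy PEM keys, the cipher name in the openssh-key-v1 format). It assumes GNU coreutils (base64 -d, head -c); the function names, directory layout and the sample keys used to exercise it are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: find private keys that are stored
# without a passphrase, so an admin can decide which belong to people
# (and should move to ssh-agent) and which are deliberate unattended
# service keys.  Assumes GNU coreutils (base64 -d, head -c).

# key_is_encrypted FILE: exit 0 if passphrase-protected, 1 if stored in
# the clear, 2 if the file is not a recognised private key format.
key_is_encrypted() {
    f=$1
    case "$(head -n 1 "$f")" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # openssh-key-v1: magic "openssh-key-v1\0", then a
            # length-prefixed cipher name; "none" means no passphrase.
            hdr=$(sed '1d;$d' "$f" | tr -d '\n' | base64 -d 2>/dev/null |
                  head -c 40 | tr -cd '[:print:]')
            case "$hdr" in
                openssh-key-v1none*) return 1 ;;
                openssh-key-v1*)     return 0 ;;
                *)                   return 2 ;;
            esac ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') return 0 ;;  # PKCS#8
        '-----BEGIN PRIVATE KEY-----')           return 1 ;;  # PKCS#8
        '-----BEGIN '*' PRIVATE KEY-----')
            # Legacy PEM (RSA/DSA/EC): encrypted keys carry a
            # "Proc-Type: 4,ENCRYPTED" header right after the BEGIN line.
            grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && return 0
            return 1 ;;
        *) return 2 ;;
    esac
}

# report_keys HOMEDIR...: prints one line per private key, "STATUS path".
report_keys() {
    for d in "$@"; do
        for f in "$d"/.ssh/id_* "$d"/.ssh/*_key; do
            [ -f "$f" ] || continue
            case "$f" in *.pub) continue ;; esac
            key_is_encrypted "$f" && rc=0 || rc=$?
            case $rc in
                0) echo "encrypted $f" ;;
                1) echo "CLEARTEXT $f" ;;
                *) echo "unknown   $f" ;;
            esac
        done
    done
}
```

Run it as root over /home/* (and /root) to get the list; keys reported as CLEARTEXT that belong to interactive users are the candidates for ssh-keygen -p plus ssh-agent, while the rest should be documented as service keys and protected by file permissions and a restricted command= entry on the server side.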
