Re: Security of ssh across a LAN, public key versus password


 



Jochen Bern wrote:

Subverting your workplace machine - the same account you log in as, or even a superuser - gives the attacker a lot of possibilities, essentially getting his hands on all data that passes through that computer, from keystrokes to (before-/after-encryption) network communication to the contents of your screen. If that's a scenario probable enough to make it a concern, and the consequences for the other hosts in your LAN important enough to consider, the question to answer is not "which auth protocol spoken *by the subverted machine* is a bit harder to catch as well" but "how do I get the relevant secrets *off* that machine and into an *actually* secure location".

I will say that there have been a lot of cases of orgs having all of their machines accessible via SSH (with certs) from the Internet, only to have attackers roam freely through them after an admin laptop is compromised. You need some other security mechanism that can't be copied and used from an unapproved system (this could be location/IP based, but people are too mobile for that nowadays, so using something off the machine is needed)

and given that people want to use mobile devices for access, relying on messages/apps on the mobile device is not that good.

David Lang
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev