Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Henrik Nordström henrik at henriknordstrom.net
Wed Oct 12 19:38:25 UTC 2011


Wed 2011-10-12 at 12:20 -0700, Adam Williamson wrote:

> Sure there is. There's the exact same problem as using the same password
> across multiple projects: if someone compromises the key they have
> compromised all of those projects. If you use a different key for each
> project, an attacker can only compromise one project with any given key.

To compromise my SSH key they need to compromise the location where my
key is stored and the key encryption passphrase. If they manage to do
that then any key I have stored there is at equal risk, or anything else
I have on my computers or any system I have accessed meanwhile.

Accessing a compromised system using an SSH key does not place the key as
such at risk. There is only a slight risk if you have agent forwarding
enabled that the key may be used (not copied or stolen) while you are
logged in and is why agent forwarding SHOULD be disabled by default (and
is by default).

Accessing a compromised system using a password immediately gives the
password away.

Regards
Henrik
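
Added example, not part of the original message: a shell check for the agent-forwarding point above. It lists the Host blocks of an OpenSSH client configuration that turn ForwardAgent on; the function names, host names and user are constructed for illustration.

```shell
#!/bin/sh
# List the Host/Match blocks of an OpenSSH client config that enable agent
# forwarding. Keywords are case-insensitive and may be written "Key=Value".
# Any ForwardAgent value other than "no" is reported.
audit_forward_agent() {
    awk '
        BEGIN { host = "(global)" }   # options placed before the first Host line
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # strip indentation
            if (line == "" || line ~ /^#/) next   # skip blank lines and comments
            sub(/[ \t]*=[ \t]*/, " ", line)       # "Key=Value" -> "Key Value"
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "host" || key == "match") {
                host = substr(line, length(f[1]) + 2)
                sub(/^[ \t]+/, "", host)
                next
            }
            if (key == "forwardagent" && n >= 2 && tolower(f[2]) != "no")
                print host
        }
    ' "$1"
}

# Constructed sample configuration; hosts and user are placeholders.
sample_config() {
    cat <<'EOF'
# per-host settings
Host build.example.org
    User alice
    ForwardAgent yes

Host bastion.example.org
    forwardagent=no

Host *
    ForwardAgent no
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_forward_agent "$tmp"    # prints: build.example.org
rm -f "$tmp"
```

The check reports where forwarding is switched on in the file, not the effective value for a given host; `ssh -G <host>` prints the configuration the client would actually apply.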


