Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Tomas Mraz tmraz at redhat.com
Wed Oct 12 19:45:24 UTC 2011 

On Wed, 2011-10-12 at 12:20 -0700, Adam Williamson wrote: 
> On Wed, 2011-10-12 at 21:07 +0200, Henrik Nordström wrote:
> > ons 2011-10-12 klockan 13:04 -0500 skrev Mike McGrath:
> > 
> > > Lots of people use and share keys across different projects.
> > 
> > There is no security issue in sharing kes across different projects,
> 
> Sure there is. There's the exact same problem as using the same password
> across multiple projects: if someone compromises the key they have
> compromised all of those projects. If you use a different key for each
> project, an attacker can only compromise one project with any given key.
> Sure, ssh keys are much harder to compromise than passwords, but
> _assuming a compromise has happened_ the consequences of using a single
> key for everything are just as bad as using a single password for
> everything.

That's a nonsense. Simply said. If I have a properly generated random
ssh private key with a strong passphrase that I never put outside of my
workstations and safe backup media then there is no other way it can be
compromised than to compromise my workstation. And in that scenario it
surely does not matter whether I use single key for all the various
projects or multiple keys each key for a single project. Of course if
the public key algorithm (RSA or DSA) is broken such that the private
key can be derived from the public one or from the signatures then it
might make a slight difference. But that is currently not possible for
keys >= 1536 or so bits even with large computing power. And if there
was an easy way to break the public key algorithms many more things
would be broken than just a single compromised SSH key.

This is completely different from the password scenario where the
storage and transport model of the password from the user to the server
is extremely variable and might be quite insecure in some cases.

The much better security of the SSH public keys is actually not coming
from the fact, that they are "larger" and "random" but from the fact
that they are misused much harder than the passwords. And Fedora account
policy should reflect that and not blindly request changing SSH keys
from people who keep them safe.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

More information about the devel mailing list