Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Adam Williamson awilliam at redhat.com
Wed Oct 12 19:55:39 UTC 2011 

On Wed, 2011-10-12 at 21:45 +0200, Tomas Mraz wrote:

> That's a nonsense. Simply said. If I have a properly generated random
> ssh private key with a strong passphrase that I never put outside of my
> workstations and safe backup media then there is no other way it can be
> compromised than to compromise my workstation. 

Sadly, not everyone uses properly strong passphrases on their private
keys. Some people don't use passphrases at all, and short ones can be
brute forced.

Workstations can be compromised in such a way as to compromise only a
subset of private keys, too.

So, let's say I use the key ADAM to access my personal systems, and the
key FEDORA to access Fedora systems.

When you first ssh into a remote system when you're using GNOME, GNOME
will prompt you for the key's passphrase, and there's a little drop down
labelled 'Details' which gives you some choices about when to re-lock
the key. By default it keeps the key open until you log out from GNOME,
but _you can change this_.

Let's say I leave that setting on default for key ADAM, but change it to
'lock after 1 minute' for key FEDORA.

Now I go out and leave my laptop lying on the coffee shop table for two
minutes while I buy a coffee. Some dastardly person swipes said laptop.

They high tail it off to their secure location, and quickly disable the
screen lock. Now they have access to my running session, and they can
ssh into my personal systems with impunity, because key ADAM is unlocked
until they log out. It's more than one minute since I last used key
FEDORA, though, so if they try and ssh into fedorapeople.org they'll
find that key is locked, and they can't screw around with Fedora.

(Okay, so in practice, because of the FAS email loophole, they can just
reset my FAS password, log in, and change the ssh key. But the point
stands in theory: you can have stricter policies for some ssh keys than
others, and hence some can be compromised without all being
compromised.)
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

More information about the devel mailing list