tightening ssh

Jiann-Ming Su sujiannming at gmail.com
Mon Nov 21 23:47:48 UTC 2005 

On 11/21/05, Wolfgang S. Rupprecht
<wolfgang+gnus200511 at dailyplanet.dontspam.wsrcc.com> wrote:
>
> The password on the key only protects the private-key from being
> casually read by someone with access to the computer.  The
> private-key-exchange that ssh puts on the wire (eg. on the 'net) has
> already had the password stripped from it.  All that is used is the
> raw 1024-bit key.
>
> As an aside, the password on the file really only prevents a casual
> observer from learning the private-key.  An attacker that has managed
> to grab the password-protected private-key file (by having broken into
> the system that has the private key file) can attack the password by
> dictionary and guessing attacks.  This password protection is no
> stronger than would have been had had we used the same password as a
> unix-type password login.  In fact, since they have the file on their
> own computer(s) they can subject it to much faster, more intensive
> guessing attacks.
>

I guess my point is it's another step.  Without the public key, they
just brute force dictionary guess.  With public key, they have to
obtain the private key.  Hopefully, this is hard.  But, I see your
point.  If getting to the private key is easy, then the password
protecting is just for show.

> My feeling is that you can't ever really be sure that a private-key
> file hasn't been compromised.  It is best to generate a fresh
> private-key public key pair every once in a while.  (say 3-12 mos.)
> One can even keep the same password protecting the file, the important
> thing is that the underlying 1024-bit key is changed.
>

Hmm... that sounds like a good idea.

>
> What I did here for a while was run what amounts to a simple shell
> script that grabbed the IP's of the attacking machines and stuffed
> them into an IP-level filter against all traffic from that machine.
> This still allowed the attacker to have 5-10 seconds of fun, but life
> got really boring for them after that.
>

That sounds like what the "recent" module in iptables does.

--
Jiann-Ming Su
"I have to decide between two equally frightening options.
 If I wanted to do that, I'd vote." --Duckman
"The system's broke, Hank.  The election baby has peed in
the bath water.  You got to throw 'em both out."  --Dale Gribble

More information about the users mailing list