FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo User

 
 
LinkBack Thread Tools
 
Old 09-17-2008, 07:59 AM
Alan McKinnon
 
Default Enforcing passphrase protected ssh keys

Hi all,

I think I'm barking up an impossible tree, but it's worth asking.

Scenario:

I have an sshd-enabled jump box catering for 100+ users. They all use ssh keys
and we ask them all nicely to passphrase-protect the private key and pretend
that we enforce this. Keys are in use because the admin load of coping with
passwords isn't worth the effort. Fortunately, I have a security officer who
is properly clued up and very willing to listen to reason.

My question:

Is there any known way, no matter how convulted and bizarre, of checking and
enforcing from the server end that a private key is passphrase protected? Our
own research indicates no. One possible way is to audit the user's client
machine, but we don't have that level of access (and don't want it either)


--
alan dot mckinnon at gmail dot com
 
Old 09-17-2008, 11:16 AM
Jil Larner
 
Default Enforcing passphrase protected ssh keys

Hello,

You cannot. The reason for this is simple : you can copy as many times
as you wish it your private key in any place. Even if you were able to
check-up that a private key is passphrase-protected, it wouldn't mean
every single copy of that key is protected so. And the interest of the
private key is that only the owners possesses it and hides it; thus you
shouldn't think about a mensual submission of the keyfile to
automatically check it is protected, because it would open a serious
security hole.

I see the problem you face because some time ago, I used
passphrase-protected keys on my usb stick and ones stored on windows,
but I assumed my linux system was secure enough not to need any more
password once logged in. Opinon I revised with time

If you generates the keypair for these users, you can protect them with
a complex password, so that lazy users may keep it and learn it (or
write it down...). Fortunately (from my point of view), you do not have
any single point of control on your users' private keyfile. Keeping
their credentials safe is of their responsibilities. Your security
officer probably knows that 80-90% of the security is about educating
people. To sensibilise them is you most efficient measure of control.

Any way I might think about checking the protection of a private key
seems to be a violation of privacy to me, regardless of the technology.
The one step you may act is when generating the key pair. What if you
generate it and transfer it to the user in a secure way, after they
filled a form with the password setting for the key ? This way, as they
chosed the password, they'd remember it and don't need to change it or
remove it, unless they really want to. Against that last case, there's
nothing you can do.

Good luck,
Jil.

Alan McKinnon a écrit :

Hi all,

I think I'm barking up an impossible tree, but it's worth asking.

Scenario:

I have an sshd-enabled jump box catering for 100+ users. They all use ssh keys
and we ask them all nicely to passphrase-protect the private key and pretend
that we enforce this. Keys are in use because the admin load of coping with
passwords isn't worth the effort. Fortunately, I have a security officer who
is properly clued up and very willing to listen to reason.


My question:

Is there any known way, no matter how convulted and bizarre, of checking and
enforcing from the server end that a private key is passphrase protected? Our
own research indicates no. One possible way is to audit the user's client
machine, but we don't have that level of access (and don't want it either)
 
Old 09-17-2008, 12:21 PM
Alan McKinnon
 
Default Enforcing passphrase protected ssh keys

On Wednesday 17 September 2008 13:16:57 Jil Larner wrote:
> Hello,
>
> You cannot. The reason for this is simple : you can copy as many times
> as you wish it your private key in any place. Even if you were able to
> check-up that a private key is passphrase-protected, it wouldn't mean
> every single copy of that key is protected so. And the interest of the
> private key is that only the owners possesses it and hides it; thus you
> shouldn't think about a mensual submission of the keyfile to
> automatically check it is protected, because it would open a serious
> security hole.

Agreed. The hole I would like to close (or make smaller) is that the key is
the main security between the user's desktop machine and the core routers on
my network. We originally switched to ssh keys because users will gladly
share passwords with each other without regard for consequences, and the
administration of this is a nightmare.

Keys make for better security, but I would like it to be even better. I also
want to have my facts 100% straight - if I tell my boss "it can't be done" I
like to show research to back it up. There's nothing worse than saying
something can't be done, and someone else in the room immediately says how it
can be done ... :-)



--
alan dot mckinnon at gmail dot com
 
Old 09-17-2008, 12:26 PM
Robert Bridge
 
Default Enforcing passphrase protected ssh keys

On Wed, 17 Sep 2008 14:21:41 +0200
Alan McKinnon <alan.mckinnon@gmail.com> wrote:

> On Wednesday 17 September 2008 13:16:57 Jil Larner wrote:
> > Hello,
> >
> > You cannot. The reason for this is simple : you can copy as many
> > times as you wish it your private key in any place. Even if you
> > were able to check-up that a private key is passphrase-protected,
> > it wouldn't mean every single copy of that key is protected so. And
> > the interest of the private key is that only the owners possesses
> > it and hides it; thus you shouldn't think about a mensual
> > submission of the keyfile to automatically check it is protected,
> > because it would open a serious security hole.
>
> Agreed. The hole I would like to close (or make smaller) is that the
> key is the main security between the user's desktop machine and the
> core routers on my network. We originally switched to ssh keys
> because users will gladly share passwords with each other without
> regard for consequences, and the administration of this is a
> nightmare.
>
> Keys make for better security, but I would like it to be even better.
> I also want to have my facts 100% straight - if I tell my boss "it
> can't be done" I like to show research to back it up. There's nothing
> worse than saying something can't be done, and someone else in the
> room immediately says how it can be done ... :-)

You could use keys AND passwords for the SSH. It should be trivial to
set PAM up for it...
 
Old 09-17-2008, 12:33 PM
Dirk Heinrichs
 
Default Enforcing passphrase protected ssh keys

Am Mittwoch 17 September 2008 14:26:50 schrieb ext Robert Bridge:

> You could use keys AND passwords for the SSH. It should be trivial to
> set PAM up for it...

And even kerberos auth.

Bye...

Dirk
--
Dirk Heinrichs | Tel: +49 (0)162 234 3408
Configuration Manager | Fax: +49 (0)211 47068 111
Capgemini Deutschland | Mail: dirk.heinrichs@capgemini.com
Wanheimerstraße 68 | Web: http://www.capgemini.com
D-40468 Düsseldorf | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: wwwkeys.pgp.net
 
Old 09-17-2008, 01:04 PM
Alan McKinnon
 
Default Enforcing passphrase protected ssh keys

On Wednesday 17 September 2008 14:26:50 Robert Bridge wrote:
> > Keys make for better security, but I would like it to be even better.
> > I also want to have my facts 100% straight - if I tell my boss "it
> > can't be done" I like to show research to back it up. There's nothing
> > worse than saying something can't be done, and someone else in the
> > room immediately says how it can be done ... :-)
>
> You could use keys AND passwords for the SSH. It should be trivial to
> set PAM up for it...

I had thought of that, but I'm shying away from it - the admin load of
supporting that many user passwords is crippling. The users forget their
passwords or share them and write them on stciky notes...

--
alan dot mckinnon at gmail dot com
 
Old 09-17-2008, 01:11 PM
Heiko Wundram
 
Default Enforcing passphrase protected ssh keys

Am Wednesday 17 September 2008 15:04:19 schrieb Alan McKinnon:
> I had thought of that, but I'm shying away from it - the admin load of
> supporting that many user passwords is crippling. The users forget their
> passwords or share them and write them on stciky notes...

What about one-time-passwords? In addition to a user-supplied SSH-key (whether
encrypted or not)? There's J2ME-software (i.e., installable on pretty much
any "normal" mobile phone) to compute OTPs for users, so you don't even need
additional hardware such as RSA-Tokens, and there's no (noticeable)
administration-overhead.

Some intro on this which I just found on google which uses opie:

http://www.heise-online.co.uk/security/One-time-passwords-for-home-users--/features/88570

--
Heiko Wundram
 

Thread Tools




All times are GMT. The time now is 03:58 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org