
Lax SSH Key Management A "Big Problem"

Posted by Unknown Lamer
from the we're-all-doomed dept.
cstacy writes "Tatu Ylönen, inventor of SSH, says he feels 'a moral responsibility' to come out of retirement and warn that a 'little-noticed problem' could jeopardize the security of much of the world's confidential data. He is referring to the management (or lack thereof) of SSH keys (i.e. 'authorized_keys' files). He suggests that most organizations simply allow the SSH key files to be created, copied, accumulated, and abandoned, all over their network, making easy pickings for intruders to gain access. Do you think this is a widespread problem? How does your company manage SSH keys?" cstacy's summary here is accurate, but as charlesTheLurker notes, the article is a bit over the top: "The Washington Times claims that there's a huge vulnerability in ssh. It turns out that some reporter there has discovered that you can do passwordless login with the software, and has spun this into a story of a dangerous vulnerability. Sigh."
  • by vlm (69642) on Wednesday December 26, 2012 @12:45PM (#42395427)

    So rather than scare people about poor key management, let's scare people about bad passwords -- which is nearly all passwords.

    Hey slashdot does anyone have an implementation where the sshd config would look something like:

    PubkeyAuthentication yes
    PasswordAuthentication no any/any
    PasswordAuthentication yes 10.0.0.0/8

    And no, last time I checked openssh could not do that. Either yes or no, no src address filtering.

    The closest I could come up with is running two SSH servers on different port numbers and filter at the network level which src addrs can talk to which port.
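The per-source-address rule vlm is after can be expressed in sshd_config with a Match Address block, which overrides the global setting for clients whose address matches. The following is an added example, not code from the thread: a constructed sshd_config excerpt plus a small Python resolver that models how sshd picks the effective value (global keywords first, a satisfied Match block overrides them, first satisfied block to set a keyword wins); the resolver is a toy that only understands `Match Address` with CIDR lists.

```python
import ipaddress

# Constructed sshd_config excerpt (not from the thread): password logins
# only from the 10.0.0.0/8 LAN, key-based logins from anywhere.
SSHD_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password

Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def _addr_matches(patterns, addr):
    """Match a client address against a comma-separated CIDR list.
    Assumption: CIDR/plain-address forms only; sshd's wildcard patterns
    and '!' negation are not handled by this toy resolver."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p.strip(), strict=False)
               for p in patterns.split(",") if p.strip())


def effective_option(config, keyword, addr, default=None):
    """Return the value sshd would apply for `keyword` to a client at `addr`.
    Keywords before the first Match are global; a satisfied Match block
    overrides them; of several satisfied blocks, the first to set the
    keyword wins. `default` stands in for sshd's built-in default."""
    global_value = None
    match_value = None
    in_match = None  # None: global section; True/False: inside (non)matching block
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            crit, _, pats = args.partition(" ")
            if crit.lower() != "address":
                raise ValueError(f"only 'Match Address' is modelled, got: {crit}")
            in_match = _addr_matches(pats, addr)
        elif key == keyword.lower():
            if in_match is None:
                global_value = args.strip()
            elif in_match and match_value is None:
                match_value = args.strip()
    if match_value is not None:
        return match_value
    return global_value if global_value is not None else default
```

On a real host, `sshd -T -C addr=10.0.0.5` prints the effective configuration sshd would apply to a client connecting from that address, which is the authoritative check rather than this model.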

  • by Maow (620678) on Wednesday December 26, 2012 @02:50PM (#42396719)

    (years ago) I used to get blasted at home from China IP addrs trying various root passwords. Flooding my logs with failures. Since then I only allow key auth from the untrustable internet. I'd never allow password auth over the internet. Copying a key is not a big deal. Or logging into another machine that I know has a key, etc.

    On the LAN, if some clown gets infected and port scanning / password scanning, I can literally walk over and physically take care of it.

    This may not be of use to you anymore, but I'll toss it out there: fail2ban.

    I use it to ban IPs attempting ssh-as-root on first attempt, ssh login password failures on 3rd attempt. Uses iptables to block the malicious addresses. Works like a charm.

    Also has "jails" for Apache-based log failures, such as attempts to access PHPMyAdmin (whatever it's called), which is worthwhile to run just for that, and a host of others.
