[Gllug] Selective SSH logins

Nix nix at esperi.org.uk
Wed Aug 27 23:09:02 UTC 2008


On 27 Aug 2008, John Winters spake thusly:

> Nix wrote:
>> Yeah, I don't allow random strangers with root into my house.
>
> There I think you've put your finger on the nub - those who say that
> crypto keys don't add any security are missing the point that it depends
> on what your configuration and requirement is.

Yes.

> If you're running a general system to which a lot of people have access
> (via ssh) then it's true to say that your general security is only going
> to be as good as the practices of your most lax user - whether that user

You'll probably also have to pay attention to things like /tmp races,
symlink attacks, and that sort of thing. On most Unix boxes these days
these are only theoretical holes, because all the users are trusted at
least not to attack each other (if not, say, to maintain the system, so
they may not have root, but they probably aren't willing to go to
extreme lengths to *get* root either).

> authenticates with a password or a key.  If said user keeps his password
> in a file or taped to his monitor

One friend of mine kept one of his passwords taped to the windscreen of
his car. (i.e. he used one of the strings of random digits on his tax
disc as a password!)

The string was otherwise essentially random, and nobody ever imagined
that they could try to read things off his windscreen and try them as
his passwords :)

> Consider however the case of a remote headless server (colo or virtual)
> to which you want access for yourself but not for anyone else.  There
> the object of the exercise is to ensure that said box is *as secure* as
> the local box from which you're connecting, despite it being out in the
> big bad cloud.  In this case the forbidding of password log on does add
> significantly to your security.

Yep. Personally I cast an eye over graphs of network traffic volume x
protocol every so often, so would spot such attacks, but not everyone
does that: a lot of these boxes run very quietly, with security updates
and little other attention for years. (Perhaps there's value in a
historical-usage-based IDS which learns about usual traffic flows and
moans if flows deviate significantly? Probably someone wrote this years
ago and I just never learned about it...)

> A system which allows password logon
> can potentially be brute-forced - and you need to run a visible box with
> ssh on port 22 for only a short while to discover that there are indeed
> lots of instances of malware out there trying to do exactly that.  The

It's going up. I see dozens of runs a day on my random anonymous static
IP address, sometimes from single systems, sometimes from dozens working
in cooperation over the same dictionary (obviously part of a botnet).

> use of crypto keys in this case significantly increases your security.
> (And before anyone starts putting up straw men, I'm *not* advocating
> crypto keys as a substitute for anything else - as always you should use
> all the measures which you can.)

Yep. I've just disabled all logins on my systems here which use
passphraseless keys (with the exception of some internal-only ones which
don't cross trust boundaries and are used by daemons and scripts). Most
importantly, any keys which exist outside my local net are passphrased
now, so one of those systems being compromised doesn't necessarily
compromise me. (I wish there was a way to force people to authenticate
using an agent as well.)

-- 
`Not even vi uses vi key bindings for its command line.' --- PdS
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
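As an added illustration of the two points this thread keeps returning to (it is not code from the list or from either poster): the first half audits an sshd_config for the password-login settings John and Nix say to turn off, and the second half scans auth.log lines for the kind of dictionary runs Nix sees, both a single noisy bot and several sources sharing one username list. The config fragments, hostnames, addresses and log lines are all constructed samples; the keywords used (PasswordAuthentication, ChallengeResponseAuthentication, PermitRootLogin, PubkeyAuthentication) are real OpenSSH ones, and the parser copies sshd's rule that the first value seen for a keyword wins.

```python
"""Added illustration for the Gllug thread above (not code from the list or
its posters): audit an sshd_config for the password-login settings the thread
says to disable, and scan auth.log lines for the dictionary runs Nix describes.
All config text and log lines below are constructed samples."""
import re
from collections import defaultdict

# Constructed sshd_config fragment: a stock install that still accepts passwords.
WEAK_SSHD_CONFIG = """\
# Constructed example
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed hardened fragment: key-only logins, no root-by-password.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section of an sshd_config.

    sshd uses the *first* value it sees for a keyword, so a hardening line
    appended at the end of the file is silently ignored if an earlier line
    already set the keyword; setdefault() reproduces that rule.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match "):
            break                              # Match blocks are conditional; stop at the first one
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue                           # keyword with no value: ignore
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """List the settings that leave the box open to password guessing.

    Fallback values are OpenSSH's compiled-in defaults when a keyword is absent.
    """
    s = parse_sshd_config(text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': logins can be brute-forced")
    if s.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': PAM can still prompt for a password")
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root is reachable with a password")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off: nothing is left to log in with")
    return findings


# Standard sshd auth.log phrasing for a rejected password; "invalid user" is
# inserted when the account does not exist at all.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed auth.log excerpt: one noisy source, then four sources sharing a
# short username list, then a legitimate key login that must not be counted.
SAMPLE_AUTH_LOG = [
    "Aug 27 22:10:01 colo sshd[2311]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "Aug 27 22:10:02 colo sshd[2311]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "Aug 27 22:10:03 colo sshd[2311]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "Aug 27 22:10:05 colo sshd[2313]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2",
    "Aug 27 22:10:06 colo sshd[2313]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2",
    "Aug 27 22:10:07 colo sshd[2313]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2",
]
for i in range(1, 5):  # four cooperating sources, two tries each, all under any per-IP threshold
    SAMPLE_AUTH_LOG += [
        f"Aug 27 22:11:{i:02d} colo sshd[23{20 + i}]: Failed password for root from 198.51.100.{i} port 4010{i} ssh2",
        f"Aug 27 22:11:{i:02d} colo sshd[23{20 + i}]: Failed password for invalid user oracle from 198.51.100.{i} port 4010{i} ssh2",
    ]
SAMPLE_AUTH_LOG.append(
    "Aug 27 22:12:00 colo sshd[2340]: Accepted publickey for nix from 203.0.113.5 port 50000 ssh2")


def detect_bruteforce(lines, single_threshold=5, distributed_min_ips=3):
    """Flag noisy single sources and accounts hit from many sources.

    A lone bot trips the per-IP threshold; a botnet splitting one dictionary
    across its members stays under it, so the second view counts distinct
    source addresses per target account instead.
    """
    per_ip = defaultdict(int)
    per_user = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        per_ip[m["ip"]] += 1
        per_user[m["user"]].add(m["ip"])
    return {
        "single_source": {ip: n for ip, n in per_ip.items() if n >= single_threshold},
        "distributed": {u: sorted(ips) for u, ips in per_user.items() if len(ips) >= distributed_min_ips},
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
    print(detect_bruteforce(SAMPLE_AUTH_LOG))
```

Run against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the first-value-wins rule is the thing to watch, since a `PasswordAuthentication no` added at the bottom of a distro config that already says `yes` higher up changes nothing. The distributed view is deliberately coarse: it says which accounts are being worked over from many places, not which addresses are bots, which is usually the more useful fact on a box where the only legitimate logins are your own keys.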
