[Gllug] ssh brute force attacks
Joel Bernstein
joel at fysh.org
Wed Dec 10 15:01:43 UTC 2008
2008/12/10 Lesley Binks <lesleyb at pgcroft.net>:
> Okay ... what's the situation with a nicked/lost laptop carrying such
> keys? Supposing they can crack the laptop passwords or gain access to
> disk info someother way - how secure is key based authentication then?
> I just feel it's bolted the doors in one place but left them wide open in
> another.
Er.. So once they crack the BIOS password, login as your user, mount
the encrypted homedir, and get into your ~/.ssh directory, they have
your private key, which is passphrase protected. What would you
suggest as being a better option?
If you're not putting passphrases on the private keys then you have
exactly the same problems as allowing insecure passwords, but nobody
AFAIK has suggested that as a good option. If the keys are secured
with passphrases then a local machine exploit shouldn't compromise
them.
> As far as I can see they've only one problem to solve - the laptop
> password - as opposed to having yet another password to crack which is
> largely dependent on their skill level.
I don't know what that means. It sounds like complete nonsense. What
about the passphrase on the SSH private key?
> I've seen a lot of people say how fantastic it is but I remain to be
> convinced that keybased is the *only* way to go and is the most secure way
> of dealing with things in every situation.
Then you're wrong. I surmise you must not be aware that the keys can
(and should) be configured with passphrases.
HTH,
/joel
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
More information about the GLLUG
mailing list