[Gllug] ssh brute force attacks

Robert McKay robert at mckay.com
Wed Dec 10 15:13:58 UTC 2008


On Wed, Dec 10, 2008 at 3:01 PM, Joel Bernstein <joel at fysh.org> wrote:
> 2008/12/10 Lesley Binks <lesleyb at pgcroft.net>:
>> Okay ... what's the situation with a nicked/lost laptop carrying such
>> keys?  Supposing they can crack the laptop passwords or gain access to
>> disk info some other way - how secure is key based authentication then?
>> I just feel it's bolted the doors in one place but left them wide open in
>> another.
>
> Er.. So once they crack the BIOS password, login as your user, mount
> the encrypted homedir, and get into your ~/.ssh directory, they have
> your private key, which is passphrase protected. What would you
> suggest as being a better option?
>
> If you're not putting passphrases on the private keys then you have
> exactly the same problems as allowing insecure passwords, but nobody
> AFAIK has suggested that as a good option. If the keys are secured
> with passphrases then a local machine exploit shouldn't compromise
> them.
>
>> As far as I can see they've only one problem to solve - the laptop
>> password - as opposed to having yet another password to crack which is
>> largely dependent on their skill level.
>
> I don't know what that means. It sounds like complete nonsense. What
> about the passphrase on the SSH private key?

If you were still running an ssh-agent with the keys loaded, it is
possible to extract (the unencrypted versions of) them by attaching a
debugger to the process (requires root access because it disables
non-root ptrace'ing).

Also, with laptop suspend-to-disk, the unencrypted keys may well exist
on the HD somewhere. This actually sounds somewhat feasible to
exploit...

Rob.
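The suspend-to-disk point above has a practical mitigation that is not part of this thread: drop the agent's decrypted keys before the hibernation image is written. The script below is an added example, not code from the list or from OpenSSH. It is written as a systemd sleep hook (systemd runs scripts in /usr/lib/systemd/system-sleep/ as root with two arguments, "pre"/"post" and the sleep action) and it walks the agent sockets it can find and runs `ssh-add -D` against each. Assumptions: the hook's file name, the FLUSH_ON_SUSPEND policy knob, and the /run/user/*/ssh-agent.socket path (a distribution-specific layout; /tmp/ssh-*/agent.* is OpenSSH's own default). The agent accepts connections from a root peer, so no user switching is needed.

```shell
#!/bin/sh
# /usr/lib/systemd/system-sleep/flush-ssh-agents  (added example; the
# hook interface is systemd's, the logic is this script's own)
#
# systemd invokes every sleep hook as root with two arguments:
#   $1 = "pre" | "post"
#   $2 = "suspend" | "hibernate" | "hybrid-sleep" | "suspend-then-hibernate"

# Decide whether this invocation should wipe loaded agent keys.
# Returns 0 (yes) only in the "pre" phase of an action that writes RAM to
# disk; plain suspend is included only if FLUSH_ON_SUSPEND=1 (assumed local
# policy knob, not a systemd setting).
should_flush() {
    phase="$1"
    action="$2"
    [ "$phase" = "pre" ] || return 1
    case "$action" in
        hibernate|hybrid-sleep|suspend-then-hibernate) return 0 ;;
        suspend) [ "${FLUSH_ON_SUSPEND:-0}" = "1" ] && return 0 ;;
    esac
    return 1
}

# Enumerate agent sockets on this host.
# /tmp/ssh-XXXXXXXXXX/agent.<pid> is OpenSSH's default layout;
# /run/user/<uid>/ssh-agent.socket is an assumed per-user systemd layout
# that some distributions use. Adjust the patterns for your system.
list_agent_sockets() {
    for s in /tmp/ssh-*/agent.* /run/user/*/ssh-agent.socket; do
        [ -S "$s" ] && printf '%s\n' "$s"
    done
    return 0
}

# Ask one agent to delete all of its identities. ssh-agent accepts a peer
# whose uid matches its own or is root, so running this as root from the
# sleep hook is sufficient. Failures are logged, not fatal: a dead socket
# must not abort the suspend.
flush_agent() {
    sock="$1"
    SSH_AUTH_SOCK="$sock" ssh-add -D >/dev/null 2>&1 \
        || logger -t flush-ssh-agents "could not flush $sock"
}

main() {
    should_flush "$1" "$2" || exit 0
    for sock in $(list_agent_sockets); do
        flush_agent "$sock"
    done
}

# Only act when invoked by systemd with its two arguments; sourcing the
# file or running it bare does nothing.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

This closes the window Rob describes for the agent's copy of the key only. Anything else holding the decrypted key in RAM at hibernation time, and any page that was already swapped out earlier, still lands on disk, so encrypted swap (or a hibernation image written to an encrypted volume) is the actual fix; the hook is a cheap extra on top. Loading keys with a lifetime (`ssh-add -t <seconds>`) limits the same exposure on a machine that never hibernates.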
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug