[Gllug] ssh brute force attacks

Jose Luis Martinez jjllmmss at googlemail.com
Wed Dec 10 17:18:13 UTC 2008


2008/12/10 Joel Bernstein <joel at fysh.org>:
> 2008/12/10 Jose Luis Martinez <jjllmmss at googlemail.com>:
>> 2008/12/10 Robert McKay <robert at mckay.com>:
>> <snip>
>>>
>>> If you were still running an ssh-agent with the keys loaded it is
>>> possible to extract (the unencrypted versions of) them by attaching a
>>> debugger to the process (requires root access because it disables
>>> non-root ptrace'ing).
>>
>> Some places don't install ssh-agent for this reason.
>
> Some places probably also make their developers whistle down the
> phoneline because computers are inherently insecure. On the whole I
> prefer working at companies with a sensible attitude to keeping out of
> my way and letting me write some code.
>
> Obviously there are different metrics and requirements for different
> use cases and environments but I hesitate at the idea that you're going
> to withhold access to tools which make my life easier because a
> root-compromised machine could be used to steal passphrases. If the
> machine is compromised to that degree, you already lost the game.
>
> My $0.02 anyway.
>

Horses for courses: in some places that is completely over the top, in
some others it is par for the course. Many people that can earn more
money or do some stuff that is interesting for them are willing to put
up with these restrictions.

What you are saying is a bit strange: by being so over the top
security-wise you are not losing the game, you are acknowledging you
have to tighten your security because the data you are handling merits
it.

Would I do the above in a primary school? Most likely not. In an oil
company? It depends. In a bank? You bet.



> /joel
> --
> Gllug mailing list  -  Gllug at gllug.org.uk
> http://lists.gllug.org.uk/mailman/listinfo/gllug
>