[Watford] SSH Questions

Yvan Seth watford.lug.org.uk at malignity.net
Tue Sep 16 21:19:50 UTC 2008


On Tue, Sep 16, 2008 at 09:54:04PM +0100, Magnus Kelly wrote:
> [Magnus] Interesting - I had always thought that the pass phrase was
> part of the two way communication, if I understand you the password is
> never seen on the wire in any form. Got it.

Correct, the passphrase has nothing at all to do with the actual SSH
connection.  

> Then is it not possible to control which account the ssh key opens and
> then force the user to su post login to a password protected account
> that does not allow direct login - hence without the key you can't try
> and login to the correct account that has the rights to perform the
> legit remote process.

This is kind of a "two factor" authentication.  The key (something they
have) gets them only so far, then the password (something they know)
gets them full access.

I've set up systems somewhat like this before.  The setup had a machine
in a DMZ which users could ssh to using keys.  Once in that system they
had to ssh to another machine with a password.

This sort of thing can be somewhat weak if not well thought out, however.
If a 3rd party gets a user's key then they can log in to the
intermediate system and replace the user's 'ssh' with something that
captures their password.  If this goes unnoticed then you're done.
Hardening the intermediate machine is a fairly decent solution - in our
case users' shells were set to a program that immediately asked for the
password and didn't give them general shell access.

I've always thought that SSH servers should have a mode that made having
*both* a key and a login password mandatory (maybe this exists now, it
is a long time since I've been a sysadmin.)

> On a related note - can the expensive commercial number generator
> systems that produce a dynamic password be created from only open
> source if coupled with a custom USB-type dongle?

Yes, things like RSA SecurID can integrate with Linux/Unix password
authentication, and thus also SSH (via password (PAM) logins).  There
are probably plenty of other ways to do it; I've not the experience.

This is a better two-factor authentication.  The problem with my DMZ
scenario is that if a user's machine is compromised (pretty common these
days) you're screwed no matter what you do.  Things like RSA SecurID
improve things by requiring input from an external device.  A home-brew
solution is to have your server SMS them a random number and integrate
this into the login process.  This at least means that an attacker
cannot log in to your system at will (but they can still hijack sessions
from the user's compromised machine).

Unfortunately the fact is that, no matter what you do, if you let users
log in from external systems (their home PCs for example) your security
is no better than their home PC security.  If your operation is a likely
target for espionage then you've got problems.

Wow, too long!  Time to put the computer to sleep.

*waves* to hacker looking over his virtual shoulder
-Yvan
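The "both a key and a login password" mode wished for in the message above does exist in OpenSSH: since 6.2 the `AuthenticationMethods` directive can demand a public key AND a password (or `keyboard-interactive`, which is the PAM path, so an OTP module fits behind it) on a single server. The script below is an added example written for this page, not code from the original post or the list. It audits constructed `sshd_config` samples for that mode, including the subtle case where a second alternative chain lets a key-only login through, and writes a client-side `ProxyJump` stanza for the intermediate-host scenario. All file names, host names and the user name are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an sshd_config for
# the "key AND password" mode: OpenSSH has offered it since 6.2 (2013) via the
# AuthenticationMethods directive. Every file, host and user name below is
# constructed for the demo.
set -f   # no globbing: config lines are word-split with "set --" below

# Return 0 when every AuthenticationMethods line demands a public key AND a
# second method (password, or keyboard-interactive, which is the PAM path and
# therefore where an OTP module plugs in); return 1 otherwise, including when
# the directive is absent (sshd then accepts any single enabled method).
requires_key_and_second_factor() {
    cfg=$1
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip comments
        set -- $line
        [ $# -ge 2 ] || continue
        kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        [ "$kw" = authenticationmethods ] || continue
        found=1
        shift
        # Space-separated arguments are alternative chains, any one of which
        # lets the user in; a comma-separated chain is a conjunction. So every
        # chain must contain publickey plus a second factor, or a weak
        # alternative such as a bare "publickey" would silently be enough.
        for chain in "$@"; do
            has_key=0
            has_second=0
            old_ifs=$IFS
            IFS=,
            for m in $chain; do
                case $m in
                    publickey) has_key=1 ;;
                    password|keyboard-interactive|keyboard-interactive:*) has_second=1 ;;
                esac
            done
            IFS=$old_ifs
            [ $has_key -eq 1 ] && [ $has_second -eq 1 ] || return 1
        done
    done < "$cfg"
    [ $found -eq 1 ]
}

# Write three constructed sshd_config samples plus a client ssh_config into DIR.
write_sample_configs() {
    dir=$1
    # The post's bastion: key only. Anyone holding the key is in.
    cat > "$dir/sshd_config.weak" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
EOF
    # Looks like two factors, but the second alternative chain ("publickey"
    # on its own) lets a key-only login through.
    cat > "$dir/sshd_config.alternative" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password publickey
EOF
    # Key AND a second factor on one server, which removes the need for the
    # intermediate hop where a trojaned "ssh" could capture the password.
    cat > "$dir/sshd_config.hardened" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
EOF
    # Client side, if a bastion is still wanted: ProxyJump (OpenSSH >= 7.3)
    # carries the inner SSH session through the bastion as a forwarded TCP
    # stream. The password for the internal host is typed on the user's own
    # machine and crosses the bastion only inside that end-to-end encrypted
    # session, never through a shell or an "ssh" binary on the bastion.
    cat > "$dir/ssh_config.client" <<'EOF'
Host internal.example
    ProxyJump bastion.example
    User alice
EOF
}

main() {
    dir=$(mktemp -d)
    write_sample_configs "$dir"
    for name in weak alternative hardened; do
        if requires_key_and_second_factor "$dir/sshd_config.$name"; then
            echo "$name: key AND second factor required"
        else
            echo "$name: a single factor can log in"
        fi
    done
    rm -rf "$dir"
}
main
```

On a real host, feed the audit the effective configuration rather than the raw file: `sshd -T` prints it with defaults filled in, and `sshd -T -C user=alice,host=...,addr=...` applies the `Match` blocks for a given connection, which this simple line scanner does not evaluate.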
