Keep SSH Sessions Active, Or Reconnect?

borjonx writes "Is it safer to log out of an SSH session, and re-establish it later, or just keep the connection open? Like many of you, I use OpenSSH to connect to my Slackware Linux boxes remotely from Linux and WinXP (putty.exe) clients. At home and at work, I wonder if it would be safer to just leave the connection open (my clients are physically secured, the servers limit connections with hosts.allow). Is it more secure to re-establish the connection over an insecure link (big bad internet) where people can sniff that handshaking, or is it more secure to just remain connected? I connect 1 to 4 times per day, most days."

screen

[Singularity42]

Just use the program, "screen", if you want to resume your sessions.

Re:screen

[StudMuffin]

Just use the program screen if you want to get rooted, you mean. The ONLY time I have ever had a box rooted was when I left screen running.

Re:screen

[flydpnkrtn]

Just use the program, "screen", if you want to resume your sessions.

That's not what he's asking though... "Is it more secure to re-establish the connection over an insecure link (big bad internet) where people can sniff that handshaking, or is it more secure to just remain connected?"

With a tinfoil hat on, he's asking if it's OK for the OpenSSH handshake to be happening 1-4 times per day across the big bad interwebs (traffic that could potentially be sniffed). He's not asking how to maintain sessions even if ssh itself is disconnected (which is what screen gives you)

Re:screen

[MightyMartian]

I actually use screen a lot, particularly when I'm doing big compiles or other operations that are going to be going on for a while. Particularly when I'm working from home, I've been nailed by way too many spurious disconnects. Screen is an awesome little program. I use it when I'm coding in the shell, I can flip between screens a lot faster than I can through any GUI.

Re:screen

[flydpnkrtn]

Huh? So you're saying somehow screen keeps listening on a port and lets evil hackers connect to it, exploit it, and continue using your screen session?

Can you really be sure it's not just some other vulnerability that is letting someone in?

Re:screen

Just drive a blue car if you want it to catch on fire, you mean. The ONLY time I have ever had a car catch on fire it was blue.

Re:screen

[StudMuffin]

http://www.ubuntu.com/usn/usn-370-1

Burned by that. Prolly fixed now, but that doesn't mean I am eager to resume :D Call me old fashioned.

Re:screen

[flydpnkrtn]

"cstone and Rich Felker discovered a programming error in the UTF8 string handling code of "screen" leading to a denial of service. If a crafted string was displayed within a screen session, screen would crash or possibly execute arbitrary code."

Wow.... ouch. Especially on a shared host with random other people you don't know...

OpenVZ VPS's for the win! It's your own personal "box" effectively

Re:screen

[MrNaz]

This is the wrong place to ask. I doubt we'll get a single response from a person on the cutting edge of cryptanalysis who can give you a meaningful answer on the relative strength of Diffe-Hellman vs AES, which is what your question comes down to.

Realistically, it makes no difference. Both mechanisms are highly secure, cutting edge cryptographic systems. I doubt that either have been broken by anyone. If there is someone powerful enough to break those systems *and* keep the discovery secret, they're waaay above the league where they'd be interested in your SSH connections. That is, unless you work for the military of a major world power and are known to be transmitting valuable intel.

The ability to secretly break DH or AES would be such a huge weapon that they wouldn't use it unless the stakes were high enough to risk losing the advantage if their capability were detected. Somehow, I think your connections to your servers aren't that important.

Re:screen

That is, unless you work for the military of a major world power and are known to be transmitting valuable intel.

In which case you pretty much go to jail for storing that stuff on your home computer

Re:screen

[MrHanky]

I can't see how you can get rooted by screen except if someone got access to your account and you had a screen session with su root running.

Re:screen

[pookemon]

The only car I have ever seen on fire (in real life as opposed to on TV) was a Porsche - and it was blue.

And I currently have two laptops that I amd repairing - both of them have buggered screens.

Oh, and then there's the "Blue Screen of Death" - though I've only seen one PC burst into flames after a BSOD, so that was probably a coincidence...

Re:screen

[sopssa]

Exactly.

The only thing we can say here is that if your computer is physically secured (you can log out to login screen and leave the sessions running, and encrypt your hdds), it doesn't matter if you leave your session running or not. Your ISP can't "sniff that handshaking" and go on without you getting a security warning. If you do, you just wont accept the connection and try to solve what's going on. Just remember to log out after leaving from computer.

If NSA or some other organization had a way to break into your SSH session and they cared to use it against you (with the risk of that info leaking), then you have much larger problems than worrying about if you should leave ssh sessions open or reconnect.

Re:screen

[louzerr]

I've had two cars catch fire ... both blue!!! I think you're on to something ...

Re:screen

[pthisis]

This is the wrong place to ask. I doubt we'll get a single response from a person on the cutting edge of cryptanalysis who can give you a meaningful answer on the relative strength of Diffe-Hellman vs AES, which is what your question comes down to.

No, it doesn't.

Currently, the relative strength of both of those is "much stronger than the chance of some kind of user screwup". Something like typing a password and "enter" into the wrong window, connecting to the wrong server, being tired and cranky about having to get work done and so ignoring a KEY CHANGE warning, etc is far more likely than an attacker breaking AES or Diffie-Hellman to get to your data.

So, do what you can to minimize the chance of user error. To me, that probably means stay connected (I'm willing to be persuaded otherwise, though, whether in general or for particular work patterns).

Re:screen

[pluther]

I've also had two separate cars catch on fire.

Neither was blue, though.

One was kinda brownish and the other was about half gray and half red. (Primer and rust).

Re:screen

[geekmux]

Just use the program screen if you want to get rooted, you mean. The ONLY time I have ever had a box rooted was when I left screen running.

If you could please politely supply the vendor and version of the OS you are running, we would be very grateful. I'm certain I'm not the only one who would like to be running the most secure OS in the known universe...I mean hell, you apparently only have ONE known exploit on your machine. Pretty fucking amazing if you ask me.

Re:screen

If you're using an obsolete version of Ubuntu/screen, you deserve to be rooted.

Re:screen

[_Sprocket_]

Huh? So you're saying somehow screen keeps listening on a port and lets evil hackers connect to it, exploit it, and continue using your screen session?

Can you really be sure it's not just some other vulnerability that is letting someone in?

One of the high-profile compromises Slashdot covered in the past involved screen. Screen itself wasn't attacked. But it did provide numerous sessions (including SSH tunnels) that provided access to internal systems through an otherwise pretty hard perimeter.

Screen rocks; I use it all the time. But one really needs to keep in mind the issues involved in using it. Using it to keep open active SSH sessions would be a practical example of one of those issues.

Re:screen

[_Sprocket_]

You're supposed to paint it blue first. Doesn't anyone RTFM?

Re:screen

[JustOK]

blue, brown and bi-colored all start with the letter b

Re:screen

[cheftw]

I had a car, its colour was WHO CARES?

Sorry, it's late and you're not interesting or on topic.

I realise I'm not either, call it irony.

Re:screen

[blop]

Shocking vulnerability, you could potentially get rooted just reading some dodgy email in mutt under screen!

It was fixed in October 2006 (couldn't find a POC though) but there must be a lot of people with older versions still...

Re:screen

[dgatwood]

Really, I think it's more a case of balancing the risk of the Windows box getting 0wn3d while the connection to the remote machine is active and somebody taking advantage of that to muck around on your server while you're gone versus the risk of the Windows box getting 0wn3d and somebody capturing the password when you log in and using it to impersonate you later. The former requires a much more sophisticated cracker than the latter, so I'd probably say staying logged in is safer as long as you have pretty airtight physical security.

Re:screen

[yincrash]

you could use a key pair to login rather than a password. then keep the key on physically secured usb storage. that would prevent any password issue.

Re:screen

[FlyMysticalDJ]

I realise I'm not either, call it irony.

it's irony. There, are you happy now?

Re:screen

[rew]

Assuming the crypto is strong enough, and I think it is, the chances of getting hacked amount to "user error".

What kinds of user errors could happen?

  The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
  RSA key fingerprint is 24:ba:36:a4:4b:11:59:e8:ec:dd:75:15:f2:2e:74:dc.
  Are you sure you want to continue connecting (yes/no)?

If you occasionally get that, legitimately because you lose your key fingerprint hashes, you might fall for a man-in-the-middle attack. If you
leave your sessions running, there will be less chances of intercepting you while you do the "connect", and the chances of you getting used to these warnings and hitting enter too quickly will also reduce.

So I'd say that for normal use, leaving them running is more secure.

(on the other hand, there were attacks that could insert things into your datastream provided the hacker knew (could guess) what you where typing... But that has been fixed as far as I know).

Re:screen

[sopssa]

The thing is, he will eventually have to login again. While my connection is really stable, sometimes ssh session just breaks or you have to reboot your windows. Or your connection could break for a few seconds and that already breaks it.

You're looking at max 2-3 weeks session time anyway.

There is no better way. You have to keep sure you are secure to both.

Re:screen

[zippthorne]

There is no need to be entering your password in every time. If you're logging in frequently, see man pages for ssh-agent, ssh-keygen, and ssh-add.

It's not that difficult to set up, although the first time takes few minutes to understand. Your OS may also have integration into its keychain, depending on what you're using.

Re:screen

[mysidia]

. Your ISP can't "sniff that handshaking" and go on without you getting a security warning.

You're making an assumption about the modality of the attack.

Not all theoretically possible sniffing attacks are active man-in-the-middle attacks.

If the DH key negotiation is compromised, then the attacker may be able to passively sniff the keys and all the data that follows.

If the attacker can modify the SSH server or the SSH client, then of course, they can sniff all traffic, regardless of connection duration.

Re:screen

[mysidia]

RTFM.

That's why you set a screen password. Control + A, : password ENTER

The attach cannot proceed without typing the password. The password cannot be changed (for an already running session) without attaching first.

From the screen man page:

password [crypted_pw] Present a crypted password in your ".screenrc" file and screen will ask for it, whenever someone attempts to resume a detached. This is useful if you have privileged programs running under screen and you want to protect your session from reattach attempts by another user masquerad- ing as your uid (i.e. any superuser.) If no crypted password is speci- fied, screen prompts twice for typing a password and places its encryp- tion in the paste buffer. Default is `none', this disables password checking.

Re:screen

[mysidia]

Physical security is one thing... but if your computer running the SSH client is compromised by malware, or an intruder, an attacker may be able to login remotely and leapfrog to the other server you left logged in as root.

Re:screen

That is very fascinating. Can you give us some more details about what happened?

Was it a shared host with multiple users?

How did the evil string get displayed?

Did just your user account get compromised or was it truly a "root"ing?

Re:screen

[mysidia]

I'll agree owch.

But you're quoting a vulnerability in a piece of software that was patched 3 years ago, in response to an article about running PuTTy on a Windows system.

A windows system that today likely has so many unpatched 0-day vulnerabilities, that they can't be counted, not even on all the current and past Windows developers' fingers, put together.

This is just a variant of tried-and-true character-based attacks against terminals. Smart people use mesg n on multi-user systems, especially when running as root.

Re:screen

[prider]

I realise I'm not either, call it irony.

it's irony. There, are you happy now?

I'm sure he's not happy, he sounds rather blue.

Re:screen

[mysidia]

Yeah, and drive a black SUV with tinted windows if you want to get laid.

YMMV.

P.S. Don't drive red sports cars, unless you want to get weekly traffic tickets.

Re:screen

[mysidia]

The ASIBC surely had some hand in this... (The American Society for the Incineration of Blue Cars)

Re:screen

[tkiesel]

The GNOME encryption utility has this integrated. I established a key for connecting to my server at work in seconds with a few clicks and my remote password.

So Ubuntu, Fedora, etc.. Linux distributions have this solved.

Re:screen

[tobiasly]

I doubt we'll get a single response from a person on the cutting edge of cryptanalysis who can give you a meaningful answer on the relative strength of Diffe-Hellman vs AES, which is what your question comes down to. Realistically, it makes no difference. Both mechanisms are highly secure, cutting edge cryptographic systems. I doubt that either have been broken by anyone.

That's a good point, but if you do decide to stay logged in after you leave, it's probably best to be doubly sure and turn off your monitor.

Re:screen

Typing in passwords on SSH connections == FAIL.

OP needs to take his pills and put the tinfoil hat away.

Re:screen

[socsoc]

Err... Alanis, that isn't irony.

Re:screen

[trapnest]

The only time I ever got rooted was when another user in suoers left a screen running with sudo -s inside and then dropped his private key in IRC.

Re:screen

Cutting edge cryptanalyst here (PhD in IBE, works for major global security company)

A disclaimer: Conventional crypto is not my game anymore (post-quantum crypto is the way of the future). As any expert will tell you, I am not an expert, but I'll try to shed some light on some aspects of the discussion here.

To begin, we first have to make some reasonable assumptions about the choice of keys in SSH2. There exist known weak primes and weak generators in the DH (Diffie-Hellman) protocol that can be exploited. Assuming the SSH key generator algorithm is smart enough not to choose any known weak primes or generators, we can say the following.

The default OpenSSH implementation uses a 2048-bit prime order field. The security of the DH key exchange protocol is based on the discrete logarithm problem, of which the best known conventional attacks are generally O(sqrt(n)). ie. in laymans terms, roughly equivalent to a keysearch of 2^1024. Quantum computers are another story, but unless you're transferring data that will need to be secure in the order of decades (like you're that important), I doubt you have much to worry about in that regard for a while to come.

AES (the symmetric cipher used in SSH) uses by default 128 bit keys. There are no known attacks on AES better than brute force (ie. on average a keysearch of 2^127, since on average only half the keys will need to be checked before finding your session key). I would say however that there is a far greater chance of someone in the future strongly breaking AES than someone strongly breaking DH. New techniques for attacking symmetric cryptosystems appear all the time (see: Linear cryptanalysis, Differential Cryptanalysis, Impossible Differential Cryptanalysis, Integral Cryptanalysis, Boomerang attacks etc.) whereas DH is based on a very well known and studied number theory problem. Crypto-God Bruce Schneier seems to think AES will be broken in the future, but not enough to allow practical cryptanalysis of traffic.

It's hard to make any definite statements about a comparative analysis of the two schemes, due to the constants (or indeed polynomial terms) of the above complexity statements being unknown. From a purely theoretical standpoint, DH is the weakest link due to it having a better attack than brute force. However, when given this specific set of values to be used, the real-world security comparison is generally seen to be in the favour of DH with 2048 bit prime rather than AES-128. One author suggests Regardless, cycling the session key seems to be free (I can't find any known attacks that use past key exchanges). The SecSH RFC suggests session key cycling after a gigabyte of data, however more often can't hurt.

In short, you don't need to be worried about either DH or AES for a long time to come, but in terms of security, cycling the session key more often than necessary (ie. logging out and back in again) is probably technically more secure. As others have said in this thread however, crypto is very very rarely the weakest link. I'd be looking far more closely at the security of the computers involved than worrying about the crypto being broken.

Re:screen

[Chryana]

And if next time you get rooted, it's because of Apache, are you going to stop using it? What about Firefox? Hell, what if it's because of xorg? I can sympathize with your suspicion since you got burned once by screen, but I think you're depriving yourself of an AMAZINGLY USEFUL tool (I'll admit it, I love screen.). My point is, there are inevitably bugs in software, and there is no point in crippling your computer experience as long as the bugs get fixed. In that case, you could use tmux instead, I suppose, but what tells you it doesn't have a remote vulnerability, which has not been fixed?

Re:screen

[Antique+Geekmeister]

ssh-agent is its own profound issue: by keeping the key unlocked in a format usable by other shells or software, it makes all your unlocked keys available to anyone who can gain access to the same server as you. This means that I, as an admin, can probably borrow the ssh keys of anyone I've educated in how to use ssh-agent on any of my systems.

Isn't that _convenient_ for me?

Re:screen

[steveb3210]

This is the wrong place to ask. I doubt we'll get a single response from a person on the cutting edge of cryptanalysis who can give you a meaningful answer on the relative strength of Diffe-Hellman vs AES

Perhaps you should start with wikipedia. Diffie-Hellman is a key exchange protocol which uses public key cryptography to negotiate a symmetric key.

Your comparing apples and unicorns.

Re:screen

[Medievalist]

I doubt we'll get a single response from a person on the cutting edge of cryptanalysis who can give you a meaningful answer on the relative strength of Diffe-Hellman vs AES, which is what your question comes down to

Yowza! That's some killer irony you got goin' on there hoss! Awesome!

Wait, did you think that was a meaningful response?

Re:screen

[steveb3210]

If an adversary has enough access to read/write to the socket that ssh-agent is processing or read the memory space that it is running in, then they probally also have enough access to keylog you typing in the passphrase or read ~/.ssh/id_dsa

Re:screen

[Rophuine]

People often elevate privileges during terminal sessions. Leaving a screen session running with a shell su'd makes for a privilege-escalation attack a savvy 8-year-old could manage.

Re:screen

[FlyingBishop]

And then you have to physically trek to the box to make a new key. Which will often be impractical, thus bringing us back to "being tired and cranky about having to get work done and so ignoring a KEY CHANGE warning"

Re:screen

[Lord+Kano]

The ability to secretly break DH or AES would be such a huge weapon that they wouldn't use it unless the stakes were high enough to risk losing the advantage if their capability were detected. Somehow, I think your connections to your servers aren't that important.

If anyone has the capability, it's the NSA. They could use it routinely without anyone else knowing, they're good enough at keeping secrets that no one would know until long after it mattered. These are the people who discovered differential cryptanalysis and didn't let the cat out of the bag until 20 some odd years later when academia discovered it.

LK

Re:screen

[JWSmythe]

    I think his question went beyond the question of how secure the session is, even though he did say it.

    Which is more secure, to leave a shell opened indefinitely, or to close it?

    Unless he's not a normal person, at some point every day, he'll use the restroom. During the work day, he may even go get some food or drinks.

    He admitted to using a Windows machine. I won't even comment on how many viruses and trojans are running around, which may compromise his desktop. All it takes is one virus that gives remote access to his desktop that would give someone a clear shot to his servers.

    As anyone who's worked in an office long enough would know, once in a great while, you'll get dragged away from your desk, and not lock the console. Maybe someone shoulder surfed your password. Maybe you used the same password for your email account, and it was sniffed in the clear (tisk, tisk, should have used an encrypted method).

    Of course, his information may really be worth something. Maybe that root shell will be worth a fortune. What exactly is a dump of the full Bank Of America database worth on the black market? How many fake credit cards can you print up before they reissue every single BoA credit card in circulation? In that case, it would be worth it to visit his home with force. One bump key to the back door, and one silenced shot to the back of the head, and you'd have hours (or days) before you were discovered. As always, there is no security without physical security, and that isn't only the server side of things.

    I'm sure someone can name the XKCD issue which points this out the brute force flaw in any security system. A $5 wrench will break any security, if applied properly.

    I'll assume his information isn't all that interesting, since he can access remotely without some serious levels of security. I'd believe we're talking about a few low traffic web servers, and a newbie admin impressing himself that he can keep his connection up for days.

Re:screen

[Antique+Geekmeister]

The ability to read your sockets, directly, to steal the passphrase requires access during that action, with root privileges. It also requires a bit of programming knowledge. Conversely, the ssh-agent access merely requires stolen user level privileges at any time during the period that you have the agent loaded up. It's the difference between picking a lock, and looking under the doormat for the key the owner left there.

A similar issue occurs with administratively privileged sessions without a screen locked, but this is exacerbated by the casual handling of $HOME contents in numerous working environments.

Re:screen

[coobal]

Just drive a blue car if you want it to catch on fire, you mean. The ONLY time I have ever had a car catch on fire it was blue.

Damn, my car caught on fire, and it was blue...

Re:screen

[quadelirus]

Nice answer. Because of this I think the best advice is to close your connection. If you leave it open and head to the bathroom a coworker has access to your home computer. Since we can't say anything meaningful about whether AES or DH is more secure then the only obvious security vulnerability is this one. I say close 'em.

Re:screen

[MrNaz]

AES and DH are both involved in SSH2 session establishment. An ongoing session uses AES whereas repeatedly logging out and in uses DH repeatedly. The difference between constant sessions and repeated reconnects changes which scheme you rely on more.

I am not comparing apples and unicorns, I'm saying that in a meal consisting of unicorn steak and apple sauce, you have to look at both as when considering the risk of having an allergic reaction to the meal

Also, your use of "your" is incorrect.

Re:screen

[cool_arrow]

I seem to recall that DH keys are computed and not exchanged. Wouldn't a passive attacker need to know some info. that he would not have access to? Not sure about this though.

Re:screen

[complete+loony]

Ever seen a blue screen crash?

(Yes I know it's sysinternals screen saver...)

Re:screen

[gnapster]

Hey, if you type in your private key, it will show as stars
*********************, see?

Re:screen

[steveb3210]

I see what you meant now..

Re:screen

[phtpht]

RTFM.

That's why you set a screen password. Control + A, : password ENTER

The attach cannot proceed without typing the password. The password cannot be changed (for an already running session) without attaching first.

From the screen man page:

password [crypted_pw] Present a crypted password in your ".screenrc" file and screen will ask for it, whenever someone attempts to resume a detached. This is useful if you have privileged programs running under screen and you want to protect your session from reattach attempts by another user masquerad- ing as your uid (i.e. any superuser.) If no crypted password is speci- fied, screen prompts twice for typing a password and places its encryp- tion in the paste buffer. Default is `none', this disables password checking.

So what does screen actually do to protect the programs inside? I mean with the privileges to attach the screen and not knowing the pw, you usually also have the privileges to debug the bastard and skip the pw check altogether.

Re:screen

[wvmarle]

You're admin already. Nothing is safe against a determined admin. An admin can gain access to any password, encrypted file, whatever, when their users access it. And possibly even without help from the users. All covertly of course.

In life, you have to trust other people, even if you do not know them personally. The admin of the network you're connecting to is one of them.

Re:screen

[AlexWillisson]

I use this all the time, it works wonderfully. You can also copy your private keys over multiple computers, so you only need one key for all of your computers. However, you probably want to change keys every couple years. That way you don't have to worry about someone logging into your computers with a 10+ year old key you forgot about.

Re:screen

[tomtomtom]

If NSA or some other organization had a way to break into your SSH session and they cared to use it against you (with the risk of that info leaking), then you have much larger problems than worrying about if you should leave ssh sessions open or reconnect.

Further, if NSA/whoever really do have a way to break DH or AES then it is highly likely that it would be in the form of some relatively minor weaknesses reducing the effective keyspace combined with big-iron processing capability. It would still them take some time to do - maybe on the order of weeks to months.

Fact is, they'd have a much better chance just trying to hack your box in the first place (or at least they'd probably try this while waiting for the number-crunching). For example, OP is running PuTTY, so on Windows. I would bet good money that the agencies have been through the source for Windows, Internet Explorer etc and have a small pile of zero-day exploits which they can use to install some piece of software which could just silently transmit your key back to them.

Re:screen

I'm only posting anonymously because I moderated already. But I've thought about this problem also, and it comes down to user education, including admin superusers. One rule we have at our company is you su to root first before using the root user in a screen session. This way you have to be root in order to attach to the session, meaning that you already have the privilege of running as root.
You can also add a session password to screen for added security so even other members of root cannot attach.

In other words, if you have to keep root open in a screen su to root first before using screen.

 

Re:screen

Try tmux instead of screen. I've found it to be more robust and intuitive, probably by virtue of not being GNU.

Re:screen

[OverZealous.com]

I would ask, why would you even allow password-based logins to your server?

Step ONE for me when setting up a new server is to configure SSH keys for a user account, and disable any kind of login other than key-based.

(Step two is moving SSH off of port 22 to some other port, but that's more to keep script kiddies from trying to brute force their way in even when passwords are disabled!)

Re:screen

[ghjm]

Well, but you're making the huge assumption that any security breach must occur because of a breakdown of the fundamental cryptographic protocol. In fact, all publicly known ssh vulnerabilities have been the result of implementation errors of one sort or another.

So, the question is: Are you more likely to encounter implementation errors or other commonplace security flaws during key negotiation or during stream encryption? I think the answer is pretty clearly key negotiation, because the attack surface is larger. Unless you're worried you might lose control of the open session to a local attacker.

-Graham

Re:screen

Oh, I guess you did a nice:

screen
su

?

That is just stupid, and nearly the only way to get rooted by leaving a screen session running.
NEVER rund sudo -i/sudo -s/su from inside a screen!

Re:screen

[Bert64]

OpenVZ is certainly not your own personal box, you are running under someone else's kernel and subject to their kernel choices...
You can't load arbitrary modules which you might want to use (i found myself unable to load the tap module on an openvz image where i wanted to install openvpn), you cannot upgrade/modify the kernel yourself, so if whoever hosts the image doesn't upgrade their kernel to fix a security hole your stuck with it.
And ofcourse, as with any virtual server setup, if someone compromises the host system then they have full access to all your data anyway.

Re:screen

[vegiVamp]

Yeah ! I just had a mental picture of a car on fire, and it was blue, too !

Re:screen

[marcosdumay]

You can install new keys via SSH. No need for physical access. And changing your access key won't generate a KEY CHANGE warning.

And, by the way, the question says that the ssh server is on his home. He won't have problems physicaly accessing the server on a daily basis.

Re:screen

Use 'ssh-add -c' to require confirmation before any key access is granted. In this way, even if someone did request a key from a socket connected to your agent, you'd know because $SSH_ASKPASS would prompt you to allow this key to be used. Thus you know if you're not logging into a box, someone is mucking with your keys - and don't grant it access.

Re:screen

[marcosdumay]

If you occasionally get that, legitimately because you lose your key fingerprint hashes

Just curious here, how would he lose the fingerprint hashes? I'd expect that, except if he consciently changes his server key, replaces the entire ssh configuration, or is victim of a man in the middle, he would never see that warning.

Re:screen

[marcosdumay]

Please, somebody mod the AC up.

Re:screen

[nazsco]

Further, if NSA/whoever really wants this guy that, they will use that $5 wrench.

Re:screen

[newdsfornerds]

Perhaps you left a root screen running?

Re:screen

[thePowerOfGrayskull]

that's interesting but what was the connection? How did screen lead to the rooting?

Re:screen

[obarthelemy]

hey ! we're using the same gateway ! are you hiding in my closet ?

Re:screen

[Argilo]

Actually a Diffie-Hellman key over a prime field can be broken in about the same time as a similarly sized RSA key using, for example, the index calculus algorithm. The amount of computation required to break a 2048-bit Diffie-Hellman key is about 2^112, not 2^1024.

Re:screen

[rew]

You've got it.

- Losing your $HOME/.ssh or wherever it lives under Windows.
- reconfiguring the server.
- starting to use ssh for the first time to that particular server.

For example, although my home machine has been in existance for years, and one of my work systems has similarly been around for years, I had somehow never ssh-ed from this particular machine at home to that machine at work. The machines at home don't share homedirs. So I got the warning yesterday, which I was able to copy for the posting above....

If for example you have 10 workstations on one end and 10 servers on the other, you need to type "yes" a total of 100 times. If you've done that 50 times, you're open to a man in the middle attack because you're used to getting that warning every once in a while.

So yes, that's user error. However, those are worth optimizing for, because I think the crypto is safe...

Re:screen

[ComputerizedYoga]

The answer to the tinfoil-hat question: ssh protocol 2 uses diffie-hellman key exchange to establish a session key before anything sensitive starts flowing. It's pretty resistant to eavesdropping, being that the actual key is never transmitted. You shouldn't be shy about starting up new ssh connections over untrusted links, as long as the destination's server key signature is already in your known_hosts.

Re:screen

[ZygnuX]

bummer...

Re:screen

[flydpnkrtn]

OK, yes you can't load your own kernel modules, but it's a heck of a lot closer to your own personal box than a shared host separated only by individual shell accounts though... and the screen security hole described by the grandparent post would be ineffective

Re:screen

[pthisis]

I would ask, why would you even allow password-based logins to your server?

Because requiring key files presents a barrier to the ability to do work, and that penalty is far greater than the small risk of being hacked in a manner that's caused by allowing password-based logins.

It's not unheard of for things to go wonky when a key employee's on vacation or over at a friend's house or wherever, and the benefit we get from having them be able to download putty, log in, and fix things is a lot higher than the tradeoff.

In a security-focused sysadmin's world it'd be nice to tell them they should carry a keyfile with them everywhere, but in the real world that doesn't really work out all the time.

Re:screen

[binford2k]

You kind of missed the point. He's not asking how he can resume sessions. He's asking whether it's safer to leave an ssh connection open all the time or establish a connection when needed.

Re:screen

You got it mostly right, but no need to disconnect/reconnect there is rekey just for that by default once an hour or shorter/longer if you just configure it.

A humble opinion from CISSP & CISA (who's former colleague is listed original protocol authors and asked about this many many moons & eons ago, this is also documented in O'Reilly SSH book)

Re:screen

[Fry-kun]

If using asymmetric keys, then indeed the private key is not transmitted. But if using password authentication, it is transmitted in "plaintext" within the encrypted connection established by DH session. In other words, if the remote machine is compromised (or someone replaced it), it can get your password. Which is why it's important to heed the host key change warnings.

Re:screen

[Estragib]

I'm not sure if you meant this already, but screen doesn't disconnect anything, except SSH's output to and input from the terminal, and that only in a redirecting sense. Detaching from a screen that's running ssh will leave the SSH connection open exactly as if there was no screen involved. Anyway, OP is off-topic.

Re:screen

[mysidia]

So what does screen actually do to protect the programs inside? I mean with the privileges to attach the screen and not knowing the pw, you usually also have the privileges to debug the bastard and skip the pw check altogether.

The screen binary is supposed to be setGID. Normally setGID tty or setUID root.

Once the binary is launched with setGID privileges, it is not possible to attach a debugger to it, unless you are root.

Of course, root can do anything, unless you have taken special precautions, such as a restrictive SELinux MAC policy, set the capabilities bounding set, or increased the system's securelevel, to remove privileges from the root user.

Re:screen

[Dragoniz3r]

ssh-agent is run on your local machine, not the server. Additionally, the server only stores the public key, the private key is also stored on your local machine. So unless they're ssh-ing FROM your system to another system, you can't "borrow" their key. And if they ARE doing that, then they were fucked to begin with and this discussion is so pointless I question why you even brought it up.

Re:screen

[trapnest]

Why would I type in a private key? Copy paste is just fine thanks

Filter error: That's an awful long string of letters there.

sux

Re:screen

[Bert64]

Depends what you were running inside your screen session...
The attack you mentioned would be defeated on a shared box simply by turning of messaging (mesg n)...
If the user is running an irc client, telnet client, or something else that interacts with externally generated data they may still be attacked... Even if the user is just doing a tail -f on some logfiles, there may be ways to inject the appropriate code into the log.

Re:screen

[marcosdumay]

It seems you may need PortaPutty ;) You can keep your key hashes on a shared disk (or pen drive), and only see that screen 10 times, instead of 100.

Also, it may help to know that the warning for a changed key (like a man in the middle) is different from the warning from an unknown key (like in a new server), and you can't just type 'yes' to make it connect.

Re:screen

[rew]

In practice, security is always a tradeoff between usability and security.

For me having the keys on the local disks is usability, and having them on a pen drive is not.

I personally try to know when a "unknown key warning" is valid or caused by a man-in-the-middle attack. However, imagine having to explain to some computer illiterate person (your mother? someone else's mother if she happens to be computer-literate) when to accept the unknown key prompt and when not. (if that person needs to connect to ONE server only, you can accept the warning once for her and then tell her to never again accept that warning. But if you can't predict to which servers she'll be connecting....)

You're right. changed keys are more difficult to accept than just type yes. Is that the same for putty under windows?

Re:screen

[marcosdumay]

Yep, that is the same for Putty.

You're probably not that special..

[Anrego]

Seriously..

The minor advantage over one or the other is moot.. because unless you've got something of actual importance (in which case it shouldn't be on your home computer) no one is going to go through the bother of trying to break in either way.

If someone wants whats on your computer.. they'll probably just grab you and beat you to a pulp until you give them your password.

Re:You're probably not that special..

The question of best practices doesn't matter who's important.

Re:You're probably not that special..

[Jorl17]

All you say is true, but more people might be interested in this issue from an abstract point-of-view. See it as a philosophical question: "Is it or not right to do X?"
Of course that, in his case, that's probably overworrying (See, I made a new word!)

Re:You're probably not that special..

[mOdQuArK!]

because unless you've got something of actual importance (in which case it shouldn't be on your home computer)

You mean, like having a functioning always-connected-to-broadband potential attack platform?

Re:You're probably not that special..

[Cassini2]

People constantly scan internet ports to find something open and worth hacking.

Linux servers are useful as command and control servers for bot-nets.

Re:You're probably not that special..

[Anrego]

You mean, like having a functioning always-connected-to-broadband potential attack platform?

Sitting on the same Internet as thousands unsecured windows machines.

Seriously.. you're argument is just plain silly. No one is going to go to the hassle of covertly breaking Diffe-Hellman or AES for the purpose of setting up a zombie box. If you could do either.. heck if you could do either.. you'd probably make a mint ..

Re:You're probably not that special..

[Annymouse+Cowherd]

Windows machines behind hardware firewalls, unfortunately.

Re:You're probably not that special..

[_Sprocket_]

The minor advantage over one or the other is moot.. because unless you've got something of actual importance (in which case it shouldn't be on your home computer) no one is going to go through the bother of trying to break in either way.

Your value as a victim is often directly proportional to the ease with which you are attacked. Even assumed difficult attacks become easy if they can be automated.

Re:You're probably not that special..

Direct attacks on Windows boxes went out of style circa 1998. Common causes of 0wnage include IE exploits and simple social engineering with trojans. Hardware firewalls don't do shit about that.

Re:You're probably not that special..

[mrcaseyj]

It seems to have almost become common wisdom that extra strong cryptography is useless because of the possibility they can beat the password out of you. It should be remembered though that a rubber hose attack isn't always practical. For example when Nixon wanted to get intel from the Democratic National Committee, a rubber hose attack on the DNC chairman might not have had desirable political effects. Yet someone like Nixon today may be able to bring the most powerful resources of a major government to bear on a 1024 bit RSA key, at relatively little cost to the attacker. There may also be ways to mitigate such attacks. For example, a fake distress password given away during torture may alert targets and allow encrypted data to be burned before the attacker can locate it. Also, if it is important enough, some people are able to resist torture.

As for the original question though, I'd guess that ssh is secure enough that unless attacks are expected from the most powerful attackers, convenience(productivity) may be the biggest determination of policy on this question. But if the question must be answered, I'd say that staying logged in will expose you to attacks on AES, but repeating your login will expose you to more attacks on both AES and the login protocol. So I'd guess you'd want to stay logged in.

Re:You're probably not that special..

[bain_online]

The minor advantage over one or the other is moot.. because unless you've got something of actual importance (in which case it shouldn't be on your home computer) no one is going to go through the bother of trying to break in either way.

Thats what poor Kenneth Haywood thought, but fate has its own turns and twists.
Agreed that a chance of a terrorist using your connection to send threat emails is quite low, but how about a spammer or an identity thief? Or just an angry X Lover?

Re:You're probably not that special..

[dhasenan]

The best way to defend against an X lover is to use the console exclusively.

Re:You're probably not that special..

[tiberus]

You're probably not that special..

He may not be but, I certainly am. My mommy told me so.

The question of best practices doesn't matter who's important.

Yes and No.

Not all best practices are created equal. A general best practice may be different from one for finance, defense or <insert your industry here>.

Case in point: If he worked for us it wouldn't be an issue, we require the use of VPN and don't allow remote users to SSH in. When on VPN, we redirect all traffic over the VPN essentially removing the user from their local network.

With SSH user like to use port forwarding. We had a user get around our attempts to prevent forward of SMTP. Essentially his innovative port forwarding configuration allowed him to bridge the network, he got botted and our lives became seriously un-fun(tm). In short, while the stated question is interesting, it pales in comparison to other risks.

Re:You're probably not that special..

[realityimpaired]

Indeed. Speaking from a military standpont (I was in communications in the Canadian Forces, Army), the longer a communications link remains open, the more chance there is that somebody will notice it. Now, the costs are a *lot* higher when you're talking about battlefield communications and the potential for enemy artillery, but the principle remains the same: if you keep an encrypted communications link open 24/7, then the chance that somebody will take notice and try to do something with it are significantly increased. It doesn't matter that you're probably not a valuable target, or that you may not necessarily lose much if your connection is hit, the chance of it happening increases with every minute you spend connected. When talking about SSH, yes, it's encrypted, but there's nothing to stop them from sitting there and logging all of the traffic that passes, and just waiting for the next time the SSH handshake happens.

Best practice is to open the link, do what you need to do, and close the link.

Re:You're probably not that special..

[ComputerizedYoga]

Two points of note:

First: changes in traffic pattern are also information leakage. It's all a balancing act. If you're worried about your enemy discovering your location, you stay off the radio. If your location is known (eg: you're at a base), and you want to cover any activity changes, you might stay on all the time and lay down a noise floor to mask those changes. If there's scarce spectrum for you to communicate in, that's another consideration. But none of that really applies to non-military use of ssh.

Second: ssh2 handshakes use diffie-helman key exchange to establish a session key. The eavesdropper waiting for the next handshake gets nothing useful -- they're going to have to do an offline brute force of the stream they got, and that'll only reveal the session key to that user. Further, ssh re-keys every hour or every 1gb by default (configurable: RekeyLimit), so an offline brute-force of a collected data stream will be of relatively limited exposure for an attacker. And offline brute force of even a 128 bit aes-ctr stream is still somewhere deep in the realm of impractical.

Probably the only real difference between reconnecting and keeping it alive is that depending on how many times you connect, you may deplete your entropy pools faster doing one versus the other.

Wat

[sakdoctor]

What gives you the impression that the key-exchange in SSH is vulnerable?
The short answer is: Whatever.

http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

Re:Wat

[xZgf6xHx2uhoAj9D]

More to the point (since basic Diffie-Hellman is vulnerable to man-in-the-middle attacks), if you already have the "fingerprint" stored for your home machine, that really can't be faked, so you're safe. If you're not storing the "fingerprint" (why not?) then, well, why would anyone do that?

Re:Wat

[Anthony+Liguori]

The short answer is: Whatever.

It's a little more nuanced than that. To the extent that a long term session is more predictable than a short term session (or vice versa), it may matter. See Timing Analysis of Keystrokes and Timing Attacks on SSH.

Re:Wat

[hunteke]

What gives you the impression that the key-exchange in SSH is vulnerable?

Answer: The key-exchange is not vulnerable. However, there is an issue the first time you connect to one host from the other. That initial message that most people ignore is a possible MITM (Man in the Middle) avenue a cracker could harness.

Example message:

The authenticity of host 'ssh.example.com (123.234.123.234)' can't be established.
RSA key fingerprint is 96:21:c3:32:3d:cc:18:d5:53:6a:d4:0d:0d:73:c6:1a.
Are you sure you want to continue connecting (yes/no)?

While giving the password to the remote server for authentication may be secure, unless you've verified that fingerprint, you don't know to whom you're talking. That is, when you connect the first time, and you blindly accept that fingerprint, if it's a cracker, you are literally typing your password to the rogue machine (that would then turn around and log in "as you" to the real machine).

Ideally, you would to verify that fingerprint with a version you get through alternate, presumably secure, means. E.g. an over-the-phone conversation with an administrator, or physically accessing the work system and writing it down, or (temporarily) connecting directly to the server with a cross-over cable.

Re:Wat

[palegray.net]

Precisely. On a Linode Linux VPS, for example, this can be accomplished via the console using the following command:

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

Re:Wat

Great! Can you put that info in your (pretty extensive) Wiki?

Re:Wat

[incripshin]

Well at least I agree with you. As long as you're using OpenSSH in the default configuration (though I always enable the VisualHostKey option when it's available), you'll be fine.

Re:Wat

[tobiasly]

Ideally, you would to verify that fingerprint with a version you get through alternate, presumably secure, means. E.g. an over-the-phone conversation with an administrator

So what if this administrator you're having such a secure conversation with has someone holding a gun to his head! Guess you're not so secure now, huh?

Re:Wat

[jroysdon]

The solution to the first-time key exchange is SSHFP + DNSSEC.

Re:Wat

With respect to gun to head, reconnecting is safer because you at least have the chance to die rather than give up the already authenticated connection.

Kinda sucks though.

Re:Wat

[ld+a,b]

A good way of recognizing your host from a new machine is using the visual fingerprints *and* the normal fingerprint.

You can check them using :

$ ssh-keygen -lv -f ~/.ssh/known_hosts

And enable them by setting VisualHostKey.

It doesn't do anything if you are connecting to a host for the first time, though.
In the end it all depends on the sort of setup you want. You always have to compromise.

Anonymous Coward

You kind-of answered your own question. Rebuilding the link over and over is of course more open to being seen/sniffed than an estabilished tunnel.

Re:Anonymous Coward

[dougmc]

Well, yes and no.

It gives the hacker more chances to sniff the connection, but less time to decrypt whatever was sniffed during the beginning of a connection and use it to take over the connection.

It could go either way, depending on whatever vulnerabilities may be found in OpenSSH in the future (or are already known, but not public knowledge.)

Personally, I'd think that going for more, shorter lasting connections would be safer than fewer, longer lasting ones, simply because if they can figure out your password from the key exchange, they can probably do it every time, so it doesn't matter if it's one or many times -- they go it. Of course, this assumes a future vulnerability ...

Re:Anonymous Coward

[mysidia]

What if the vulnerability is a cryptanlytic one in the protocol used by OpenSSH for the key negotiation?

Something like: 2^10 initial key exchanges, reduces the search space for an attacker trying to guess the key

Or certain nonce values turn out to be vulnerable, but not others.

Then more session setups helps the hacker to improve their chances of guessing.

Re:Anonymous Coward

[louzerr]

Also, someone sniffing the network can quickly see those machines you have accounts for with a quick glance. If a curious hacker was inside your network, you would be an "interesting" target.

One-time pad

Just modify a telnet server to use one-time pads and you don'te have to worry about handshakes being sniffed. Just carry around 8GB of one-time pad around on a CF card (cause SD has DRM and is therefore evil)

Re:One-time pad

[Sloppy]

People joke about OTP and say it's infeasible, but seriously: how inconvenient is it to carry around a few gigabytes of pad? It was infeasible 20 years ago but today it sure doesn't sound very burdensome or expensive. The thing is, it's historically so infeasible, that most of today's software doesn't bother to support it. And yet, if our software could use it, I bet plenty of people really would be carrying around randomized flash cards, just for that purpose.

Re:One-time pad

[fbjon]

It's not the carrying around that's burdensome, it's getting the OTP data to wherever you're connecting.

Re:One-time pad

[DamnStupidElf]

Your biggest problem with a OTP is authentication. How do you know an attacker didn't guess that the first thing you run when you log in is "mail", and xored ("mail" xor "rm *") against the ciphertext stream? If you need to trust a cryptographic secure message digest for authentication, you might as well use a plain old cipher like AES for encryption.

Re:One-time pad

People joke about OTP and say it's infeasible, but seriously: how inconvenient is it to carry around a few gigabytes of pad? It was infeasible 20 years ago but today it sure doesn't sound very burdensome or expensive. The thing is, it's historically so infeasible, that most of today's software doesn't bother to support it. And yet, if our software could use it, I bet plenty of people really would be carrying around randomized flash cards, just for that purpose.

Unfortunately, OTP while theoretically perfect has serious practical weaknesses that go beyond the simple inconvenience of having to carry around lots of randomized data. The key practical difficulties essentially are that the OTP must be truly random and most importantly must never ever be reused. It is very difficult to create an encryption system easy to use and transparent to the user using OTP, there are simply too many possible ways for the user to unintentionally make a blunder.

As wikipedia will tell you, historically even spy agencies were not able to keep the above rules and came unstuck when they reused pads, or were not able to randomize the OTP sufficiently.

Re:One-time pad

[_Sprocket_]

People joke about OTP and say it's infeasible, but seriously: how inconvenient is it to carry around a few gigabytes of pad? It was infeasible 20 years ago but today it sure doesn't sound very burdensome or expensive. The thing is, it's historically so infeasible, that most of today's software doesn't bother to support it. And yet, if our software could use it, I bet plenty of people really would be carrying around randomized flash cards, just for that purpose.

Or carry a token.

Re:One-time pad

[necama]

So let me get this straight. You want everybody in the world to carry around synchronized OTPs for every computer they could possibly interact with securely, and all servers to store enough OTPs for all their users, and then, as the OTP protocol requires, throw out the pieces of the pad you've already used? The whole point of a OTP is to deny any sort of pattern formation in the encrypted data due to patterns present in the key and the encrypted stream by making sure there is absolutely no correlation between the two.

Then there is the distribution question. How do you make sure both sides of the OTP are the exact same? Without using quantum encryption protocols (sorry, I don't remember the current distance restrictions on these), there is no known secure way to distribute OTPs short of meeting in person with the person you want to share a pad with, and then making two exact copies of the data.

I'll take Diffie-Hellman for now. If we reach a point where quantum encryption becomes ubiquitous (I'm not holding my breath), then we can talk about OTP as a serious option.

Re:One-time pad

[pclminion]

Not really hard. Buy two 2 TB drives, fill them with the same, cryptographically strong random data. Travel with both drives to one secure endpoint, deposit one drive there. Return to the other secure endpoint, deposit the other drive there. The drives are never out of your possession until they are in the hands of the other trusted party. Depending on what kind of crap you are encrypting, 2 TB is plenty of pad to last for quite some time.

If physically traveling to the endpoints with the pads is cost-prohibitive, then the data you are protecting probably isn't important enough for OTP anyway.

Re:One-time pad

http://motp.sf.net/ and a decent mobile phone?

Re:One-time pad

[Sloppy]

It's not the carrying around that's burdensome, it's getting the OTP data to wherever you're connecting.

That just keeps it from being The Answer To Everything.

But ssh between work and home? Move the OTP over sneakernet.

A phone call to your wife? Plug the phones into each other tonight when they're charging.

Bank account access? They give you a flashcard when you're physically there to open your account.

An online order with a store staffed by people you've never met? Oops, now you have to fall back to public key crypto and trusted introducers.

Re:One-time pad

[Kjella]

People joke about OTP and say it's infeasible, but seriously: how inconvenient is it to carry around a few gigabytes of pad? (...) And yet, if our software could use it, I bet plenty of people really would be carrying around randomized flash cards

Long story short, if it was practical to use a one time pad it'd also be practical to carry around the fingerprint and a SSH client certificate which has been added to the known hosts on the server. Verifying the fingerprint over a secure channel is a lot easier than transferring a OTP, it''s not the carrying it's that you can't send it over the Internet or the whole point would be lost. If you carry the whole OTP on a flash drive, then someone can just steal the whole OTP as easily as they steal the certificate or sniff the password or both. Yes, I know someone will cite the Debian OpenSSL exploit now but looking at it a different way, it was the local software that was exploitable. If you can get a security hole into the OTP software, it'll do you no good no matter how good the encryption was supposed to be. The only effective one time "pads" I've known are those where you get the code externally from a key calculator, a key card or over your cell phone which is assumed to be a secure channel. In short, OTP is fixing all the things that aren't a problem in the first place.

Re:One-time pad

[Sloppy]

You want everybody in the world to carry around synchronized OTPs for every computer they could possibly interact with securely

Nope, just the ones for which it's convenient to do so. I'm not saying Diffie-Helman is obsolete; I'm saying that we sometimes use it when it would be pretty darn easy to use something even better.

there is no known secure way to distribute OTPs short of meeting in person with the person you want to share a pad with, and then making two exact copies of the data.

You say that like it's a horrible obstacle. And yet, you've physically met your friends and family. You physically travel between work and home. You're physically at a bank branch when you open a new account. Those are pad exchange opportunities. If it's easy to do, then why not?

Re:One-time pad

[dgatwood]

First, that would be a really difficult timing attack to pull off, as you would have to be able to reliably identify the point at which you were no longer authenticating with the remote server. Second, because ssh sends data in discrete packets that may include one or several characters, the code would have to guess how many characters were in each packet; this should make it fairly unlikely that you would be successful. Third, even if it were possible, it is trivially avoidable by including a checksum in each block of text and encrypting it with the OTP just like you do with the actual stream data. If the checksum doesn't match after decoding, the packet is discarded and the sender has to resend it. Presto, no more injection attacks.

Re:One-time pad

[suso]

Great, now you have something that will work for 5% of the cases in which people need to remotely connect. Now how about the rest of the times when people cannot get physical access to the machine by inconvenience or by policy.

Just because its possible to do something doesn't make it practical. In fact, its usually when you impose that impracticality on people that they start doing stupid things that jeopardize their security more than it was before the "better" solution.

Re:One-time pad

[pclminion]

Great, now you have something that will work for 5% of the cases in which people need to remotely connect.

I never suggested that this is a general crypto solution for the masses. I am pointing out that if you think you do need to security offered by an OTP system, it's not really that hard to communicate the pads securely. If I can't afford a $1000 plane ticket to deliver the pad in person, chances are my data isn't important enough to need that level of security in the first place.

Re:One-time pad

[melikamp]

Another advantage of this approach is the ability to "hide" useful data inside the pad. If more people used OTPs, we wouldn't have this "hand over your keys" nonsense in courts. Take all of my data. If you cannot understand it, tough luck.

Re:One-time pad

[Ernesto+Alvarez]

Apart from all the distribution problems that everybody has been talking about, I'd like to know how you will surmount the problem of creating the pads in the first place.

To fill your 2TB disks you'd need to toss a coin 16000000000000 times (which I don't think you're willing to do) or have some beefy true RNG (hotbits generates 100 bytes/second, you'd have to have it going for 2500 years).

Pseudo random is not good enough, and RC4 would give you a similar result if you used a cryptographically secure PRNG (and much better if your PRNG is not good).

Re:One-time pad

[stdarg]

It's not like you re-use "one-time" pads, so what does your correct guess + xor gain you?

Re:One-time pad

[Sloppy]

In short, OTP is fixing all the things that aren't a problem in the first place.

That is probably the best criticism anyone has brought up.

OTP still belongs in our toolboxes, though. 3DES doesn't solve any problem AES has and RSA doesn't solve any problem D-H has, but you still have 3DES and RSA. What I'm saying is that if you can generate and share the keys easily and securely (and I'm totally convinced that people misunderestimate just how often that isn't a problem) then it has no other downside. I can flip this around

Long story short, if it was practical to use a one time pad it'd also be practical to carry around the fingerprint and a SSH client certificate which has been added to the known hosts on the server.

and say that when I'm copying those keys, I often (not always , I'll admit) could just as easily copy a few gigabytes of OTP. Think about your ssh connection between home/work (assuming you work in an office that you visit every day) or a phone call to your spouse. In such situations, all of OTPs disadvantages would be overcome so trivially, that people would use it if their tools supported it.

Re:One-time pad

[DamnStupidElf]

Modification of plaintext is easy when the attacker knows what the plaintext will be. Since OTPs generally use XOR to combine the plaintext with the key, the attacker only has to XOR the known plaintext with the modification and then XOR that with the Ciphertext:

P = plaintext
K = key
C = P ^ K = ciphertext
N = attacker's desired new text
A = P ^ N = attack string
M = C ^ A = MITM modification by attacker
The recipient decrypts M with K to get: plaintext = M ^ K = (C ^ A) ^ K = ((P ^ K) ^ (P ^ N)) ^ K = (K ^ N) ^ K = N
The attacker has modified the ciphertext stream to inject N into the new decrypted plaintext, knowing only P.

This works on a per character basis, so the attacker just has to know where in the ciphertext stream the known plaintext is.

Re:One-time pad

[DamnStupidElf]

Difficult timing? Just wait for a delay after the initial burst of login traffic, and watch for the 5 characters to come after that as the user types "mail\r". ssh generally sends individual keystrokes as separate packets to the remote host unless they're grouped into one large write on the client side, so it would not be hard to identify sections the user is typing. Even in a completely batched protocol, just observing the packet sizes long enough would allow an attacker to make a good guess about how long the initial exchange is, what the byte offset is, and how long the first command is and whether it's always the same length.

Including checksums in the block does not help the case for OTPs. CRCs will be unchanged if the plaintext modification is divisible by the CRC polynomial. If the entire plaintext is known, the CRC (or any checksum or unkeyed hash function) can just be modified as well. What you would actually need to do is replace the OTP with a one time codebook encoding each possible n-bit message as an (n*2)-bit random code (and using a brand new codebook for every message) so that an attacker would have a 1/(2^n) probability of choosing a different valid ciphertext for any given message, which is the same probability as an attacker guessing the original plaintext and therefore as statistically secure as the OTP (but not provably secure; there is no way to prove that you can prevent all MITM attacks or even prevent data loss).

Re:One-time pad

[dgatwood]

Or you could just make the checksum be a hash of the last dozen or so packets of communication history so that the attacker can no longer practically know the complete plaintext. Alternatively, you could add a randomly-generated piece of data into each packet that provides an additional value to add in during the hashing of the following packet.

Sniffing?

[Microlith]

If you're worried that the possibility someone is going to perform an MITM attack on you is greater than infinitesimal, then there are far more important things for you to worry about than whether or not to leave your SSH sessions connected.

I'd be more concerned about security on the end points, particularly on the Windows XP machine. Not hard, but far more pressing than someone finding you interesting enough to insert themselves into your communication.

Unless you -are-, in which case you should manually perform the key exchange and never actually send the passwords in the first place.

Re:Sniffing?

[ettlz]

If you're worried that the possibility someone is going to perform an MITM attack on you is greater than infinitesimal

...or the DNS cache gets poisoned, as I once saw. (Thankfully, SSH does a reverse lookup as well and checks the result matches the input, and bails if they don't.)

Re:Sniffing?

SSH is protected by a reverse DNS lookup? Phew, I was worried that it only relied on public key cryptography. Reverse DNS lookups seem much more secure.

(I'm shocked that the parent got a +4, even for slashdot)

Re:Sniffing?

[nightfire-unique]

...or the DNS cache gets poisoned, as I once saw. (Thankfully, SSH does a reverse lookup as well and checks the result matches the input, and bails if they don't.)

So long as he's already authenticated the server in the past, DNS poisoning is useless (even aside from reverse DNS validation). The moment he tries to reconnect to the (wrong) host the key check will fail.

Re:Sniffing?

[ettlz]

Yes, SSH is cryptographically secure enough to stop any such attack, and with a verified host-key the machine at the other end of the dodgy lookup can act as little more than an "unauthorised" router. But I wasn't making a statement about SSH's authentication strengths; I think in this case SSH raised the alarm before that, and so coincidentally alerted me that all was not well with the nameserver cache, something I'd so far taken for granted. Had reverse lookups been poisoned as well (how? An attacker would need to intercept my forward queries as well), well, what's an attacker going to do with all that encrypted data?

Re:Sniffing?

[csartanis]

Fail. I use a dynamic DNS service. The reverse lookup of the IP does not match the hostname that I connect to, and SSH does not complain.

The only protection you have is to verify the key fingerprint.

look into shwatchr and screen

[loVolt]

I like screen and shwatchr then you can reconnect to your session and if it's from a unauthorized host it gets the boot!

Re:look into shwatchr and screen

[stefanlasiewski]

Hrm, it appears that the author of shwatchr hasn't updated it since 2001.

I do like Mike Rash ( Cipherdyne.com ) and have used some of his software (psad will analyze my firewall logs using Snort fingerprints, to help determine the type of attack).

But I would hesitate to use any software which has not been updated in nine years.

Always mitigate against the most likely risk

[pthisis]

Is it safer to log out of an SSH session, and re-establish it later, or just keep the connection open?

Breaking the crypto is almost assuredly not the weakest point in your connection. I'd stay connected, since by far the biggest danger is user errors: you accidentally connecting to the wrong serves, ignoring a cert change alert or something else boneheaded.

Assuming you're not using SSH1, the client and server should periodically regenerate session keys, so it's not like you'll be encrypting vast sessions with just one key (not that this is likely to be the biggest point of failure in your system even without re-keying).

Re:Always mitigate against the most likely risk

Yes, it's good advice to stay connected at all times. After all, what if someone powered down your server, installed some hardware bug, then powered it back up?

Re:Always mitigate against the most likely risk

[massysett]

Breaking the crypto is almost assuredly not the weakest point in your connection. I'd stay connected,

You're right about the crypto not being a concern, but I think the bigger danger is that he gets up to go to the bathroom or printer or something and he forgets to lock the client machine. Cert change alerts are hard to ignore, at least with OpenSSH. Logout.

Re:Always mitigate against the most likely risk

[fm6]

I'd stay connected, since by far the biggest danger is user errors: you accidentally connecting to the wrong serves, ignoring a cert change alert or something else boneheaded.

User error isn't merely the biggest danger. If you count social engineering exploits and sloppy procedures as "user error" than user error accounts for almost all exploits. Mathematical exploits are few and far between — "breaking the code" is something that pretty much happens only in bad spy movies.

(And yes, I know how Blechley Park "broke" Enigma. Except Enigma was never broken. Sloppy procedures by Axis radio operators made the code less secure than it should have been. As it was, they needed brilliant mathematics, early computers, and a lot of luck to even read a small portion of Enigma traffic.)

But why is connecting to the wrong machine a security breach? Because you're sending your password to somebody that shouldn't have it? Passwords themselves are poor security — nobody can remember all the passwords they need to use, and the usual methods of recording them (like the post-it attached to the monitor) are horribly insecure. If you're paranoid enough to use SSH, you should be using SSH's public key authentication.

Re:Always mitigate against the most likely risk

[dissy]

If you count social engineering exploits and sloppy procedures as "user error" than user error accounts for almost all exploits. Mathematical exploits are few and far between -- "breaking the code" is something that pretty much happens only in bad spy movies.

Buffer overflow? Underflow? Stack smashing?

None of those exploit vectors require even 'user interaction' let alone could be called 'user error'

I would have to venture a guess that, while probably not anywhere close to the share true user error has, such attack vectors still do have some share none the less.

Re:Always mitigate against the most likely risk

[slimjim8094]

With most SSH implementations, you can't ignore a cert change alert. It's more of a fatal error, at least with every SSH client I've ever used.

When I reinstall a machine (or regenerate a cert due to, say, a stupid upstream bug), it spits out a big nasty error and will not continue until I remove the offending key from known_hosts.

Re:Always mitigate against the most likely risk

[Chryana]

If his computer is not locked, then the game is pretty much over, since someone can install a keylogger on his computer while he's gone. Also, like other posters said, the most dangerous part of the session is the initial setup, when you may mistakenly type your password in the wrong box. I remember sending my ssh password to Yahoo! Mail two or three times myself by mistake :(.

Re:Always mitigate against the most likely risk

[fm6]

OK, I stand corrected. User error or implementation error.

Re:Always mitigate against the most likely risk

[roman_mir]

but I think the bigger danger is that he gets up to go to the bathroom

- yes, that's the biggest danger in the office, when that guy goes to the bathroom.

Re:Always mitigate against the most likely risk

If his computer is not locked, then the game is pretty much over, since someone can install a keylogger on his computer while he's gone.

It doesn't even have to be unlocked. There are small hardware keyboard loggers that are very unlikely to be noticed. Without secure physical access, nothing we're discussing here matters.

Simple

[Kjella]

....if one can be broken, probably the other one too. The chance that the frequency of which you connect matters is <0.001% in my opinion. Either it's secure or it isn't, and either way slashdot won't be able to answer that.

Neither

[nacturation]

Both the persistent connection and the handshake protocol to establish a new connection are completely secure for any practical purpose. If both the server and the client are completely secure, and the connection between them is secure (via strong crypto in ssh) then pick whichever method works best for you.

Catch 22

[SnoopJeDi]

If it's an "insecure link" (which is the whole reason SSH was developed ANYWAY), then ANY connection is technically compromised. You can't just assume one that was established "sometime before" is more secure than a new one now. If you carry your assumptions through consistently, they're both compromised and you should just disconnect.

Re:Catch 22

[musicalmicah]

That sounds a bit absolutist to me. The question was not "which is secure" but rather "which is more secure." One can argue that my home is not secure because locks are easily compromised by someone who knows what they're doing, and one would be right. However, my home is still more secure when I lock the door than when I don't.

Re:Catch 22

[slimjim8094]

I don't think that's the case. I'm pretty sure you can transport the host machine fingerprint to the client, and the public key to the server, and have it impossible to crack the connection without breaking the crypto.

IANACE (crypto expert) but I think the only avenue for MITM is on the *first* connection to the host, where you need to trust that the link is secure enough to not modify the fingerprint. If you don't need to trust that... I think you're safe.

Probably safe

[cl!p]

If the servers and clients are physically safe/locked that is. SSH renegotiates the encryption keys by default when nessesary. So even if an adversary tries to break your keys, he would have to sart over pretty soon.

all of the above

[larry+bagina]

reconnect as needed, but tunnel your ssh over an ssh session which is always active.

Re:all of the above

[moonbender]

Are you crazy? Obviously the two encryptions would cancel out each other!

Re:all of the above

[drachenstern]

So what you`re saying is ... don`t cross the streams?

Re:all of the above

[DarkOx]

So patching my ssh client and server to use rot13 was a bad idea? I figured since everyone else was using AES that it would gain me some security through obscurity.

That being said using and actually good scheme like blowfish would probably not be a bad idea; just so you are different and perhaps your implementation is not vulnerable to the same buffer over flow or stack bug everyone's is.

Re:all of the above

[Ciaran+Power]

Jesus, that's just Wrong.

Re:all of the above

[Dragoniz3r]

OpenSSH indeed supports Blowfish. You can also configure which algorithms it will accept, and which it will indicate preference for in the KEXINIT. That being said, it's silly to assume that Blowfish is less likely to be subject to buffer overflows or stack bugs than AES. AES is (to my knowledge) the most commonly used crypto algorithm for SSH, and likely has more eyes looking at it, etc etc. I also tend to believe that if there were a buffer overflow bug in OpenSSH, we'd know about it.

Re:better question:

All the cool kids are using Reddit nowadays, Digg has dugg its own grave.

Depends...

[Monkeedude1212]

Are they using the interwebs to hack the mainframe, or crack the mainframe? You need to consider if they are after your Datasheets or your Hard-Diskette. Theres so many factors to consider. Perhaps they just want to plant a worm that will grow into a virus which will grow into a trojan, if you don't stop it in its Larval stages. You can use cyber worms and cyber Larva in some advanced Phishing techniques, so don't waste them if you come across them. I suppose the only way to be sure 100% secure is to encrypt your entire house on the molecular level. Before you head off to work, you should arrange each everything into 8 mol groups and hash into some kind of cipher, its the only way to be both virtually and physically secure.

Re:Depends...

[Kozz]

You write for CSI and NUMB3RS, don't you!?

Re:Depends...

[Hurricane78]

Pff. If they get your password it’s still over!
You know. A good hard lead pipe can take care of that. ;)

I recommend having two-factor authentication. With a USB stick that contains a encrypted keyfile. Only the keyfile will decrypt the house.
So if they catch you, destroy you USB stick. and if they get your USB stick, destroy yourself (not the hookers and blow style. more the blow to the head style).

Now they can only get you, if they catch you and your USB stick at the same time, without you being able to destroy it.
So it has to destroy itself automatically, unless you constantly prevent that.

But how to do that, without the enemy also knowing how to prevent that? ;)

Re:Reconnect.

[pthisis]

SSH doesn't use SSL, and SSHv2 has provisions for rekeying even during a single connection.

gnu screen

[laktech]

I find using the screen to manage my many simultaneous SSH sessions extremely helpful. This tool is so useful it's on the same level as Adblock is to Firefox. With this tool, the reconnect/connect issue is a moot point.

Re:gnu screen

[mirix]

dtach is tiny screen-like app, well, it does just the detach portion of it. Handy if you're running it on something pathetic (hacked router, fe.), and don't need all of GNU screen's bells and whistles.

dtach

Neither is "more" secure

[Rantastic]

It is good that you are concerned about security. It is bad that you are asking Slashdot for security advice.

If I told you that it is far more secure to leave your connection open all day, would you take my word for it?

Do some research on the subject. Learn what terms like IND-CPA, IND-CCA, and IND-CCA2 mean and how to evaluate this situation for yourself. In terms of security, blindly following someone's advice is the less secure choice.

Re:Neither is "more" secure

You are contradicting yourself. You give useful advise, and at the same time you say that asking on Slashdot is bad. Or do you mean that your third line is to mislead the submitter?

Re:Neither is "more" secure

[Nezer]

I wish I had mod points. The parent is spot on.

What is effectively "more secure" is dependent on many, many variables that, ideally, should be mindfully evaluated by the end-user in real-time (and this includes accepting user-error as a risk--even the best fuck up on occasion).

Re:Neither is "more" secure

[drinkypoo]

If I told you that it is far more secure to leave your connection open all day, would you take my word for it?

He didn't ask you, he asked Slashdot. If everyone reputable tells him the same thing, he can probably believe it. If he had time to become a security expert, he probably would have. There are of course no certainties in life, but generally speaking, you can trust the experts most of the time. Amusingly enough, many of the experts seem to have plenty of time to read Slashdot, and even post occasionally :)

Re:Neither is "more" secure

[Dragee]

Who says he is blindly following advice? In my experience, asking a large group of experienced people, many of whom are more likely to be more well-versed than I am on the topic, is an extremely valuable research technique. It doesn't mean I'm going to blindly trust whatever I'm told; it means that I have a wealth of new, highly-relevant information with which to make my decision. In this case, slashdot is google on steroids.

Re:Neither is "more" secure

[Rantastic]

If you think Ask Slashdot is an "extremely valuable research technique" remind me to never hire you.

Re:Neither is "more" secure

[Dragee]

Don't worry. You've just demonstrated that you're a person I wouldn't want to work for, anyway.

One Way to Prevent Session Hijacking

[blitzkrieg3]

Intuitively, longer sessions can lead to session hijacking. This implies that it's safer to reconnect. I'm sure ssh has some way to prevent session hijacking though.

Re:One Way to Prevent Session Hijacking

[Vairon]

The ask slashdot article is about SSH NOT SSL. Session hijacking has nothing to do with SSH.

Re:One Way to Prevent Session Hijacking

[jonaskoelker]

I'm sure ssh has some way to prevent session hijacking though.

Yes, it has. It does cryptography.

Here's the long and short of session hijacking: when you connect to (say) facebook and type in your username and password, facebook issues you a one-time "username"---something which identifies your real username---with no associated password (or, if you will, the username is the password).

Whenever you ask for a facebook page, you send that one-time username in the clear. Anyone who snoops your connection can read that username and reuse it to impersonate you.

If the sending of the one-time username was encrypted, this wouldn't be possible. Like Jeff (Mr. coding horror) says, use HTTPS.

SSH encrypts everything that's sent.

(Oh, and don't listen to Jeff about computer science; a recent stackoverflow podcast made it painfully clear he doesn't know the first thing about automata and language theory. He may be a great programming craftsman and/or businessman, but I find his lack of faith^Wtheoretical knowledge disturbing.)

You say either, I say either...

[slushdork]

It doesn't matter either way. Barring some unknown bug in the SSH implementations (or, even more unlikely, the underlying SSH 2 protocol, or, yet even more unlikely, the under-underlying encryption mechanisms), you can stay logged in or keep re-loging in - both methods should provide no information to an attacker.

Even if there were unknown bugs, you still wouldn't be able to decide: staying logged in gives the attacker more encrypted material to analyze from the same session & keys. Re-loging in every 10 minutes gives them more handshake data.

By the way, I hope that hosts.allow is not the only way you're protecting your servers from the "big bad internet"...

Re:You say either, I say either...

[mindstrm]

assuming the ssh session is the target - they don't need to break the encryption, they only need to get access to the windows box with putty running on it - which is a heck of a lot more likely than cracking SSH.

How safe is your box?

[gmuslera]

If you assume that the remote server is safe, and the communication is safe, then the risk could be at your own box.
Forgetting to set even a screensaver with password in a place where are more people (i.e. kids, or in an office ) or even not people (dont think a cat could hit rm -rf, but is your server, not mine) could make a difference in that question. Could be also an hypotetical risk of some rogue app/trojan (?) sending events to the window that have the ssh session too, but odds are somewhat low.

Re:How safe is your box?

Agreed, I find the nut attached to the keyboard is the biggest security risk.

Re:How safe is your box?

[wolftone]

Is it bad that I've remapped the Caps Lock key to send rm -rf?

Re:How safe is your box?

[barberousse]

A cat might not be able to do rm -rf but I heard of a ferret able to press the delete key and the enter on a Windows box. The recycled bin saved the day but the fact is a ferret was able to delete a file by running on a keyboard.

Key Fingerprint

[phantomcircuit]

the only thing that is important is that you verify the public key fingerprint presented by your server to prevent MITM attacks. Aside from that there is absolutely no reason to believe the ssh protocol itself has been broken.

Re:Key Fingerprint

[mxs]

Other than general paranoia, of course. There is no reason to assume it has not been broken, either -- just anecdotal evidence ! :P

Depends where you're connecting from

[bram]

If you're connecting with putty it implies starting of from a risky platform.

Otherwise it wouldn't make a big difference.
With enough resources session keys can probably be replayed either way.

I have a solution

[signingis]

Go outside.

Re:I have a solution

[macintard]

Glad to see I got somebody's panties in a bunch.

Re:I have a solution

[rastos1]

Go outside.

Don't. You are likely to be eaten by a grue.

Re:I have a solution

Are you suggesting that we should become that which we hate - mundane people who ignore all security protocols? It's not worth it, man.

Or...

[DRAGONWEEZEL]

When you cross the two encryption streams you may get total protonic reversal, or you may get 1 REALLY POWERFUL STREAM.

Re:Or...

[L4t3r4lu5]

Look, everybody who grew up in the 80's knows that you never, ever cross the streams.

Don't leave your computer turned on.

[Medievalist]

"Is it safer to log out of an SSH session, and re-establish it later, or just keep the connection open?

It's safer to log out and re-establish. UNLESS you are subverting host key verification - just clicking past the big warning sign that OpenSSH throws up when it sees an unknown host key - in which case you certainly can get MITM'd. Keep copies of your public (not private!) host keys on a thumb drive for use the first time you connect from an outside box.

Like many of you, I use OpenSSH to connect to my Slackware Linux boxes remotely from Linux and WinXP (putty.exe) clients. At home and at work, I wonder if it would be safer to just leave the connection open (my clients are physically secured, the servers limit connections with hosts.allow). Is it more secure to re-establish the connection over an insecure link (big bad internet) where people can sniff that handshaking, or is it more secure to just remain connected? I connect 1 to 4 times per day, most days."

I believe the "handshake" is a diffie-hellman key exchange. It can't be sniffed and cracked in realtime. On the other claw, I suppose it's theoretically possible that if you leave the connection open long enough, a determined attacker with titanic resources can brute your session key. In reality, I personally don't think that will ever happen to you, it'd be cheaper for anyone with those kind of resources to use the $5 wrench upside your head method.

Here's something to consider: If your computer is turned off, it's not being hacked. If your computer is turned off, it's not getting a virus. If your computer is turned off, nobody is sniffing your packets. If your computer is turned off, lightning isn't blowing through the ground line of your UPS like a knife through butter and turning your motherboard into a campfire. If your computer is turned off, a jealous colleague is not sneaking into your office and using it without leaving a login record. If your computer is turned off, it's not part of a botnet. If your computer is turned off, it is immune to zero-day exploits that are absolutely unstoppable by any other means.

The most secure computer is turned off. Any time you don't need your computer to be turned on, just turn it off. If everyone did this, we'd save millions of dollars (and hopefully, cut off some funding to energy suppliers who hate us).

Re:Don't leave your computer turned on.

[gregben]

If your computer is turned off, lightning isn't blowing through the ground line of your UPS like a knife through butter and turning your motherboard into a campfire.

No. The easy, safe, way to protect against lightning strikes is to turn off and unplug the computer so there is no conductive path into it.

Re:Don't leave your computer turned on.

[zippthorne]

You can just click through that? There's an easier way than going into .ssh/known_keys and deleting the offending line?

I thought it was like that to force you to think about why the host you're connecting with might be presenting you with a new key...

Re:Don't leave your computer turned on.

[JustNiz]

I also bury my computer in the yard after every time I'm done using it, so that its safe from nukular war.

Re:Don't leave your computer turned on.

[Medievalist]

Maybe I shouldn't tell you that you can modify your configuration so that... nah, I'm not telling.

But my comment was meant to apply to the situation where you're connecting to a host from a client that has never connected before. OpenSSH will say
The authenticity of host blablahblah can't be established.
RSA key fingerprint is numbertynumbernumnum.
Are you sure you want to continue connecting (yes/no)?

If you say "yes" it adds the key to your known_hosts file, this is where you can get MITM'd. Sorry I wasn't more precise; thanks for pointing it out.

Yeah, if the host key changes and you don't know a good reason for it, you'd be a fool to connect. Thus you should have to edit known_hosts manually.

Re:Don't leave your computer turned on.

If your computer is turned off, lightning isn't blowing through the ground line of your UPS like a knife through butter and turning your motherboard into a campfire.

Actually nothing short of unplugging it will prevent that. But the odds are pretty small.

Re:Don't leave your computer turned on.

See, the first thing you need to understand is that tere is no computer.

Re:Don't leave your computer turned on.

Correction: Having a computer turned off does NOT protect it from lightening strikes. I've seen a blackened radio and fried electronics from a lightening strike that hit just outside a house. Only unplugging it will give it full lightening protection.

Re:Reconnect.

[fusiongyro]

You're right, but they do both use Diffie-Hellman for key exchange, so the security implications of setting up the connection are similar.

Ah, the feared ROT13 cypher?

[rsborg]

Are you crazy? Obviously the two encryptions would cancel out each other!

Yes, you are correct, but you may want to upgrade from ROT-13 to ROT-26.

Re:Ah, the feared ROT13 cypher?

[_Sprocket_]

That's the same encryption I use on my luggage!

Re:Ah, the feared ROT13 cypher?

[cynyr]

or you know skip ROT26, and use either my "Quad ROT-13" cypher(see sig) or ROT-56 or ROT-112.

keep alive of course, just in case you get fired

keep alive of course, just in case you get fired

they might change passwords, regenerate keys, restarts sshd, but by default sshd does not drop existing connections ;-)

so, when when you get home, all depressed, you sit down in front of your computer, the screen comes on, and you go "hey, I am still logged in"

then with a smirk on your face, you can still go to work

next few days when they call you that you are hired back, send them your consulting rate (3-4X your regular salary)

dont you read BOFH to know this?

Re:See, I made a new word

[MRe_nl]

LMGT4U;
http://www.google.nl/search?q=overworrying&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:nl:official&client=firefox-a

In your situation

[mindstrm]

Reconnect. Leaving the sessions constantly open means if your workstation is compromised, you may have compromised the servers as well.... at least you've increased the risk profile of the servers.

Connect as needed - use proper key management and passwords, etc.

Boring...

[brundlefly]

This is exactly the sort of question that Stack Overflow was created for....

Re:Reconnect.

Not really, SSL and SSH uses the DH handshake differently. SSL performs all sort of craziness where you select different chipers, sizes and wheter to encrypt at all. SSH does not.

Restarting makes traffic analysis a little easier.

[dweller_below]

I do IT Security for a university. One of my projects is to do some rudimentary traffic analysis of our SSH sessions.

I look for the negotiation between SSH server and client and log connections. Since the negotiation is port independent, I can log the start of SSH sessions, no matter what port they are on. This allows me to:

1) Notice if important systems have sprung a new SSH backdoor.
2) Notice if important systems are SSH'ing out to weird places.
3) Check with local sys-admins and say things like: 'Looks like the Chinese have found your supersecret SSH port. Again. You have proved that TCP/222 and TCP/2222 are not good choices. Maybe this time you want to borrow my HexDice?'

Anywho, my rudimentary traffic analysis can be defeated if you change the SSH negotiation. It can be hindered if you just leave the connections running for days at a time.

So, if you want to annoy people like me, you may want to leave the connections up.

Miles

The vulnerability is in the endpoints

The tunnel can be considered safe, regardless of whether you reconnect often, or leave it connected. The attack target worth considering in this case is the tunnel endpoints. Consider that your box is owned and the remote box is not. The remote box can only be tampered with while the tunnel is established, so leaving the ssh session active leaves you more vulnerable. (This is only valid if establishing the tunnel requires three-factor-authentication, such that the attacker can't reestablish the tunnel at will.)

Like many of us ...

[Lemming+Mark]

Like many of you, I use OpenSSH to connect to my Slackware Linux boxes remotely

If many of us are connecting to your Slackware boxes, reconnecting is not your largest vulnerability!

(sorry, couldn't resist)

Better to disconnect

[Raul+Acevedo]

Unless you lock your desktop every single time you get up and walk away from your desk, it's better to generally disconnect, because you lessen the (admittedly very small odds) that someone else will simply walk up to your workstation, and either out of malice, curiosity or just mistake (they think you are logged in someplace it's ok for them to poke around), they end up accessing your remote session.

It may also look suspicious to sysadmins that you keep sessions alive for so long.

Is it possible for a Windows admin to poke around your desktop, remotely, without your knowledge? I believe they normally have to make a request that you accept before you hand over control of your desktop to a Windows admin, but I don't know if Windows (or other corporate monitoring software) allows this to happen without your knowledge.

Re:Better to disconnect

[gparent]

Is it possible for a Windows admin to poke around your desktop, remotely, without your knowledge? I believe they normally have to make a request that you accept before you hand over control of your desktop to a Windows admin, but I don't know if Windows (or other corporate monitoring software) allows this to happen without your knowledge.

Remote desktop takes control of the session, so you're locked out, they don't access your session. Now obviously some monitoring software out there is going to have a "stealth" mode, but that has nothing to do with Windows, it could happen on any OS.

Re:Better to disconnect

[Raul+Acevedo]

I didn't really mean remote desktop; I meant more "session sharing", though my point is not the standard session sharing someone will request if you're asking an admin for Windows help.

Yes, a stealth program installed by your employer could happen on any OS. My point is not that this is a Windows problem, but that such software has more opportunity to observe what you've been doing remotely if you leave sessions open all the time.

Re:Better to disconnect

[mysidia]

The short of it is you need to be the only Administrator of your workstation, in order to really have a connection to the Unix servers that you can verify the security of. You are most "secure" with a standalone workstation, having Windows Firewall enabled, no exceptions enabled, no domain membership, forceGuest set to on, and passwords required for all local access.

If your organization requires security of the servers, then ensuring no untrusted admin has the technical ability to screw with workstations is critical.

Just because a naive Windows admin doesn't have a simple way of shadowing your session, doesn't mean it is at all hard.

One group policy setting to deploy "compliance software" such as 3AMI/MAS Employee Monitoring Software, with keylogging enabled, and.. suddenly your SSH sessions and passwords aren't so secure... Oh, that's just the legal route. Of course, "trojans" or some $5 keylogger can be deployed too, from a system management console, and configured via enforced registry settings.

If you have software installed by someone else, OR someone else has a valid login to your workstation, OR your computer is a member of a Windows domain, then someone else can run software on your computer, and they can also change the configuration to enable them to shadow your session.

And yes, most shrink-wrapped management software provide a way to do this. Typically, the technology used is VNC, TightVNC, or UltraVNC.

There are also some commercial software (remote access) products that do this.

Most management software allow the running of arbitrary remote programs. It is trivial to deploy registry settings and software via group policy or remote IPC access, from a domain computer.

Tools included with Windows Server and available through SYSINTERNALs allow this without buying any management suite.

But DameWare, Hyena SystemTools, Purgos, ScriptLogic, LANRev, ZENWorks, IBM Director, all provide point-and-click interfaces to do this sort of thing.

The management software itself may provide a simple "one-click link" to quietly shadow your session.

Re:Better to disconnect

[mysidia]

Addendum: embarrassed that I mentioned UltraVNC without also mentioning Timbuktu can be made to do this.

VNC normally displays a little icon in the taskbar, but a simple registry setting pushed via login script or group policy can hide it.

It can also be easily hidden in task manager/process viewer, through other methods, I won't mention, because they are easily abusable tricks I don't wish to encourage, not documented anywhere, and relatively unknown to most developers and to the community. But also not hard to figure out: so, you don't need other people having access to your computer if you want anything close to a security guarantee, you must fully and properly administer and secure your workstations yourself (or have someone trusted due that, without lending access to a large population of admins via domain or central management).

Re:Better to disconnect

[gparent]

That's a nice massive post and all, but I'm pretty sure the guy who asked the question understands that. I was just answering the poster above who seemed to imply remote desktop somehow made Windows machines more vulnerable to session hijacking.

You'd have to be braindead to not realize that with admin powers, people can *gasp* perform administrative tasks on your computer, such as installing spying software.

Re:Better to disconnect

[mysidia]

Then why did he say:

It may also look suspicious to sysadmins that you keep sessions alive for so long.

Is it possible for a Windows admin to poke around your desktop, remotely, without your knowledge?

Of course, the answer is yes.

Also, if you yourself use the Remote Desktop protocol, in some scenarios it is not as secure as SSH.

Remote Desktop connections are encrypted, of course, but there are two problems:

• In the default configuration, the RSA private key used to sign the terminal server public key used is hard coded into a DLL, and well-known.
• Most people don't know or don't bother to configure RDP properly for TLS security
• The windows password is trivially intercepted as it is being typed

In other words, if you use RDP, and have not gone to substantial lengths to secure against MiTM attack, then if you yourself use RDP, it will be much less secure than the typical SSH setup (where each server has its own host key, and the client has memorized or been populated with the correct ones).

Re:Better to disconnect

[gparent]

Is it possible for a Windows admin to poke around your desktop, remotely, without your knowledge?

Did not see this.

Re:Restarting makes traffic analysis a little easi

[h4rr4r]

Here is a better idea, do not open ssh to the world. Make them vpn in first, then ssh. Security in layers.

Re:Restarting makes traffic analysis a little easi

[zippthorne]

That's a maddeningly recursive solution...

However...

[Junta]

That has no bearing on comparing logout/login vs. staying logged in. Yes, the very very first handshake can be bad (there are methods to mitigate, but that's beyond the scope of this discussion), but once you establish that trust, logging out does not break it.

Very simple consideration

[ls671]

If you log in typing in a password, it might be easier for somebody to get your password by looking over your shoulder, installing a camera in your premises or use a keyboard sniffer. In the case of password authentication, every time you log in is a weak point.

 

Re:Very simple consideration

[philosiphus]

That is a good point: timothy did not specify whether his authentication was based on password or key. Password-based authentication is more susceptible to brute-force attacks on weak passwords.

Timothy, if you are you are using password (keyboard-based) authentication you should stop, now. The number of times you log in should not matter nearly as much as your authentication method and OpenSSH version. If you are using key-based authentication with OpenSSH > 2.3 (hmac-md5 instead of hmac-sha1) you should be o.k..

monkeysphere

[Jubilex]

The authenticity of host 'ssh.example.com (123.234.123.234)' can't be established.

RSA key fingerprint is 96:21:c3:32:3d:cc:18:d5:53:6a:d4:0d:0d:73:c6:1a.

Are you sure you want to continue connecting (yes/no)?

This initial message is what Monkeysphere is designed to fix.

Monkeysphere distributes GPG-signed SSH host keys. If you have the admin's trusted public key, and they sign their hosts' keys, you can trust the host key even if you haven't connected to it before.

http://web.monkeysphere.info/

Exposure window. A real issue to consider

[suso]

Other than looking at the protocol itself, there is one other thing to consider that may raise the stakes more than someone's ability to crack SSH or not. By keeping yourself logged in and using a keep alive option such as TCPKeepAlive, you are further exposing your existence. If someone was listening at a router or something and wanted to find interesting hosts to break into, you're opening a larger window for discovery by leaving your session logged into 24x7. The fact that you're using SSH would tell someone that you have shell accounts in different places, which is most definitely interesting to hackers.

Re:Restarting makes traffic analysis a little easi

[argent]

VPNs are somewhat easier for compromised systems to exploit, since the new endpoint shows up as a new interface... they don't have to go through the modest trouble of exploiting the SSH connection by compromising the executable, they can just run their attacks on internal systems directly through the VPN... the surface area for attack is larger.

On the other hand, if they HAVE compromised the SSH executable, having it wrapped in a VPN isn't going to add much (if any) additional safety.

So all in all, unless you're a true bastard and the VPN is terminated in a DMZ that only has the SSH servers visible (and if so, bravo to you), VPN (with or without SSH) is probably a net loss in security.

Depends on where you work.

[Ungrounded+Lightning]

If there is someone powerful enough to break those systems *and* keep the discovery secret, they're waaay above the league where they'd be interested in your SSH connections. That is, unless you work for the military of a major world power and are known to be transmitting valuable intel.

Or if you work for a hi-tech company with, say, technology that China (for example) wants badly enough to put their version of the NSA to work cracking you and then handing the company's designs to (for example) Huawei.

The company I work for would qualify.

The problem with the tunnel is that it can turn a successful attack on one end into a successful attack on the other. Taking it down when not using it reduces the window of exploitable time. (Which probably still doesn't make a lot of difference for attackers of major-power-intelligence-community level, so never mind. B-) )

Re:Depends on where you work.

[Rophuine]

To further reinforce this point, in additional to longer compromise windows, you have larger quantities of data encrypted under the one session key. A primary component of encryption is key rotation, and the longer you leave your session open, the more historical data available to be compromised through the breaking of a single key. On the off-chance your opponent potentially has access to massive computing power (otherwise, why would you even be worried in the first place?), you're better to be rotating your session key regularly: thus, sign out.

Re:Depends on where you work.

[psmears]

you're better to be rotating your session key regularly: thus, sign out.

Doesn't ssh (v2 anyway) renegotiate the session key automatically after a certain amount of data is sent? Check out the "RekeyLimit" option in the OpenSSH ssh_config man page...

Re:Depends on where you work.

[Rophuine]

Yes, v2 only. Then again, if you're relying on v1 for security, you're doing it wrong.

RekeyLimit Specifies the maximum amount of data that may be transmitted before the session key is renegotiated. The argument is the number of bytes, with an optional suffix of 'K', 'M', or 'G' to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between '1G' and '4G', depending on the cipher. This option applies to protocol version 2 only.

4G is a LOT of data to have compromised. Thus, sign out (or change your rekey limit, if your client supports it).

Actually, even if I set it to 1% of the lowest default, it would take a great deal of terminal traffic to force a renegotiation. Given the additional attack vector you introduce to the server (just compromise the always-connected client), and the fact that you're telling everyone between your client and the server about this vector with your traffic... You have a great point, but my advice stands. Sign out.

risk assessment

Assuming there is no publically known exploit, the only other risk assessable item is a theoretical unpublished exploit against the protocol. Without any evidence to support the key-exchange being the weak point, it must then be considered that any point in the system could be weak.

If the initial one-off exchanges are exploitable, then you should minimise connections to minimise the number of theoretically exploitable packets.
If the on-going packets are exploitable, then you should minimise total amount of packets set over time, by minimising packets set over time.

Since leaving a session running sends more packets overall ( keep alives, etc ) , it would make sense to terminate your connections unless doing it frequently. the mathemeticians out there can determine the precise number of packets in a session initialisiation, and in the keepalives, and determine the official "point of minimum packet use".

Just remember this: you can't get hacked if you are not connected.

Jesus Fucking Christ

No way in Hell I use WinXP. Fuck That.

GNU Screen

[jamesswift]

For search engine friendliness its best to call it by it's full name, GNU Screen.

OK, I grant that you did say "theoretically", but

[Medievalist]

If the DH key negotiation is compromised, then the attacker may be able to passively sniff the keys and all the data that follows.

If somebody manages to crack DHE this guy's home server security will be the least of our problems. The algorithm is pretty straightforward.

tag: youarentthatimportant - WTF?

[wvmarle]

Come on people what is this? Tagging such a story where someone asks about some security where some obscure attack may be possible and then tagging it "you aren't that important"?!

This is the same messageboard that wants https for everything, even for this board.

This is the same board that seems to hold privacy above all.

And on top of it, it is full of nerds that tend to love to go into this kind of obscure detail.

And then tag it "you aren't that important" implying "what are you worried about", or with a little further stretch "you have nothing to hide, so don't bother". This is quite ridiculous.

To me I am the most important person in the world, and I would like to live safe and secure. The poster is likely the most important person to himself, and he also wishes to live safe and secure. I wouldn't go as far as poster does, but that's besides the point. He does want to go this far, and has a genuine question that many may consider over the top for personal security but which may have consequences for entities that are under constant attack, where any minute attack vector may mean the difference between safe and 0wned.

"youarentthatimportant" is the worst tag I have ever seen. It's denigrating at best. It's stupid, and shows lack of respect for other people. I may hope this was intended as a joke and a joke alone.

Re:tag: youarentthatimportant - WTF?

[BitZtream]

This is the same messageboard that wants https for everything, even for this board.

Really? My url shows http:/// for slashdot.

And on top of it, it is full of nerds that tend to love to go into this kind of obscure detail.

Which is why it has multiple tags, not one. Its also why there are a bunch of posts to this story stating/arguing/comparing the various features and possible ways that it might go bad. The tag didn't change anything from happening, it just provides additional, potentially useful metadata for the future.

The metadata is human provided and human re-enforced metadata that even when its wrong, almost always turns out more useful than anything machine generated. People often search for the wrong then only to be educated along the way as to what they really should be looking to find. 'bad' meta data like this has helped me find more on search engines than anything else, when a tag shows on the front page its because its popular with the people viewing the content, meaning that if I'm looking for that type of content, I'm more likely to use that term (maybe not in this specific case I'll admit) for my search, even though it is clearly incorrect for what I'm looking for.

The art of searching, with the help of metadata is more often than you would imagine facilitated by 'incorrect' or 'bad', plain and simple. This particular bit is entirely unlikely to hurt anyones search anyway.

I know I've searched for 'aren't that important' and 'isn't important' in direct relation to cryptography, this tag may actually have helped me.

And then tag it "you aren't that important" implying "what are you worried about", or with a little further stretch "you have nothing to hide, so don't bother". This is quite ridiculous.

It implies a 'from a practical standpoint, it doesn't matter what you do'. He isn't that important, if he was, he wouldn't be asking. Yes, thats an annoying way to look at it, but thats reality. Now he may be asking for purely informative reasons, in which case, everyone is still giving him the answer, so the tag doesn't matter.

It's denigrating at best.

I guess I'm stupid, but what? Okay, so I looked it up, but really, are you going out of your way to use rarely used words?

It's stupid, and shows lack of respect for other people.

Yes, calling someone stupid and disrespectful for being stupid and disrespectful makes perfect sense, you are truely my hero.

I'm all for calling people stupid, retarded, not that important or whatever when the shoe fits, but in most cases (and I'm making an exception here) I try not to do the exact same thing as the guy I'm calling stupid WHILE I'm calling him stupid. I like you though, so ... god your post was stupid.

Re:OK, I grant that you did say "theoretically", b

[mysidia]

They don't have to crack DHE in general, all they need to crack is diffie-hellman-group1-sha1.

Since a fixed DH group is used, this could be attacked through precomputing many values for the discrete logarithm.

If the key negotiation happens to fall into one of the precomputed values, then that session is in trouble.

VPN/Tunnel

[inhuman_4]

If you are really worried about having an insecure link you could try creating a tunnel or VPN between the two machines. These can be long term connections setup indefinitely and have provide their own layer of security. Then just make sure you SSH through the VPN/Tunnel to get back to the server. This will protect your hand shaking between the two systems.

Also be sure to have you private/public keys setup. For ease of use they do not need to have a password (although they can), which is handy for using scp.

However this seems like overkill to me. I am in a similar situation where I SSH home, but because I am a small time home user I find the security provided by SSH and private/public key encryption good enough for me.

Re:VPN/Tunnel

[1s44c]

If you are really worried about having an insecure link you could try creating a tunnel or VPN between the two machines. These can be long term connections setup indefinitely and have provide their own layer of security. Then just make sure you SSH through the VPN/Tunnel to get back to the server. This will protect your hand shaking between the two systems.

Protect your ssh handshaking from what exactly? This is a pointless step that will reduce bandwidth without adding any extra security.

Also be sure to have you private/public keys setup. For ease of use they do not need to have a password (although they can), which is handy for using scp.

Or why not just use password authentication and write the password on a post it? This guy wants to increase his security not waste CPU cycles and bandwidth and not reduce his security.

There is no answer..

[invalid216]

In my opinion there is no answer to this question. Both scenarios are subject to an equal amount of risk. The most important thing is securing the workstation itself. If done properly, the risks of staying connected or re-connecting are self-canceling. Do what is most convenient for you, just make sure your workstation is as secure as it can be.

Re:See, I made a new word

[gnapster]

...google.nl/...

But that's in Dutch. He meant a new word in English.

Re:better question:

now if only kevin rose were to fall in that grave :(

Re:Restarting makes traffic analysis a little easi

Davis

I would say

that stay connected is more secure that start connection again. Why is that? Well in any case when you initiate a connection then you do several things (DH) and also... stay connected. And well then there are more points were things could fail. If you stay connected too long and for example you are using blowfish and transfer more than 2^64 bytes (2^128 for AES) there is an attack that abuses that. Anyway you are unlikely to transfer that much and the connect/reconnect security should be high enough to not worry about that kind of stuff.

i would say

that stay connected is more secure than start connection again. Why is that? Well in any case when you initiate a connection then you do several things (DH) and also... stay connected. And well then there are more points were things could fail. If you stay connected too long and for example you are using blowfish and transfer more than 2^64 bytes (2^128 for AES) there is an attack that abuses that. Anyway you are unlikely to transfer that much and the connect/reconnect security should be high enough to not worry about that kind of stuff.

More info?

[Wovel]

How could anyone really answer your question without knowing the value of the servers you are logged into? If the servers you are connecting to are in a secured bunker and you are leaving the connection open from your house while your not there and the data is something valuable enough for some to break into your house.. Well then no, you should not leave the session logged in. In general it is a bad idea to leave a connection you are not using logged in. If you are locking your workstation (you did not say), than maybe it is still ok.

Keep strict host key checking on and just log out when you are not using the box. If the key changes and your not expecting it, either someone has already broken into your server, your DNS server (on either end), or it is time to talk to the isps on the endpoints and find out which one is out to get you. The "big bad" Internet is the least likely place for you to have a security problem, it is simply too unpredictable.

Re:OK, I grant that you did say "theoretically", b

[Medievalist]

They don't have to crack DHE in general, all they need to crack is diffie-hellman-group1-sha1.

Nah, the original question says the guy is using puTTY and OpenSSH. They both implement RFC4419.

One-time pad purveyors ...

[taniwha]

we already have a great structure for the distribution of OTPs .... trillions and trillions of bits distributed around the world. We call them record stores - by the same CDs, rip them and use the LSBs

Solving the wrong problem.

[1s44c]

I use OpenSSH to connect to my Slackware Linux boxes remotely from Linux and WinXP (putty.exe) clients.

You are fixing a non-problem. You should be fixing the weakest point of attack first, that being the windows machine you are connecting from.

Re:Restarting makes traffic analysis a little easi

[1s44c]

Here is a better idea, do not open ssh to the world. Make them vpn in first, then ssh. Security in layers.

There is little to no additional security in that. The problem isn't getting cracked from the network it's getting cracked on your client machine.

Keep SSH connected.

SSH exchanges new session keys ones in a while (every hour?). So you are no more at risk just cause you keep connected.
Program that figures out session keys, need a lot of network packages. The less you send (during the use of one session key) the less they can get.

Private/Public key is not unsecure and the handshake is safe. No one will hijack you connection if you are careful about how you distribute your keys.
*Do not only use Password Login, if you want to be secure*
*Do not have a guessable password on the server you want to connect to*
*If possible turn off SSH password login on server*
It is possible to dictionary hack a password, SSH or not.

Connect fewer times also means that you are less exposed to SSH errors in the login procedure (think: Root user replaces SSHD).
You also expose your KeyStore password lesser times on your own side.

For starters, can putty

[gujo-odori]

Not that there's anything wrong with putty per se (AFAIK), but the underlying platform is a concern. Sure, putty will send everything over SSH back to your Linux boxes at home, but there is more than a little malware these days that logs your keystrokes, something against which SSH cannot protect you. I would only log into the home machines from your Linux machine at work, and even then only if root belongs to you. It's unlikely your employer would be using keystroke loggers, but they could; it's not illegal if they tell you, and maybe not even if they don't. The usual boilerplate in network access policies could be interpreted to mean everything from log scanning for anomalous activity to recording everything you do.

Next, set up public/private key login and don't allow password login. I do this even within my internal network, and there are no Windows machines on it. At work, where Mac, BSD, and Linux are the majority of the boxes, of course I do it too. Those boxes may be fairly secure and there aren't a lot of Windows boxes on my part of the network, but not trusting any box you don't control is a good idea.

As far as the connection duration, I'd leave them up all the time unless there is some other operational need not to.

said a different way...

[Youngbull]

"Is it safer to stay in the car, or is it safe to go outside? Like many of you, I use a car to go to work and whatnot. At home and at work, I wonder if it would be safer to just stay in the car then going outside. Is it more secure to lock my car with a key (big bad parking lot) where people can come up and steal my keys, or is it more secure to just remain in the car? I use my car 1 to 4 times per day, most days." On a serious note; when you have used so much time to secure your connection why not used now and then.

getting your name on /.

Seriously, is this really a question or just wasting everyones time. I *know* you want to get your name on slashdot but at least come up with something constructive to ask.

In other news, I just had a shit, is it safer to wipe or air dry??

NONSENSE

[BugHappy]

"Is it more secure to re-establish the connection or to just remain connected? I connect 1 to 4 times per day, most days."

Since you make new connections on a regulary basis the question does not makes sense: either way, your encryption keys are likely to be known in advance by your opponents (even before you start a new connection). If you have anything worth being protected, start questionning yourself about the very simple steps you are following to transmit your data (and where it made sense for opponents to dig into).

Why hosts.allow?

[Bert64]

Why use hosts.allow? isn't that a rather old and crufty way of doing it...
How about using iptables rules to allow certain hosts instead, that way someone who isn't authorised to connect won't even see the ssh service port open and won't be able to cause load on your machine by repeatedly trying to connect.

Edumacation

[Fizzl]

Read the big red book "Applied Cryptography: Protocols, Algorithms, and Source Code in C". http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/ref=sr_1_1?ie=UTF8&s=books&qid=1265363727&sr=8-1 Highly recommended to anyone who uses public key encryption or needs to implement VPN's, mail encryption or tunnels.

In essence, no it doesn't make any difference. However, if for example you application would communicate short commands often through public key encryption it would be more economical to use persistent connections instead of making new connections all the time. Key generation is Expensive.

Also, in you situation, just use screen.

How in the hell does retarded 'ask slashdots' make the front page, but not my submission of http://itpomminpurkaja.blogspot.com/2010/02/css-anchor-pseudo-class-concerns.html and http://www.fizzl.net/ for which I actually expended some effort to create.

Re:Edumacation

[EvilIdler]

Did you really think this was retarded? I didn't think it was retarded. Besides, as probably 50 other posters have pointed out, this had nothing to do with screen or not to screen a program! In fact, your reply could be construed as retarded.

Re:Edumacation

[Fizzl]

Well, as a on-native speaker I tend to use stronger words than I actually mean. Perhaps "useless", "worthless" or "pointless" would be closer to what I had in mind. I'm just so bloody frustrated by the quality of discussion in /. nowadays.

In fact, your reply could be construed as retarded.

Don't waste your :word:s. Simple "NO U" will do. My post first gave a concise answer to the question asked and only after that attacked the inanity of the original "article".

Here's a car analogy: If there was a /. for car mechanics, wouldn't many of the experienced mechanics be annoyed by a post asking something trivial which should be obvious to even the common operator of a vehicle? "Hi, there's a yellow "check engine" light on in my dashboard? What should I do?"

use vpn and ssh over the vpn

I run a Gnu Virtual Private Ethernet and change the host keys every 2 weeks. And 90% of my ssh sessions go over the VPN.
For access outside of my vpn I run ssh on non standard port and change that regularly too.
Also you may opt not to use password authentication for ssh.

Re:Reconnect.

It does use the OpenSSL library for crypto implementation, which is maybe why the GP is confused, but as you rightly say it does not use the SSL protocol.

Man-in-the-middle?

[Roger+W+Moore]

You seem to have concentrated entirely on breaking the encryption. However, if we assume that this is hard to do (which your post seems to indicate) doesn't continuously making new connections put you more at risk of a man-in-the-middle attack whereas an already established connection cannot be interfered with in this way without first breaking the encryption?

Re:Man-in-the-middle?

[MoralHazard]

Your concerns are irrelevant, here. SSH fingerprints make man-in-the-middle attacks effectively impossible, as long as the user doesn't habitually ignore the (rather obvious) messages and errors when keys change. I don't know about you, but I have a hard time glossing over a message like "KEY CHANGED--SOMEBODY COULD BE TRYING TO BREAK IN!" and the subsequent error.

The initial "unknown key" error message isn't quite as loud, and lots of people don't bother validating key fingerprints, but that doesn't matter because initial connections aren't the scenario we're discussing, here. Whether the use decides to make new connections or keep existing ones open, he's already approved the key fingerprints during a previous connection.

One-time pads: the caveats

[LinuxParanoid]

I've been thinking this same thing (using USB keys for a OTP, and "why don't we do that?") for a couple years now, but 10 minutes after reading your post, the following problems/"considerations" with the USB OTP approach did start to enter my mind:

1) I can see that with a big 2TB pad, you'd also want/need to cycle through pads... the longer you keep the same pad without destroying it, the more data an attacker can get with rubber-hose cryptography if they recover your pad... by coming to your(or his/her) house with a gun and ripping the USB key off your neck. Or seizing it when you/they travel.

2) Also, the other trouble I can forsee with OTPs is that you need one of them for each person you need to communicate with securely. Typically if you are doing something needing this security, you are not doing it with just one other person... you also need to communicate with multiple parties. Once you have 5-10 parties to communicate securely with, the OTP can get a little cumbersome. Carrying around 5-10 USB keys and keeping them straight? And I can't envision it working with 200+ counterparties (a USB-OTP-for-the-web scenario). If you partition your 1TB USB into, say, 10 parts, one for each counterparty, you still have problems. You still need to get 1/10th of that USB key to each of the other parties without giving them the other 9/10ths of the key. (Or your whole gang could use a set of the same 1TB keys and you are trading off convenience versus chances of an informant/leaker, and if you're paranoid enough to be using 1TB OTP, why make that tradeoff?) And don't the counterparties need to communicate so they need their own web of keys?

3) There is the little problem of USB-PC security: wouldn't putting the USB key in a PC expose your whole OTP to the perhaps-infected PC? How does this actually work?

One can see that subversion-resistant secure random number generation, secure transport, and secure key usage, and secure key destruction are all required to make OTPs actually secure.

I predict someone will attempt to market USB one-time pads within 5 years as a sort of snake-oil bandaid, and I can see a distant future where they get used, but I don't see them becoming used widely/securely particularly soon. (Disclaimer: bank tokens that give you 5-digit codes for authenticating transactions do make a lot more sense to me however and might be one targetted use of this technology.)

    --LP

P.S. I have not read the security literature on one-time pads. Forgive me if I'm stating the obvious.
P.P.S. I was kind of stunned last week though when getting a mini-SD card for my phone that I can, for $50, get something that is literally the width/length/thickness of my pinkie fingernail that contains 8GB.

Re:One-time pads: the caveats

[StCredZero]

I have not read the security literature on one-time pads. Forgive me if I'm stating the obvious.

You should be asking for forgiveness for being totally clueless. You can't reuse a one-time pad. The whole point of a one-time pad is that the Unicity Distance is the same as the length of your whole freaking message. If your OTP is truly random, trying to decrypt a message n-characters long is basically the same as taking a wild guess at what n-character message got sent. How do we know that the OTP contained the random numbers to XOR the cyphertext back to "Hello" versus "LuvYu"? Unless we recover the OTP, there's no way to know!

But as soon as you reuse a OTP, you open it up to all sorts of analysis, which I'm not going to try to clue you in about. Look up Vigenère cipher and start reading there.

Re:One-time pads: the caveats

[LinuxParanoid]

Actually none of my comments were meant to discuss re-using a one-time pad. I'm not sure which of my comments you're referring to, but perhaps you are thinking of my comment about splitting a 1TB one-time pad into 10 components, each for use with one of 10 different parties. That's not re-use. Otherwise, I completely agree with your comments that using a one-time pad multiple times is, by definition, no longer a one-time pad and has much different security properties.

    --LP

Re:See, I made a new word

[MRe_nl]

LOL
All the results are in English as you might have noticed, the .nl is just me.
I'm actually interested in languages and new words...

What you really need

[morgauxo]

Is a really long RS232 cable. Stretch it between your home and work.

Re: your vs you're

[newdsfornerds]

You're comparing oranges and orangutans.

most of us carry RNGs

[Sloppy]

I'd like to know how you will surmount the problem of creating the pads in the first place.

When you talk about generating 2TB of pad, I gotta admit, that sounds formidable. But it's a question of quantity/time. Generating numbers is easy; I just don't know how long it would take to come up with 2TB.

Many of us walk around every day, carrying a device that contains a radio antenna and microphone. It probably has a SSD, and maybe has an accelerometer. It passes through yogsothoth-only-knows-what environment, constantly filled with each person's totally unique mundane minutia and perspective. Your best-funded worst enemy has no chance of recreating that. Gathering entropy is easy, it's just a questions of bits per day.

Re:Restarting makes traffic analysis a little easi

[marcosdumay]

Want a still better idea? Keep ssh open, but forbid passwords.

Voila! No Chinese computers accessing your network, and you still have a secure channel from the outside.

I don't understand why the BSD folks still think the default configuration of ssh is secure enough. Inertia, maybe, or backward compatibility?

Re:OK, I grant that you did say "theoretically", b

[borjonx]

these aren't home servers - these are production servers at work. they're in the data center, so i ssh to them, weather i'm at work or home.

always logout

Answer: Safer to logout and re-negotiate SSH when you return.

Reason: SSH authentication negotiation is secure.
Reality: Physical access to your desktop is the primary concern.

Also:
1) setup a personal security policy. Some examples are:
- never know the SSH passwords. Use long random passwords and secure these locally with a strong passphrase (memorized).
- setup a rotation schedule for your SSH keys passphrase
- set your screensaver to "lock desktop" when it starts
- always shut your PC off at end of day (flush raw keys from memory with no exceptions)
- always logout (not just lock screen) when you expect to be away from your PC longer then bathroom/coffee tasks.
- always lock the screen when you step away for those short period breaks (bathroom/coffee)
- setup more then one account for personal vs business. This way you can do less secure things on the personal account which has no access to your SSH keyring.
- determine and follow a new password minimum criteria (like: must be at least X chars, needs alpha & numeric, etc)
- keep backups of keys and passphrases in a very very secure place (consider a lock box)
- never attempt to access these machines via SSH from a Windows box (these are known to be insecure and new malware is known to go undetected for months). There is no guarantee of security no matter what steps you follow.

2) Depending on the physical security of your work environment:
- install Linux onto a fully encrypted Hard Drive (luks works well with Debian and can be setup on install with some distros by default)
- install user home directory encryption (ecryptfs works for me).
- use 'shred' instead of 'rm' when removing old keys/passphrase's etc.

* the reason to do these steps is to provide peace of mind in cases of physical theft.

Reasons to leave SSH connected:
1) it is faster to leave these SSH connections open when you later want to access them. But generally, if speed has higher priority then security for your clients... then why even worry about asking your post? I assume this is not true for you, so just don't do it. It IS worth a little extra time to do things securely.

Re:See, I made a new word

Parent isn't a troll, it's off-topic, like me.

Idiot mods. See, now I'm flamebait, somewhat informative and just a little redundant. If I were a little cleverer I even might have made troll rank. To summarize, you're really being too kind to the parent.

Re:xkcd, because he asked

[snowgirl]

http://xkcd.com/538/

Re:xkcd, because he asked

[JWSmythe]

    Most appreciated. Thank you. :)

MITM vs replay

[midom]

One needs to stage man-in-the-middle attack to hijack existing session, whereas broken handshake can be used to establish new connections. Not looking at crypto-analysis, keeping connections open is much more secure ;-)

Defeat via Email

[Roger+W+Moore]

I don't know about you, but I have a hard time glossing over a message like "KEY CHANGED--SOMEBODY COULD BE TRYING TO BREAK IN!"

Even if you received an email beforehand coming from your sysadmins indicating that they had installed a new version of SSH and because the key had changed so don't worry about any warnings. If they can manage a man-in-the-middle attack then faking an email will be trivial.

Wrong...

The answer to the question is simple. If you have a session established, it can be attacked. If you don't have a session established, it cannot be attacked.

If your clients use it when they need it and turn it off when they don't, they're minimizing the attack surface. If an attacker can detect an ongoing, always-on ssh session, then he can apply any potential techniques and resources that he or his backers have. If he has to wait for a session to appear and once a session starts, he has a limited amount of time to act, that limits what he can do.

References:
(basic security design, "minimize your footprint")
Tzu, Sun. "The Art of War"

You should reconnect.

[Medievalist]

In which case my original statements still hold.

If you maintain a connection when you are not physically present you have downgraded your security to nearly non-existent. Your unattended computer is not secure if it is powered on. It is vulnerable to physical attacks and to zero-day exploits that it would not encounter if it were turned off when not being used.

If you make a fresh connection to a host that you have already got the host keys for - that italicized clause there is what protects you from man-in-the-middle attacks - you are making a Diffie-Hellman key exchange which is not crackable by sniffing and cannot be brute-forced in real-time. A fresh connection is vastly, fundamentally safer than an unattended computer, even if your computer is locked in Superman's Fortress of Solitude.

If you aren't familiar with how DHE works, you should check it out. Very elegant and simple.