Slashdot Mirror
Keep SSH Sessions Active, Or Reconnect?
borjonx writes "Is it safer to log out of an SSH session, and re-establish it later, or just keep the connection open? Like many of you, I use OpenSSH to connect to my Slackware Linux boxes remotely from Linux and WinXP (putty.exe) clients. At home and at work, I wonder if it would be safer to just leave the connection open (my clients are physically secured, the servers limit connections with hosts.allow). Is it more secure to re-establish the connection over an insecure link (big bad internet) where people can sniff that handshaking, or is it more secure to just remain connected? I connect 1 to 4 times per day, most days."
Is it safer to log out of an SSH session, and re-establish it later, or just keep the connection open?
Breaking the crypto is almost assuredly not the weakest point in your connection. I'd stay connected, since by far the biggest danger is user errors: you accidentally connecting to the wrong serves, ignoring a cert change alert or something else boneheaded.
Assuming you're not using SSH1, the client and server should periodically regenerate session keys, so it's not like you'll be encrypting vast sessions with just one key (not that this is likely to be the biggest point of failure in your system even without re-keying).
rage, rage against the dying of the light
Just drive a blue car if you want it to catch on fire, you mean. The ONLY time I have ever had a car catch on fire it was blue.
This is the wrong place to ask. I doubt we'll get a single response from a person on the cutting edge of cryptanalysis who can give you a meaningful answer on the relative strength of Diffe-Hellman vs AES, which is what your question comes down to.
Realistically, it makes no difference. Both mechanisms are highly secure, cutting edge cryptographic systems. I doubt that either have been broken by anyone. If there is someone powerful enough to break those systems *and* keep the discovery secret, they're waaay above the league where they'd be interested in your SSH connections. That is, unless you work for the military of a major world power and are known to be transmitting valuable intel.
The ability to secretly break DH or AES would be such a huge weapon that they wouldn't use it unless the stakes were high enough to risk losing the advantage if their capability were detected. Somehow, I think your connections to your servers aren't that important.
I hate printers.
What gives you the impression that the key-exchange in SSH is vulnerable?
Answer: The key-exchange is not vulnerable. However, there is an issue the first time you connect to one host from the other. That initial message that most people ignore is a possible MITM (Man in the Middle) avenue a cracker could harness.
Example message:
While giving the password to the remote server for authentication may be secure, unless you've verified that fingerprint, you don't know to whom you're talking. That is, when you connect the first time, and you blindly accept that fingerprint, if it's a cracker, you are literally typing your password to the rogue machine (that would then turn around and log in "as you" to the real machine).
Ideally, you would to verify that fingerprint with a version you get through alternate, presumably secure, means. E.g. an over-the-phone conversation with an administrator, or physically accessing the work system and writing it down, or (temporarily) connecting directly to the server with a cross-over cable.
This is the wrong place to ask. I doubt we'll get a single response from a person on the cutting edge of cryptanalysis who can give you a meaningful answer on the relative strength of Diffe-Hellman vs AES, which is what your question comes down to.
No, it doesn't.
Currently, the relative strength of both of those is "much stronger than the chance of some kind of user screwup". Something like typing a password and "enter" into the wrong window, connecting to the wrong server, being tired and cranky about having to get work done and so ignoring a KEY CHANGE warning, etc is far more likely than an attacker breaking AES or Diffie-Hellman to get to your data.
So, do what you can to minimize the chance of user error. To me, that probably means stay connected (I'm willing to be persuaded otherwise, though, whether in general or for particular work patterns).
rage, rage against the dying of the light
Like many of you, I use OpenSSH to connect to my Slackware Linux boxes remotely
If many of us are connecting to your Slackware boxes, reconnecting is not your largest vulnerability!
(sorry, couldn't resist)
Cutting edge cryptanalyst here (PhD in IBE, works for major global security company)
A disclaimer: Conventional crypto is not my game anymore (post-quantum crypto is the way of the future). As any expert will tell you, I am not an expert, but I'll try to shed some light on some aspects of the discussion here.
To begin, we first have to make some reasonable assumptions about the choice of keys in SSH2. There exist known weak primes and weak generators in the DH (Diffie-Hellman) protocol that can be exploited. Assuming the SSH key generator algorithm is smart enough not to choose any known weak primes or generators, we can say the following.
The default OpenSSH implementation uses a 2048-bit prime order field. The security of the DH key exchange protocol is based on the discrete logarithm problem, of which the best known conventional attacks are generally O(sqrt(n)). ie. in laymans terms, roughly equivalent to a keysearch of 2^1024. Quantum computers are another story, but unless you're transferring data that will need to be secure in the order of decades (like you're that important), I doubt you have much to worry about in that regard for a while to come.
AES (the symmetric cipher used in SSH) uses by default 128 bit keys. There are no known attacks on AES better than brute force (ie. on average a keysearch of 2^127, since on average only half the keys will need to be checked before finding your session key). I would say however that there is a far greater chance of someone in the future strongly breaking AES than someone strongly breaking DH. New techniques for attacking symmetric cryptosystems appear all the time (see: Linear cryptanalysis, Differential Cryptanalysis, Impossible Differential Cryptanalysis, Integral Cryptanalysis, Boomerang attacks etc.) whereas DH is based on a very well known and studied number theory problem. Crypto-God Bruce Schneier seems to think AES will be broken in the future, but not enough to allow practical cryptanalysis of traffic.
It's hard to make any definite statements about a comparative analysis of the two schemes, due to the constants (or indeed polynomial terms) of the above complexity statements being unknown. From a purely theoretical standpoint, DH is the weakest link due to it having a better attack than brute force. However, when given this specific set of values to be used, the real-world security comparison is generally seen to be in the favour of DH with 2048 bit prime rather than AES-128. One author suggests Regardless, cycling the session key seems to be free (I can't find any known attacks that use past key exchanges). The SecSH RFC suggests session key cycling after a gigabyte of data, however more often can't hurt.
In short, you don't need to be worried about either DH or AES for a long time to come, but in terms of security, cycling the session key more often than necessary (ie. logging out and back in again) is probably technically more secure. As others have said in this thread however, crypto is very very rarely the weakest link. I'd be looking far more closely at the security of the computers involved than worrying about the crypto being broken.