Lax SSH Key Management A "Big Problem"

cstacy writes "Tatu Yionen, inventor of SSH, says he feels 'a moral responsibility' to come out of retirement and warn that a 'little-noticed problem' could jeopardize the security of much of the world's confidential data. He is referring to the management (or lack thereof) of SSH keys (i.e. 'authorized_keys') files. He suggests that most organizations simply allow the SSH key files to be created, copied, accumulated, and abandoned, all over their network, making easy pickings for intruders to gain access. Do you think this is a widespread problem? How does your company manage SSH keys?" cstacy's summary here is accurate, but as charlesTheLurker notes, the article is a bit over the top: "The Washington Times claims that there's a huge vulnerability in ssh. It turns out that some reporter there has discovered that you can do passwordless login with the software, and has spun this into a story of a dangerous vulnerability. Sigh."

Passwordless login

[Smallpond]

I've just noticed a huge vulnerability in keyless entry on cars - you can open the door without a key!

** just so we don't have a story without a car analogy **

Re:Passwordless login

[paiute]

I just learned you can gain access to the Library of Congress without being a Congressman.

Re:Passwordless login

[NatasRevol]

Or a librarian.

Or even Nicholas Cage.

Re:Passwordless login

[Sulphur]

I've just noticed a huge vulnerability in keyless entry on cars - you can open the door without a key!

** just so we don't have a story without a car analogy **

You can get in some convertibles without opening the door even if the windows are up.

--

Re:Passwordless login

[davester666]

Yes, that huge gaping hole where the roof normally is...

By not using SSH

We manage this problem by having the office workplace be an offline, local office network. There isn't any connecting remotely through VPNs/SSH, if you're doing work, you come to work to do it.

Re:By not using SSH

[vlm]

What do you use to log in from one machine into another, telnet? Or instead of scp you ftp stuff?

Also I have several boxes where the only way I can run "X" GUI stuff (at home, my mythtv backends) is via SSH X11 forwarding.

Re:By not using SSH

[Smallpond]

What will you do after your office closes due to being less productive than other workplaces?

Re:By not using SSH

What do you use to log in from one machine into another, telnet? Or instead of scp you ftp stuff?

Also I have several boxes where the only way I can run "X" GUI stuff (at home, my mythtv backends) is via SSH X11 forwarding.

None of them are more than ten feet away from where anyone works, you walk over to it.

What will you do after your office closes due to being less productive than other workplaces?

I'm not sure, we only have two customers, both of whom have been with us for over thirty years, and they don't seem to be going anywhere. (it's kind of a niche business)

Re:By not using SSH

[obarel]

Your comments are very insightful to the problems that the article is talking about. Thank you for sharing your experience!

Re:By not using SSH

Your comments are very insightful to the problems that the article is talking about. Thank you for sharing your experience!

I know, I probably seem like a troll, but like I said, it's a niche business, and is security related.

Anything other than physical access, with no WAN capability is not secure enough for what our (admittedly very small list) of customers are looking for.

Re:By not using SSH

[sco08y]

What will you do after your office closes due to being less productive than other workplaces?

It's probably government. And, most likely, 90% of the users just use SSH and don't tell anyone.

Re:By not using SSH

[gmuslera]

If you have to do things between computers in your local network (transfer a file, or execute a process, or whatever), doing it using an unencrypted protocol means that any computer doing sniffing in that network could get both content and access. And a trojan in the desktop of the clueless/weakest link on your network could give from inside access to people from outside.

Don't feel safe because not explicit access from outside, whats inside matters too.

Re:By not using SSH

[profplump]

Either there's a way to get data in and out of these computers -- and therefore the potential for attack -- or the computers are just sitting their twiddling their thumbs. The idea that somehow disconnecting from the big scary Internet will keep you safe is ridiculous; there have been a number of high-profile attacks that did not require Internet access in recent years, and before Internet access was common most viruses spread via shared physical access, not network access.

Re:By not using SSH

Data goes out, on paper, in a box, in the mail. Algorithms go in, hand keyed, with two people watching what you type and signing off with a smart card.

Re:By not using SSH

[nabsltd]

If you have to do things between computers in your local network (transfer a file, or execute a process, or whatever), doing it using an unencrypted protocol means that any computer doing sniffing in that network could get both content and access.

With switches, you can't see any packets unless they are destined for the Ethernet card in the machine doing the sniffing. So, it means that one of computers involved in the transfer is compromised, in which case there isn't any need to sniff the traffic...you just read the file from the local disk. It could be that your switch is compromised, and has been instructed to copy packets from other ports. In that case, encryption over the network would help.

Re:By not using SSH

[sakshale]

And, of course, no one has developed any packet sniffing tools that work in a switched environment......

Re:By not using SSH

[TarpaKungs]

How quaint...

Re:By not using SSH

[arth1]

With switches, you can't see any packets unless they are destined for the Ethernet card in the machine doing the sniffing. So, it means that one of computers involved in the transfer is compromised, in which case there isn't any need to sniff the traffic...you just read the file from the local disk. It could be that your switch is compromised, and has been instructed to copy packets from other ports. In that case, encryption over the network would help.

You don't know how a switch works. It caches the mac address of the remote machines, and only sends out packets on the interface it received traffic from that mac on. The problem is that they trust any mac addresses they see. If I set my ethernet card's mac address to the same as another machine, I will get that machine's traffic until it sends something to make the mac caching switch back.

A typical impersonation attack on a machine on a switch includes a DoS attack to get it to stop sending packages (not really needed, it just makes the job much easier), and then impersonating its mac. It's not exactly rocket science.

Re:By not using SSH

[GNUALMAFUERTE]

ifconfig eth0 hw ether 00:50:56:c0:00:01

There, you just cloned one of my vmware instance's mac.

Trusting your switch is ridiculous. Routing provides true isolation, but still, any real security has to be implemented in several layers. Ignoring the application layer and trusting your network is a recipe for disaster.

Re:By not using SSH

Such a setup is all well and good for HSM/crypto stuff but for nearly every other scenario air gaps just aren't practical.

Re:By not using SSH

[andy.ruddock]

MAC flooding

Re:By not using SSH

[tqk]

... if you're doing work, you come to work to do it.

I have a better idea. I'll work from home (or wherever I may be at the moment) with the plethora of tools I have at my fingertips, not jeopardizing the security of your network. I can do development here with no distractions from you and your fellow lackeys. If I need anything from you, you can mail it to me. If I'm to support your servers instead, give me the email address of a lackey who knows how to cut+paste commands I send him/her into a terminal window. No, you may not have my phone no. I've no need to speak with you. All you need to do is keep the cheques coming. Deal? Take or leave it. Others are waiting ...

Re:By not using SSH

[tqk]

It's not exactly rocket science.

To the vast majority of human kind, the stuff that you and I and people like us consider boring, is rocket science. Which is why you find yourself explaining how switches work/don't work, to geeks.

I often wonder how "regular people" (like my Mom) get through the day having no inkling of how any of this stuff works. Newton and Einstein must have wondered about this often.

who is doing this?

[datapharmer]

Who exactly is it that isn't password protecting their ssh keys? I mean if you choose to press enter shame on you.

Re:who is doing this?

[Skinkie]

Most likely your offline backup script that rsyncs your changes over every night with you sleeping tight.

Re:who is doing this?

[sribe]

Who exactly is it that isn't password protecting their ssh keys?

Anyone who needs services to launch without manual intervention--which is a whole lot of services and a whole lot of people...

Re:who is doing this?

[kthreadd]

Then I would create a separate key for that service and restrict what it was allowed to do on remote end.

Re:who is doing this?

[h4rr4r]

That is what you should do.
I use rssh for something like this all the time and each process has it own user. That takes planning though and people are lazy.

Re:who is doing this?

Also scripts that rdist out updated config files from a central management server - you need the key from the management server on all your servers.

You can do it manually when you have a few servers but when you have a few hundred or thousand you can't. Of course the keys should only be readable by root but if the management server is compromised so is everything else.

Re:who is doing this?

[datapharmer]

Exactly! chroot it, limit ssh by IP and run a second script on the server to do any additional housekeeping (move files/change permissions as necessary and cleanup). You shouldn't allow an unprotected key for an account with access to anything of value on your server. Being lazy isn't an excuse. You can be lazy and maintain security, it just takes a few extra minutes to set it up correctly the first time.

Re:who is doing this?

[datapharmer]

yes, but there are other ways of securing these service accounts and the ssh keys have no business in any location that is network accessible and shouldn't be of danger even if they are (since their access should be very limited in scope).

Re:who is doing this?

[h4rr4r]

You could copy the files to some unprivileged user home dir and have the servers run a cronjob to mv and chown the files as needed. That way if they get the management server all they can do is bork the config files.

Re:who is doing this?

You're obviously doing it wrong. We just put the password in another file, and use a script to handle it.

Re:who is doing this?

[h4rr4r]

Which is why we have things like chroot and rssh. Limiting the scope of the damage is a vital practice with those kinds of accounts.

Re:who is doing this?

Who exactly is it that isn't password protecting their ssh keys?

Anyone who needs services to launch without manual intervention--which is a whole lot of services and a whole lot of people...

noob use an expect script to enter the passwd for you

Re:who is doing this?

[dw]

A nice solution I use for myself (home and work) is to use the ssh-agent distributed with GnuPG. I have an OpenPGP card (http://g10code.com/p-card.html) which holds my private key and cannot be retrieved. The card itself is PIN protected. I don't have to worry about my private key ever showing up in the filesystem or backups.

This works nicely with the -A option to ssh, which sets up a control channel back to the authentication agent on my desktop. I can ssh to server A, then ssh from A to B using my local smart card. If I'm ssh'd to server A and need to leave my desk, I can unplug the card and immediately break the authentication chain.

If I were setting up an SSH scheme in a large organization, this would be my first line of defense.

Re:who is doing this?

[vlm]

We just put the password in another file, and use a script to handle it.

Naah just put the password on the command line. What could possibly go wrong?

(Note, just kidding)

At one point I had at work an implementation looking a lot like the Debian development anon-ftp system... Sure, upload whatever you want, but if its more than 5 minutes old and has no valid GPG signature, then it gets wiped. On the other hand if its got a valid GPG sig, trust it and run it. If you're going to put an anon ftp server on the internet you need to partition upload and download so as not to become a warez site. I suppose if there was a buffer overflow in GPG (or the ftp server, or my lame little wrapper script) I would have been pretty well screwed. Also put some sensible limits on it for ddos reduction.

"Run any script you see, as long as its got a valid GPG sig..." is a pretty simple wrapper. Authenticate the code, not the transfer, more or less. Essentially, a crude DRM system... I wish this design/pattern were more "mainstream".

Re:who is doing this?

[betterunixthanunix]

1. If this is for desktop use, it asks ssh-agent. If it cannot do that, oh well, the backup did not happen and hopefully I see an error message in the morning.
2. If this is for something more general, it is a service that is confined in any number of ways (SELinux would be my preference).

...and on the remote end, whatever the backup script logs in as is confined -- no permissions to do anything other than write a backup.

Re:who is doing this?

[sribe]

Which is why we have things like chroot and rssh. Limiting the scope of the damage is a vital practice with those kinds of accounts.

Yep. And more directly related to the article--not being a dipshit idiot about the key files ;-)

Re:who is doing this?

for backup limting ssh can still help protect u from being rooted - won't help your data though.

Re:who is doing this?

I always run my backup scripts in chroot environments. I've also found that, as a bonus, they complete many orders of magnitude faster and use significantly less space. Huge wins all around.

Re:who is doing this?

[X.25]

Who exactly is it that isn't password protecting their ssh keys? I mean if you choose to press enter shame on you.

It appears that you haven't seen any workplace yet.

Re:who is doing this?

[gmack]

It is not a matter of password protecting ssh keys, it is a matter of deleting obsolete keys from ~/.ssh/authorized_keys when they aren't used anymore. When someone quits or gets fired someone should be going through everything they have access to and removing the keys. They are remarkably easy to forget where they were put as well.

After running my head into this problem one too many times I ended up creating a management system that rebuilds every copy of authorized_keys on each server.

Re:who is doing this?

I hope you're not being serious. In case you are, that is even worse than not using a password on your key because you get a false sense of security from it; if you have you password in a expect script, then it is stored in plain text and anyone who can read your ssh key can likely also read the expect script.

Re:who is doing this?

Woosh....

Re:who is doing this?

[Khopesh]

Who exactly is it that isn't password protecting their ssh keys? I mean if you choose to press enter shame on you.

From the IT policy standpoint, there's no way of requiring that a key has a password. There are lots of people who don't understand (or otherwise care to use) ssh-agent and similar mechanisms, and there are lots of people who assUme that their own systems' security is sufficient and don't realize that it jeopardizes the security of the IT department's systems.

For this reason, there are lots of security-conscious departments that ban SSH key access on any external-facing system.

Re:who is doing this?

I have some things I want done around the house. I have at my disposal:

  1) A powerful and very intelligent robot who will do whatever I want at the press of a button.
  2) An untrusted helper, who I pay $2/day

The solution is simple: I gave my untrusted helper access to program the robot, and now all I need to do is press the button.

Re:who is doing this?

Posting anonymously because this is just too horiffic to get traced back to the company in question...

Here is my tale of the use and abuse of ssh at a major financial institution: We have a bunch of Unix servers that perform various functions, i.e., database servers, application servers, web servers, etc. My job, amongst other things is to do application deployments, troubleshooting, and file managment on the app and web servers as required.

Let's say that I get an alert that appserver1 has a disk space issue. (most likely becuse some developer has decided it's a good idea to be running in debug mode). I can't ssh directly to appserver1, because they don't allow it (my userid is not on the box). However, they do allow me to ssh from 'jumpbox1'. So, I ssh to jumpbox one. I still can't login directly to appserver1 as myself, but I can as our 'admin' user. I also can't login directly to jumpbox1 as 'admin', but I can SSH to admin@localhost once I'm on the box.

Once I'm admin on jumpserver1, I can ssh to the remote box as admin (in some cases, in others I have to know what service accounts exist on the box for the applications that run on it). Now, I'm on appserver1, and I look at /logs and do a 'du | sort -nr | head -20' to show me the biggest hitters on the box. I discover that the application that runs as appuser2 is consuming way more space than it should and so is the application for appuser3. So, I logout of appserver1, which puts me back as admin@jumpserver1. Now I ssh to appuseruser2@appserver1 because I didn't have the ability to 'su' to that user from the admin account on appserver1, nor could I use 'sudo' to do so.

Now, I'm on appserver1 as appuser2, and I go clean up the logs. Once done, I logout and ssh again as appuser3@appserver1 and clean up the files there.

The only time I was prompted for a password during the entire process is when I logged into jumpserver1 with my userid before I ssh'd to admin@localhost.

In what way could the above ever pass an audit? The only time I am identified is when I initially login to jumpserver1. There is no way to tell which individual admins are logged into any given box at any given time.

Also note that at each point, I have write access to the .ssh directory for each user, so I could give myself direct access any time I wanted.

Overall, I'd have to say that I am thoroughly appalled at what passes for 'security' at this financial institution.

Re:who is doing this?

[nabsltd]

I think you are trying to be funny and failed (also I think you are mixing up chroot and /dev/null)

If you chroot, you can't see any files if the aren't in the chroot directory or below. So, if you want to back up /etc, your chroot better include /etc (either as the root or as a subdirectory).

This is why the OP said the backup finished faster...because after the chroot, none of the files that needed to be backed up were visible.

Re:who is doing this?

Then I would create a separate key for that service and restrict what it was allowed to do on remote end.

The problem is how do you manage that policy across dozens of servers or more?

Sudoers is a disaster area, it has has had more than a few parser related vulnerabilities which is scary for a SUID binary. There is no real way to validate a sudo config, so when said vulnerabilities were announced you'd have to write complicated perl scripts with lots of localized assumptions to check for vulnerability. Sudoers cannot be instrumented by Puppet nor Chef AFAIK. No... "cat policy1 policy2 policy3 > sudoers is not instrumentation.

User account management tools for Linux blow chunks, every generic LDAP interface is horrible, there is no standard way of interfacing with user accounting layers past the unusable putpwent so Puppet and Chef have to speak your flavor of LDAP, which they do about as well as generic LDAP tools.

OpenSSH completely misses the boat in terms of key management, no X509 certificate encapsulation and none of the most basic certificate management features such as signing, key expiration, or revocation (think host keys for decommissioned servers that should not be trusted if they are later turned on and forgotten), and not even minimum key size - something it ought to be able to do RIGHT NOW.

If someone comes back with "but but but some other OS does this and that worse" I will personally beat you with an uncooked fish and fart on your pillow. I do not give a rats ass what another OS does, these are basic things an "enterprise" OS should do, and I highly recommend using (thus not paying for) CentOS in the enterprise unless you REALLY need support agreements from your OS vendor. For "private cloud" application server pools, fsck commercial Linux vendors. Nobody is getting a DIME from me for a GNU/Linux OS until they pull their shit together and modernize that decrepit system software.

Re:who is doing this?

if you have you password in a expect script, then it is stored in plain text and anyone who can read your ssh key can likely also read the expect script.

Well, obviously, you encrypt the expect script and put a passphrase on the decryption key. Do I have to explain everything around here?

Re:who is doing this?

Most likely your offline backup script that rsyncs your changes over every night with you sleeping tight.

Then I would create a separate key for that service and restrict what it was allowed to do on remote end.

Did you read the parent's post? How exactly do you restrict an account used for backups on a Linux system? I'm not saying yours is a bad idea, but this was a poor context to use it in.

Backups are a perfectly valid reason for password-less logins, and a really embarrassingly bad case to use for privilege separation in UNIX.

Re:who is doing this?

[kthreadd]

Did you read the parent's post? How exactly do you restrict an account used for backups on a Linux system? I'm not saying yours is a bad idea, but this was a poor context to use it in.

Backups are a perfectly valid reason for password-less logins, and a really embarrassingly bad case to use for privilege separation in UNIX.

If you have to use SSH for this kind of job you can create a separate key especially for this job so that it's only valid in the context of making backups. You can also restrict what you can do on the remote endpoint (OpenSSH has support for that) so that it can only be used for the purpose of creating backups. That means that you can have your main ssh keys encrypted, and still use SSH for automatic backups without having to decrypt the key file.

Re:who is doing this?

[viperidaenz]

... unless you mount the files/directories you want to backup.

Isn't that what mount --bind/rbind is for?

Re:who is doing this?

[tchuladdiass]

You have the client you are backing up push the backups to the backup server via SSH, instead of the backup server remoting into you client to pull the files. This way you can deposit the files into a restricted account on the backup server.

Re:who is doing this?

chroot has a history of being able to be escaped from. Haven't messed with rssh, but I'm sure it suffers the same issue.

The real question is where are these keys being stored that's so at risk? If someone's in a position to snag your key, you're pretty much fucked anyway - because your server has been owned, or your desktop has a keylogger running in the background by now.

Re:who is doing this?

[DarwinSurvivor]

One common senerio is a laptop with a private key being stolen from a car, lost at a mall, snagged at the bus stop, etc. You then need to go to every machine with that laptop's public key(s) (laptops can have LOTS of public keys depending on how it's set up) and remove it/them.

Re:who is doing this?

[DarwinSurvivor]

That's why you mount the target directories into the chroot as READ ONLY.

Re:who is doing this?

you mean like the rsync/rdiff-backup howtos say to? nahhh

captcha: reasoned

Re:who is doing this?

[DarwinSurvivor]

For this reason, there are lots of security-conscious departments that ban SSH key access on any external-facing system.

So what your telling me is that they decided that a password that said user probably wrote on a sticky-note attached to their laptop or saved in a plaintext password is more secure than a ssh private key that MIGHT not be password protected?

If a user isn't going to properly secure an ssh private key, there is no way in hell they are going to properly protect a password!

Re:who is doing this?

[bill_mcgonigle]

That's a good idea. In that case your trust is in the keysigning. I think this is what some folks are missing - a passwordless ssh-key based automatic system is relying on other means of trust. Whether or not that trust is well placed or constructed is a separate matter. An encrypted key-based connection is still a great improvement over older systems.

Re:who is doing this?

[petermgreen]

Be aware that there is a reason that ssh asks for a "passphrase". Encyrption passwords must have much more entropy than login passwords because the only thing restricting the number of attempts the attacker may make is the amount of computing power the attacker has at their disposal.

I bet there are a lot of ssh keys out there with passwords that ammount to nothing more than a false sense of security.

Re:who is doing this?

[Khopesh]

For this reason, there are lots of security-conscious departments that ban SSH key access on any external-facing system.

So what your telling me is that they decided that a password that said user probably wrote on a sticky-note attached to their laptop or saved in a plaintext password is more secure than a ssh private key that MIGHT not be password protected?

If a user isn't going to properly secure an ssh private key, there is no way in hell they are going to properly protect a password!

I've been in IT. I've seen it first hand. These people do understand and have decently secured systems, but trade off security for convenience rather than learning ssh-agent, missing the point that their perceived "minor" security issue isn't as personal as they think and risks exposing things like code trees and proxies to would-be attackers.

My "solution" was to serve on an alternate SSH port, since they also didn't use ~/.ssh/config, so anybody stealing their keys would also have to troll their ~/.bash_history to figure out what the keys opened. I also walked around the office and emailed people with walkthrough instructions for using ~/.ssh/config and ssh-agent/Pageant (PuTTY's agent) on Linux, OS X, and Windows.

Re:who is doing this?

It is not a matter of password protecting ssh keys, it is a matter of deleting obsolete keys from ~/.ssh/authorized_keys when they aren't used anymore. When someone quits or gets fired someone should be going through everything they have access to and removing the keys. They are remarkably easy to forget where they were put as well.

After running my head into this problem one too many times I ended up creating a management system that rebuilds every copy of authorized_keys on each server.

Or, you know, actually simply remove them from the group that has ssh access at all. sshd_config has a remarkable number of options for managing access, and since you can centralize this if you wish (and you should wish if you're large enough to have this problem), removing an account from "sshallowedusers" or whatever group will probably solve this, then it's simply a matter of killing an existing sessions at the firewall, you're done. You have plenty of time to trawl through your systems and remove dead, public keys.

As for losing your private key, we'll assume you just want to be safe but actually are smart enough to have encrypted it properly, you know about key revocation right? I'm not strictly certain you can ask sshd to check a list of revoked keys but I'd frankly be shocked if you couldn't. Again, one step process, done.

Yes, yes, it's all more set up, a penny of prevention vs. a pound of cure and all that: just do it right the first time.

Re:who is doing this?

The problem is how do you manage that policy across dozens of servers or more?

The backup server pulls the data, preferably from a private address over an isolated administrative network. The passwordless private key is only on this server. The user it logs in as on the other servers for ssh/rsync has sudo access for one specific rsync command (optionally make a specially crafted binary to replace the shell) and can only ssh in from the backup server IP. If you're extra paranoid, make a special sshd instance on each machine and firewall its port so only the backup server can connect.

Sudoers is a disaster area

I'm sorry you feel that way. It's better than nothing.

Sudoers cannot be instrumented by Puppet

Say Whaaat? Isn't the whole point of puppet to administer conf file changes?

User account management tools for Linux blow chunks

The one thing I hate about linux is the group management. Nested groups has been a desired feature for more than a decade, but kernel devs seem to think it's superfluous "Just make a flat file and repeat the names, or write a script to generate the flat file"

Re:who is doing this?

[tqk]

Then I would create a separate key for that service and restrict what it was allowed to do on remote end.

"Math is hard." -- Barbie.

Re:who is doing this?

[tqk]

Nobody is getting a DIME from me for a GNU/Linux OS until they pull their shit together and modernize that decrepit system software.

Wow. The dumth! I wouldn't work for you even if you tossed your sister into the deal. Wow. "User Error"^^999999999999999 ...

Re:who is doing this?

[DarwinSurvivor]

You sent out walkthrough instructions? As IT you should know who has access to which servers, just have a script write and install the damn config automatically and call it a day. If an employee shows interest in it, sure, show them how it works. But to send out instructions to dozens (hundreds?) of people explaining how to do what a shell script could do in seconds is just a waste of time.

For that matter, if they can't figure out ssh-agent and .ssh/config, chances are if you just generated their public/private keys with passwords, they'd never bother removing the password anyways.

Re:who is doing this?

[tqk]

You could copy the files to some unprivileged user home dir and have the servers run a cronjob to mv and chown the files as needed.

Yeah ... Where I come from, that's called "a hack." It shouldn't be necessary, it's kind of ugly, and it can be done better/more securely/more robustly the right way.

Alternatively (shocker, I know), they could just learn how to harden their box. Every box I've heard of that was broken into was either misconfigured or running a crap OS, or wizards were intent on getting in. I think the latter very seldom happens. Basic "best practices" security should be all anyone really needs (if they're not running a crap OS).

Re:who is doing this?

So you have your passwordless SSH private key on multiple less-secured clients? When one of them is compromised, your future backups can be overwritten. Or read if you don't restrict the commands the client can run on the backup server.
If you have a secured centralized backup machine, then you can pull from the clients and your SSH private keys will be secure. Still, make sure that the only command that the backup user can use on the client is a very specific read command. It will be far less likely for your private backup server to be attacked than a public-facing client.

Re:who is doing this?

[nabsltd]

Isn't that what mount --bind/rbind is for?

Um, the point is that you can't both make the files available to the backup job while making them not available to anyone who has the SSH key that the backup job uses.

Using chroot and mounting stuff can limit your exposure, but if you want to back up anything sensitive, it has to be visible to the login that the SSH key uses.

Not sure where you work..

[xtal]

Unmanaged keys are most certainly a pretty serious security vulnerability, and I agree - in my experience it is endemic.

Key management - signing, validation, revocation - doesn't happen for free. Everything worthwhile requires effort.

Re:Not sure where you work..

SSH key management is non-existent. Unlike client certificates used in PKI/SSL/TLS, there is no identifying information contained in an SSH key about its owner or creator, only the optional comment that someone may have deleted or edited when adding it to an authorized_keys file. There are also no lifetime constraints on them, so old keys will never expire... they'll just lurk until an admin physically removes them from the authorized_keys files or the owner's private key gets compromised.

Your keys, my keys

[kthreadd]

I've worked at a place where someone thought it was a great idea to mass-add a specific entry everyones authorized_keys, "because then $x would just work". No need to tell everyone of course.

It's not enoguh that you know how to manage your keys. The rest of the organization has to know what's OK and not.

Re:Your keys, my keys

[vlm]

Would have been a lot funnier if they did

cat somekey > ~/.ssh/authorized_keys

rather than

cat somekey >> ~/.ssh/authorized_keys

I suppose that is one way to "solve" the problem.

Re:Your keys, my keys

[kthreadd]

Turned out someone had a cron job that checked certain files for modifications, including authorized_keys. So it was detected fairly quickly.

With great power comes great responsibility, or whatever it is that sudo sais the first time you run it.

Re:Your keys, my keys

[richlv]

just fyi, i found your comment somewhat confusing - probably because of a word you left out :)

i'd guess "entry everyones authorized_keys" should have been something like "entry into everyone's authorized_keys", which then starts to make some sense

Re:Your keys, my keys

[kthreadd]

Correct. The absence of edit functionality is sometimes a bit irritating. Thanks for pointing it out. :-)

Re:Your keys, my keys

Back in around '05 or so, I was a system administrator for a company that is now very large in its industry - possibly the largest. Then it was growing exponentially and was adding servers by the dozen every week. I designed and implemented the process by which a set of virgin servers, when unpacked, rack-mounted and powered on with a network cable connected, would PXE-boot and install our highly customized Linux (RHEL) via kickstart mode. One of the extra RPM packages I slipstreamed into the process contained my SSH public key, which would be installed into /root/.ssh. That is, I automatically had password-less SSH access to every single server installed in any of our DCs. For all I know, that process is still live in the company though I quit that job more than 6 years ago. And I probably still have the corresponding private key with me.

His name is

[LucidBeast]

Tatu Ylönen

Re:His name is

[Nimey]

Bloody sans-serif fonts.

Re:His name is

No need to be so dramatic...

authorizedkeyscommand

In my opinion, this is the interest of the new authorizedkeyscommand. A sample usage is available at http://www.sysadmin.org.au/index.php/2012/12/authorizedkeyscommand/

Inability of server to enforce policy

[linuxtelephony]

The biggest issue with SSH is the inability of the server to enforce policy on the client keys. If I'm wrong, I'd love to be corrected and learn what I've been overlooking.

As it stands, there's no way for the server to reject a key that has no pass phrase, a poor passphrase, or an old pass phrase. Short of over-the-shoulder random audits of users using their keys, there's no way to enforce a policy that sets minimum standards for pass phrases on SSH keys.

To my way of thinking that is one of the bigger areas of risk with and drawbacks of the use of SSH.

Re:Inability of server to enforce policy

[h4rr4r]

If you are that worried about it you could disable the use of ssh keys. No one is going to be guessing the keys anyway, but it is a concern if someone copied one.

Re:Inability of server to enforce policy

[vlm]

Its a mess. In more detail.

The pass phrase never leaves the client, right, so you'd have to magically protect against trojaned client that lies and pinky swears that it really did check.

Or send the passphrase cleartext to the server for the server to test it. That would be bad. Of course if you had a trustable connection between, then you could safely transfer the passphrase to the server for testing, but then you'd already trust the link so it would be pointless.

The solution is after you set up the trusted link you send the passphrase over the link and have the server verify the phrase and dump the connection if it fails.

There's probably some horrible failure mode where if a server is owned then you're really screwed because now it has your passphrase which is probably your gmail password and xbox password and who knows what else.

Kerberos does it (somewhat) better.

Re:Inability of server to enforce policy

[icebraining]

That's because the server has no way of knowing anything about the passphrase unless the client tells it, and no way of knowing if the client is telling the truth, so it would be foolish to include such verification.

Re:Inability of server to enforce policy

[betterunixthanunix]

As it stands, there's no way for the server to reject a key that has no pass phrase, a poor passphrase, or an old pass phrase

There is, however, a way for the server to accept only particular client keys -- say, keys that are known to have been generated on a smart card. SSH can be configured to look for authorized keys somewhere that users cannot write to (a basic centralized keystore), and there is some amount of support for a PKI. You cannot force users to have good passphrases, but you can force them to use smartcards (which is probably better than a passphrase anyway).

Re:Inability of server to enforce policy

[tburke261]

If I'm wrong, I'd love to be corrected and learn what I've been overlooking.

One of the best things I've heard in a while on /. If only every commenter had this attitude!

Re:Inability of server to enforce policy

[DamnStupidElf]

This is basically the heart of the issue. Allowing users to add whatever keys they want (their uncle? Their best "friend" in Russia?) to their own user accounts circumvents the traditional authentication/authorization methods. When employees leave, occasionally their accounts stick around while things get cleaned up (or if they were especially bad and running production jobs out of their home account, they just stick around forever) their /etc/secrets entry gets a * for a password hash immediately but it's not obvious to check their personal .ssh directory and clean up authorized_keys. Especially if that annoying production job happens to use ssh in a non-trivial way. Single sign-on systems are a possible solution. OpenSSH supports Kerberos integration and that may be the way to go for big *nix enterprises.

Re:Inability of server to enforce policy

[shaiay]

The server not being able to force policy on the clients is inherent to the client-server system: If you client is un-trusted, you cannot enforce anything on it.

Unfortunately, while current OpenSSH supports multiple authentication options, they cannot be "stacked" - if you manage to authenticate in one way, you are in.

In my blog I suggest a solution: I show a way to force OpenSSH to ask for a (server based) password after key based login,. This way you can enforce password policy on the server (strong passwords, etc...) with the standard tools, and also require a key. The key can now be password-less.

Shai

Re:Inability of server to enforce policy

[icebraining]

How does the server know the key came from a smartcard?

Re:Inability of server to enforce policy

[nedlohs]

Of course there isn't. The server doesn't see the passphrase and there'd be no point in trusting the client to tell you "oh yeah, there was a huge passphrase, I promise".

Re:Inability of server to enforce policy

The trick is to manage the keys. Issue smart cards where the keys can not be extracted and that require a PIN. Then use only those public keys on the server in a centrally managed key store (like a root owned directory, LDAP, etc).

Re:Inability of server to enforce policy

[GreyWolf3000]

When the smartcard is given a public/private key pair, it registers the public key with a basic centralized keystore. Then the ssh server starts refusing key authentication with any client not trying to authenticate against one of the public keys generated by the smartcard setup process.

Re:Inability of server to enforce policy

What does "rejecting a key that has no passphrase" mean?

A key is a pair of very large numbers. There's a public key and a private key. The public key is what goes in authorized_keys. It's not supposed to be secret - that's it's purpose. The public key doesn't usually have (or need) a passphrase.

The separate private key file doesn't go in authorized_keys. It goes on the client machine. The private key really ought to be stored encrypted and protected with a passphrase. When the passphrase is used, the client uses the passphrase to decrypt the private key and use it.

You're right that the server has no idea if the private key is protected or not, because at runtime all it cares about is does the client know the right really long number.

However, this isn't completely unmanagable. The first step is DON'T LET USERS CREATE AND UPLOAD THEIR OWN KEYS. Make authorized_keys root only. If a new user needs a key, you generate it for them. You encrypt the private key with a passphrase (of your chosing, so you control passphrase stength), put it on a USB key, and hand it to the user. Yes, with the encrypted private key file and the passphrase, the user could in theory decrypt the key and put it somewhere. Make it clear that's against the rules, And, by the way, it would require effort to do this. If you want to get really paranoid, every 6 months generate a new key for everyone (with a new password), distribute on physical media, and then remove the old keys from authorized keys.

Re:Inability of server to enforce policy

[betterunixthanunix]

You are the one issuing the smartcards. When someone needs access to the server, you either give them a smartcard and add the card's public key to the authorized_keys file. In theory, the smartcard cannot export its secret keys, so you know that only a person who possesses the card and correctly entered the pin could be using that key to log in (in practice, smartcards can sometimes back up keys; I would assume that if you need to control client keys, you would not be issuing such cards).

Re:Inability of server to enforce policy

[Khopesh]

There are two (very ugly) "secure" solutions to this.

1. Draconian: The IT department requests the private key, tries to brute force access, then deletes it after a certain degree of failure. IIRC, pubkeys can be generated from private keys without passwords, so it's verifiable. Big snag: the user could remove the password later. As long as the private key is safely and securely submitted (say via an SSL form) and safely/securely stored during the brute forcing, this is as secure as your trust in the sysadmins (and/or your password strength).

2. Policy: enforce via required educational video or similar nonsense plus a legal contract. Best done in physical form since nobody actually pays attention to EULAs and whatnot. Can be combined with Draconian #1 above.

Re:Inability of server to enforce policy

Of course there isn't. The server doesn't see the passphrase and there'd be no point in trusting the client to tell you "oh yeah, there was a huge passphrase, I promise".

You're getting a technical problem confused with a meatspace one.

You're not trying to prevent hackers from attacking you with unsecured keys, you're trying to prevent already trusted users from doing the wrong thing. All you need to do is encourage them.

Same procedure used to prevent sticky notes with passwords written on them. Set policy, train, audit, scold. There's no reason SSH client configuration can't include policies that require pass phrases, which could be managed on trusted equipment. It doesn't have to be iron clad, as long as people can do their work and don't actively defeat measures meant to protect them, it will work.

Re:Inability of server to enforce policy

Its a mess. In more detail.

The pass phrase never leaves the client, right, so you'd have to magically protect against trojaned client that lies and pinky swears that it really did check.

Or send the passphrase cleartext to the server for the server to test it. That would be bad. Of course if you had a trustable connection between, then you could safely transfer the passphrase to the server for testing, but then you'd already trust the link so it would be pointless.

The solution is after you set up the trusted link you send the passphrase over the link and have the server verify the phrase and dump the connection if it fails.

There's probably some horrible failure mode where if a server is owned then you're really screwed because now it has your passphrase which is probably your gmail password and xbox password and who knows what else.

Kerberos does it (somewhat) better.

You are making this way too hard, it's a simple meatspace problem.

Tell people not to do it. Scan for unsecured keys on approved equipment, do not allow unapproved equipment. Take away network access from violators. These are people you already trust to be on your systems, anything that helps them follow policy is fine, it doesn't have to be rock solid.

If you're not managing the remote systems, why aren't you issuing proper, trusted, secured keys to clients, with expiration dates and the ability to revoke them, centrally? The possibility that they can go out of their way to store the keys unsecured is why you expire them... This is SSH key management fail, it's a child's toy compared to a centrally managed X509 based system. I get it, no key management is easy, but that should be a choice like self signed X509 certs, not a "feature" like with SSH.

Re:Inability of server to enforce policy

[nedlohs]

That's the client enforcing policy, which is not the server enforcing policy and hence completely irrelevant.

Re:Inability of server to enforce policy

[dkf]

Kerberos does it (somewhat) better.

But Kerberos management is itself a PITA. I suppose it's not too bad within the context of a single organization, but it can't scale larger than that because of cross-domain trust problems. (Large organizations often internally organize themselves into multiple smaller organizations that are usually at loggerheads with each other over something stupid. Or the budget allocation.)

It's important to remember that the main problem with SSH is that it allows authentication via password by default. That's by far the most vulnerable way of doing it, as that login method is subject to frequent attacks in the wild, and it isn't actually significantly easier for users in the first place (local key management software is really rather easy these days). Getting authorized key management across all your servers absolutely right is a much lesser concern in practice.

Re:Inability of server to enforce policy

[DarwinSurvivor]

.ssh/authorized_keys is only writable by the user if you decide it should be. "chown root:root /home//.ssh/authorized_keys; chmod 755 /home//.ssh/authorized_keys" and voila, only root can update your authorized_keys file. Another solution is to change the location of the authorized_keys files in /etc/ssh/sshd_config (or wherever your distro stores the settings) to something outside their home folder.

Re:Inability of server to enforce policy

[DarwinSurvivor]

Gah, stupid slashot formatting. Replace /home// with /home/_user_/

Re:Inability of server to enforce policy

[petermgreen]

Really having a ssh key with no passphrase is much the same as having a copy of your password sitting in a file on your computer. The only way to try and prevent it is invasive scans of all data stored on the client computer and even then you may well miss it if the user obfuscates it slightly.

Re:Inability of server to enforce policy

[petermgreen]

.ssh/authorized_keys is only writable by the user if you decide it should be. "chown root:root /home//.ssh/authorized_keys; chmod 755 /home//.ssh/authorized_keys" and voila, only root can update your authorized_keys file.

Unfortunately it's not that simple. If you do that then the user can't edit the file in place but they can still remove and recreate it. To stop a user changing stuff in their home directory you would have to take away their ownership of it which is likely to break a lot of stuff.

Another solution is to change the location of the authorized_keys files in /etc/ssh/sshd_config (or wherever your distro stores the settings) to something outside their home folder.

This would be the way to go if you want to stop users adding keys themselves.

Re:Inability of server to enforce policy

[turbidostato]

And then the IT team can impersonate the user. Well done, sir.

The IT team should handle authorization, but managing authentication handles must be done by the user himself.

Passwords are a worse vulnerability

[betterunixthanunix]

I see brute force attacks on passwords all the time; you do not see that with keys. Yes, if you are dealing with an adversary who is organized, well-funded, and specifically attacking you, you should be taking extra precautions with keys (and with many other things), but for most SSH use-cases the adversary is just trying to find the least secure system anywhere on the net, and does not care who owns it.

So rather than scare people about poor key management, let's scare people about bad passwords -- which is nearly all passwords.

Re:Passwords are a worse vulnerability

[vlm]

So rather than scare people about poor key management, let's scare people about bad passwords -- which is nearly all passwords.

Hey slashdot does anyone have an implementation where the sshd config would look something like:

PubkeyAuthentication yes
PasswordAuthentication no any/any
PasswordAuthentication yes 10.0.0.0/8

And no, last time I checked openssh could not do that. Either yes or no, no src address filtering.

The closest I could come up with is running two SSH servers on different port numbers and filter at the network level which src addrs can talk to which port.

Re:Passwords are a worse vulnerability

The problem is the public as a whole is already well aware of piss poor passwords and just doesn't care. Key files however can be protected with rudimentary security built into just about every OS out there or with a myriad of more paranoid alternate solutions.

Would you leave your car keys on the hood of your car if you were in an area where you felt it essential to lock your car?

Re:Passwords are a worse vulnerability

you could probably write your own PAM module to let you do this

Re:Passwords are a worse vulnerability

[allo]

why would you want passwords in your lan?
when you need passwords sometimes, when you are on the road with your laptop or at some pc, which is not yours, okay there its useful. But in you own lan, you always can access some ssh-key. So your policy isn't very useful that way.

Re:Passwords are a worse vulnerability

[Qzukk]

And no, last time I checked openssh could not do that

Last I checked, PasswordAuthentication is allowed inside a Match block, so

PubkeyAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/8
        PasswordAuthentication yes

Re:Passwords are a worse vulnerability

[__aaltlg1547]

I find it a useful thought exercise to presume that my computers are under specific, directed attack even though they probably aren't.

Re:Passwords are a worse vulnerability

[Sancho]

You should be able to approximate that using Match keywords in sshd_config.

Re:Passwords are a worse vulnerability

[ArsonSmith]

xinetd can. we launch a separate sshd with separate config file from xinetd with response from only certain ip addresses.

Re:Passwords are a worse vulnerability

[shaiay]

use the Match config file directive:

PubkeyAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/8
PasswordAuthentication yes

Re:Passwords are a worse vulnerability

[vlm]

(years ago) I used to get blasted at home from China IP addrs trying various root passwords. Flooding my logs with failures. Since then I only allow key auth from the untrustable internet. I'd never allow password auth over the internet. Copying a key is not a big deal. Or logging into another machine that I know has a key, etc.

On the LAN, if some clown gets infected and port scanning / password scanning, I can literally walk over and physically take care of it.

Re:Passwords are a worse vulnerability

[Maow]

(years ago) I used to get blasted at home from China IP addrs trying various root passwords. Flooding my logs with failures. Since then I only allow key auth from the untrustable internet. I'd never allow password auth over the internet. Copying a key is not a big deal. Or logging into another machine that I know has a key, etc.

On the LAN, if some clown gets infected and port scanning / password scanning, I can literally walk over and physically take care of it.

This may not be of use to you anymore, but I'll toss it out there: fail2ban.

I use it to ban IPs attempting ssh-as-root on first attempt, ssh login password failures on 3rd attempt. Uses iptables to block the malicious addresses. Works like a charm.

Also has "jails" for Apache-based log failures, such as attempts to access PHPMyAdmin (what ever it's called), which is worthwhile to run just for that, and a host of others.

Re:Passwords are a worse vulnerability

[nedlohs]

If copying a key is not a big deal why do you want password authentication enabled for lan?

Re:Passwords are a worse vulnerability

[TemporalBeing]

why would you want passwords in your lan? when you need passwords sometimes, when you are on the road with your laptop or at some pc, which is not yours, okay there its useful. But in you own lan, you always can access some ssh-key. So your policy isn't very useful that way.

When I first started my current job, we could only login to one server by using an SSH Key. However, you were expected to generate your own key and put in on the server. The only method was to use the insecure FTP (where passwords were allowed) to upload a new authorized_keys file.

A couple years later, the hard disk failed and we had to rebuild the server. Needless to say, the SSH Key requirement did not get transferred. (And no, I'm not the admin; if I were It might get reinstated for logins from the outside our LAN.)

Yes, the SSH Keys provide a useful minimum security check from outside; but there also needs to be a little more flexibility on the inside of the network too. Then users that need the outside access will setup the more secure option, and user's that don't will get locked out (and rightfully so). SSH Keys don't provide much enhancement of security inside the network any way - since the tools could just brute force the password on the key before trying to use it to access other resources (and no security tools will be any the wiser to such an attack).

Re:Passwords are a worse vulnerability

[dopamine5ht]

PasswordAuthentication no Match Address 10.11.3.0/24, PasswordAuthentication yes

Re:Passwords are a worse vulnerability

[detain]

You can add AllowUsers *@10.0.* root@1.2.3.4 in your sshd_config

Re:Passwords are a worse vulnerability

[CRC'99]

And no, last time I checked openssh could not do that

Last I checked, PasswordAuthentication is allowed inside a Match block, so

PubkeyAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/8

        PasswordAuthentication yes

With a note that it doesn't always work:
https://bugzilla.redhat.com/show_bug.cgi?id=869903

Re:Passwords are a worse vulnerability

[allo]

i think (good) password vs. ssh-keys is both okay from the security point of view. But ssh-keys have much more convenience, where you have them (with ssh-agent you type your password only once, agent forwarding, etc.), and passwords are a sane fallback for when you just somewhere and downloaded putty to access your server. another good option for not so trustworthy environments are one-time-passwords. There is a pam module for this, and you just carry a list of 100 OTPs.

Re:Passwords are a worse vulnerability

[TemporalBeing]

i think (good) password vs. ssh-keys is both okay from the security point of view. But ssh-keys have much more convenience, where you have them (with ssh-agent you type your password only once, agent forwarding, etc.), and passwords are a sane fallback for when you just somewhere and downloaded putty to access your server. another good option for not so trustworthy environments are one-time-passwords. There is a pam module for this, and you just carry a list of 100 OTPs.

Any links for that PAM module? Or how the 100 OTP list would work?

Re:Passwords are a worse vulnerability

This may not be of use to you anymore, but I'll toss it out there: fail2ban.

I use it to ban IPs attempting ssh-as-root on first attempt, ssh login password failures on 3rd attempt. Uses iptables to block the malicious addresses. Works like a charm.

I used it but stopped doing so some years back, when botnets had become so huge that every attempt in an attack came from a different IP address. Fail2ban wasn't capable of handling that. What makes it work like a charm now?

Re:Passwords are a worse vulnerability

Actually I disable password authentication completely.
If you can use public key authentication remotely, then you definitely can do it locally.

Re:Passwords are a worse vulnerability

[postbigbang]

I wish more people thought like you do. I protect all hosts like they were real assets or potential vectors for local 10./ infection.

Because they are. Pubic facing? Secure perimeters? False security.

Re:Passwords are a worse vulnerability

[heypete]

I'm not sure about that specific module, but I've found using the Google Authenticator pam module to be really useful. It ties in easily with SSH and allows users to use time-varying OTPs generated using the TOTP standard to authenticate to the system.

It's worth pointing out that although the module is developed by Google, it does not rely on nor communicate with their servers in any way: it's just an implementation of the TOTP standard. One can use their Google Authenticator client for iOS/Android or any other compatible client (I have a J2ME client on my non-smartphone, for example) to generate the relevant codes.

Re:Passwords are a worse vulnerability

I see brute force attacks on passwords all the time; you do not see that with keys. Yes, if you are dealing with an adversary who is organized, well-funded, and specifically attacking you, you should be taking extra precautions with keys (and with many other things), but for most SSH use-cases the adversary is just trying to find the least secure system anywhere on the net, and does not care who owns it.

So rather than scare people about poor key management, let's scare people about bad passwords -- which is nearly all passwords.

WOW. Key management does not protect against brute force attacks, it's to prevent mishandling of keys. You expire them for the same reason you expire passwords, you store them encrypted on permanent storage again for the same reason, you revoke them when they are no longer needed, such as when they are reissued before expiration, the same way you remove the old password hash when setting the new one.

You shouldn't let keys be unmanaged any more than you would let passwords be. SSH keys are like letting users keep their account's shadow entries in their HOME DIRECTORY. It's a boneheaded, lazy, un-unixy design.

Want to set new passwords and keep your old ones, SURE! Don't like the system's local or centralized password lifetime policy, OK!

Re:Passwords are a worse vulnerability

And you can generate certificate ssh keys with buildin restrictions, so you can define a user, host or even how long the key is valid.
So you can validate a ssh key for 4 days or so...

Re:Passwords are a worse vulnerability

[allo]

its called libpam-opie. There are debian packages, and googling finds some howtos. I'm not sure which to link, because some apply on freebsd, others are written in german ... so search for yourself which one works for you.
In the end you get prompted with a seed ((almost) constant per account) and a serial number, and can generate the corrsponding OTP (a sequence of some english words) or use a list of precomputed OTPs.

Re:Passwords are a worse vulnerability

[DarwinSurvivor]

I believe fail2ban can now ban entire subnets, so if you're being attacked from China, just block China's subnet (they of course have many, but you get the idea). I think you can set it up so the first ban is for an IP, if it bans more than X from a given subnet, the whole subnet gets banned (or if you're really evil/smart, redirects to a black-hole machine with no valid logins).

One thing to remember is that for non-scripted attacks (where someone is specifically going after YOU), the instant you ban them, they realize it and work around it by either changing to a new IP or trying a different attack. If you can instead add them to a deny list or redirect them to a black hole, they will continue getting "Access Denied" and not realize their attack has already been detected and dealt with. The more information an attacker has (including "you have been banned"), the easier it is for them to get into your system.

One BIG reason not to tell them they've been banned, is if they reliably get a "banned" notice after X amount of tries/time and then suddenly they DON'T get one (because you forgot a specific attack vector), they suddenly know about know which attack to continue. It's like if midevil armor was invisible but you heard a "tink" every time you hit it. Just keep hitting it in different places until you don't hear a "tink". Now you know where to focus your attack!

Re:Passwords are a worse vulnerability

[DarwinSurvivor]

Wait, so new admins were required to use FTP to add their public key instead of just getting an exist admin to add it for them?

Re:Passwords are a worse vulnerability

[TemporalBeing]

Well, no new admin. New users. The only admin setup the FTP account; I don't know why they just didn't generate a publickey pair at the same time to hand out.

Re:Passwords are a worse vulnerability

[bill_mcgonigle]

https://bugzilla.redhat.com/show_bug.cgi?id=869903 [redhat.com]

Weird, missing comments on that thread.

Re:Passwords are a worse vulnerability

[petermgreen]

ssh can enable/disable passwords depending on the source address put something like

Match Address 192.168.0.0/16
        PasswordAuthentication yes

At the end of your config file (unfortunately match blocks have to go at the end of the config file because there is no way to end a match block other than starting a new one).

Re:Passwords are a worse vulnerability

[Maow]

This may not be of use to you anymore, but I'll toss it out there: fail2ban.

I use it to ban IPs attempting ssh-as-root on first attempt, ssh login password failures on 3rd attempt. Uses iptables to block the malicious addresses. Works like a charm.

I used it but stopped doing so some years back, when botnets had become so huge that every attempt in an attack came from a different IP address. Fail2ban wasn't capable of handling that. What makes it work like a charm now?

If you set it up properly it will stop a lot of attempts on the first try: PHPMyAdmin attempts, if you're not running it / exposing it to exernal IP addrs; ssh-as-root, and more. Ban those addresses for a week or a month. Scan logs for the past month (or year) if unforgiving.

I haven't done an analysis on the failed login attempts by IP to see how distributed they are, but I get a large number of banned IPs at any one time. That means it works.

If you wanted a perfect solution, just do ifconfig eth0 down and you're golden.

Re:Passwords are a worse vulnerability

[TemporalBeing]

This Gentoo one looks like a good one - a forum post, but a good one nonetheless.

Re:Passwords are a worse vulnerability

Bugzilla can hide individual comments (say, if they have private login info in them). It is also possible to mark whole bugs as private.

Re:Passwords are a worse vulnerability

[WuphonsReach]

If you're tired of your log files filling up with errors from dictionary attacks, do the smart thing - get off of the default port. That alone will reduce the number of attacks against your SSH service by 2-3 orders of magnitude.

(Banning by IP address doesn't work. Most attackers now use botnets where each individual bot in the network only attacks your system a handful of times.)

Combine non-standard port with key-only authentication and you're mostly worry free. Unless someone can steal your SSH private keys, at least.

Re:Passwords are a worse vulnerability

[WuphonsReach]

The usual answer is "run 2 copies of SSHD". One that listens on the public address and only allows key-based authentication (and runs on a non-standard port) with a 2nd copy that runs on the internal network and allows password based authentication.

Re:Passwords are a worse vulnerability

Given that the problem addressed by RequiredAuthentications2 is still being worked on by the Portable OpenSSH team (using a completely different configuration directive), it appears that RequiredAuthentications2 probably shouldn't have shown up in RedHat at all. A lesser version of how Debian managed to bork OpenSSL by touching things they didn't understand.

Is your setup secure?

[joelwhitehouse]

Post your 'authorized_keys' file and fqdn here to find out.

Re:Is your setup secure?

[ArsonSmith]

Public keys are just that. What good would that really do for you?

Re:Is your setup secure?

He owns a quantum computer, so he can generate the matching private keys. Duh!

Re:Is your setup secure?

Given that authorized_keys contains public keys, I'd take you up on that offer.

Unfortunately for all parties involved, Slashdot's filter won't let me. Filter error: That's an awful long string of letters there.

I could probably give you the private key as well and still be safe, given it has a pretty strong passphrase, but we'll never know, now, will we?

Re:Is your setup secure?

[godrik]

remember the debian ssh key fiasco. How many people still use some of these not-so-random keys? I agree that posting your authorized_keys should not be a problem. But the least information on your setup out there is the better.

Re:Is your setup secure?

[tqk]

remember the debian ssh key fiasco. How many people still use some of these not-so-random keys?

I boubt very many, if any. As soon as it was discovered, the next thing we saw was an update that forcibly disabled them. I suppose there may be Debian installs out there where apt-get update's never been configured or run, but I don't have much sympathy for them. They may as well be botnet fodder by now.

I remember is as a humbling experience, but educational and nobody died. Trust, but verify.

Welcome to the past!

You, sir, are living in the 20th century.

Re:Welcome to the past!

[tqk]

You, sir, are living in the 20th century.

Possibly, but what if he's supporting PLCs controlling critical infrastructure, which as everyone here screams shouldn't be accessible from outside? Iran's well aware of the damage an insider can do with just a USB key.

ssh is great, but it's not magical and can't solve every problem. xkcd comes to mind ...

Commercial SSH with key management

[blacksuit_uk]

Quite dismayed that the orginal article doesn't start to go down a bit further looking at the commercial SSH solutions with various levels of key management; SSH inc, Dell(Quest/Vintella), Venafi, CA, FoxT and others. They've been doing business for decades, using "improved SSH key management" as one of their key messages, and their target markets are corporates with strong brands, energy companies, financial services organisations and goverments. Would like to see a new survey slicing up the Open SSH and Commercial SSH footprints.

The name is not Tatu Yionen

[TheTruthIs]

It's Tatu Ylonen.

Re:The name is not Tatu Yionen

[TeknoHog]

It's Ylönen with an o-umlaut.

openssh restrictions

[quags]

Sure lax anything is a problem. If you are placing authorized_keys files that are wide open, to a wide open SSH that just sits around for years, ya I see a problem. If done right there are restrictions that can be added in an authorized_keys file

from="IP.address" - set a key to only be able to be accessed by a certain ip
command="some command" - only allow a certain command to be run.

I also feel that ssh should not be wide open if possible. IP restricted by either a firewall, tcp wrappers or AllowUsers in sshd_config.

/. Summary Over the Top RE: Washington Times

So I read the TFA. And while the Times article is a bit on the sensational side, so is Slashdot's characterization. I saw nothing to indicate that "some reporter there has discovered that you can do passwordless login with the software, and has spun this into a story of a dangerous vulnerability"... I did see the reporter speaking to an expert about an obscure, but real, problem and reporting on it. I suspect because that expert raised the issue himself.

All news organizations tend to sensationalize, not just those with which the majority of Slashdot editors and readers have editorial disagreements with, because it sells papers (or airtime or page views). If the Times is to be faulted, it's for characterizing this problem as a 'glitch' rather than a management practices problem in the headline.

Re:be honest fuckers...

[nosubmit]

-1? wtf

Some solutions to key management

#1 "Good Enough" Is "Good Enough":
'AuthorizedKeysFile /etc/ssh/keys/%u'

#2 "Best Practice":
Compile openssh with LPK patch (LDAP Public Key) and use 'AuthorizedKeysFile /dev/null'

Second way is centralized and much more secure.

Our policy

SSH keys for the root account are managed by cfengine/chef/puppet/etc and those are held only by users. Someone quits, all servers have updated authorized_keys in a few minutes. If someone with non-root permission quits then it's just one server that needs to have a user account locked out appropriately.

Servers can ssh into each other for special purposes (eg: remote backups), but not as root. They have to go into an account created just for them where the user's "shell" will do the work on its behalf using sudo where necessary. Sure it's a bit more annoying but it's the Right Way.

And don't forget about a possible authorized_keys2 file! If you're doing custom automation of SSH key management, treat authorized_keys2 the same way you do authorized_keys.

TODO: Key rotation policy for users :-(

Guilty

This article is pretty much about me.

Re:Guilty

[tqk]

This article is pretty much about me.

The first step on the road to redemption is recognizing you have a problem. Welcome into the light.

It's not hard

[geekboybt]

Managing SSH keys for known service accounts is easy with configuration management tools like Puppet, Chef, or Salt.

I'd be glad if they just used some keys at my corp

instead of using easily-guessable passwords :-(

We've used it for backups

[93+Escort+Wagon]

It's not perfect, but - if you restrict where it (ostensibly) can connect from, and you restrict it to a specific command, I wouldn't exactly consider it low-hanging fruit.

Glad I read entire summary

[g0bshiTe]

I got to the end and was thinking all my SSH keys require a password as well. Then I saw the tidbit of some dumbass had one that was passwordless, read epic fail.

Robert Paulson

[TeknoHog]

His name is Tatu Ylönen.
His name is Tatu Ylönen.
His name is Tatu Ylönen...

Use Monkeysphere

Monkeysphere

Forget SSH

[Dareth]

Is he going to run around yelling, "The plane, boss the plane!"

That would be a good reason to come out of retirement.

AuthorizedKeysCommand can police this easily

[Khopesh]

In my opinion, this is the interest of the new authorizedkeyscommand. A sample usage is available at http://www.sysadmin.org.au/index.php/2012/12/authorizedkeyscommand/

Nice! AuthorizedKeysCommand (introduced 2012/10/31) can do exactly what we need: Set up a script that (securely) logs key usage and e.g. deny any key that is older than 366 days (by first use or else filesystem timestamp) and hasn't been used in 90 days or for any user whose last login (regardless of which key) was over 60 days ago, with a list of exceptions (by key, not user).

That's still messier than something that can go right into the authorized_keys file as a parameter, but it would do the trick handily.

It would be nice if OpenSSH could query LDAP

[mridley]

It would be nice if OpenSSH could query an LDAP server for the sshPublicKey field directly. There's a patch that does it, but as far as I know it's not integrated into the main ssh code base that ships with general Linux distributions. Supporting that and then having people use the SSHFP record with secure DNS would be nice additions to SSH best practices.

Re:It would be nice if OpenSSH could query LDAP

[Zeromous]

Maybe i have too much christmas cheer in me still but how on earth would this solve the problem (and not make it actually worse)?

The SSH design is part of the problem

[Skapare]

The SSH design of how keys are actually handled is part of the problem. This design makes things harder for key management. The first is that the ssh daemon wants to only look at one file. It should provide for a way to keep the files separate so it is not necessary to rebuild the authorized_keys file. Have a directory where keys can be stored with multiple keys per file. Provide an option to allow the user to configure which key files are active (choose whether not executable or not world readable is the flag).

Re:The SSH design is part of the problem

hello puppet

Re:The SSH design is part of the problem

[Skapare]

How would that be any better? It doesn't know how to figure out which keys to get. And it still has to rewrite the whole file.

Re:The SSH design is part of the problem

I'd imagine that if a key is unreadable it can't be active (since it can't be used), so... the readable flag? I don't think I'd want to use the executable flag on files that aren't executables.

C'mon you gaybos

Set up a one time password server require otp authentication over PAM so that even if the key is set up without a password you still need to enter the OTP. Added bonus of not having to worry about somebody sniffing your passphrase when you log in from that shady internet cafe while in thailand trying to pick up ladyboys.

I mean seriously, you guys are all a bunch of fucking amateurs!

Mahalo gaybos

what we do

my company deletes them every 30 days

One problem...

I really wish SSH could be made to have some set of CAs (*not* 'the' list of CAs) and do x509 based PKI. Even though the common use (browser curated set of global CAs all with equal power) has serious issues, x509 is a decent strategy for PKI.

For host keys, DNSSEC SSHFP records being more common could help.

In terms of loosely maintained/abandoned user keys, people should probably advocate stronger for things like key agents and agent forwarding. Nearly all the convenience of passwordless usage with significantly reduced risk.

Kerberos 5 is the solution

[utkonos]

Stop authenticating users via keys directly to a server. Use Kerberos v5. This centralizes the authentication to one or a set of servers. You then don't need to clean up key mess everywhere. Once you're running Kerberos you can choose the method of authentication to the central server. You can use password, public key (but only one in this case), OPIE (One-time Passwords In Everything), Google authenticator, RSA securid, biometrics, SRP (Secure Remote Password), or any combination of these to make things 2, 3, 4 or X factor authentication. The sky is the limit, and there's no crazy mess to have to follow up with.

When you need to have things automated, and you must use key authentication, then make sure that the area the key authenticates to is well sandboxed with something like a FreeBSD jail with access to nothing but the resources needed for the remote function to be performed.

This is all using standard practices that are over a decade old (and clearly spelled out in the FreeBSD Handbook among many other places).

Re:Kerberos 5 is the solution

[gwinckler]

I think Kerberos is the right solution for most, but for completeness sake, you can also use SSH with X.509 certs with gsissh (http://grid.ncsa.illinois.edu/ssh/).

X.509 certs are hell harder to manage, but they are safer (compared with ssh private keys), including a mandatory expiration date in each cert. In the end of the day, each user or service has to regenerate it's private key once per year. It's decouple the authentication/authorization problem. But you get some new issues as well...

How we do it

Posting anon since maybe this is confidential but well

OP suggests that "most organizations simply allow the SSH key files to be created, copied, accumulated, and abandoned"

At $WORK, every server has a client cert (http kind) and regularly runs a script that connects to a central server (auth with http client and server cert) to download list of authorized UNIX user/ssh key combos (by user, by department). If download is OK, it overwrites $USER/.ssh/authorized_keys. Central server is tied in to corporate directory so that if somebody gets fired (or gets moved to a department without access to that server) their key disappears from the server(s) automatically. Of course, there is a safeguard so that we can still log in if HR malfunctions and fires everybody :)

We could probably set up some central auth server to be consulted in real-time, but we were scared that that server might be off-line.

The problem is that access to one gives access to

[raymorris]

The prpblem mentioned in the article is that often, a compromised desktop has root access to a server, which has access to another server, and so on. With proper key management, access to (a former employee's?) desktop shouldn't grant access throughout the network. Too often, keys aren't properly managed, so an intruder can go from one machine to another, all over the network.

Tool to sync a bunch of webhosts

[dozer]

I use a tiny script: https://github.com/bronson/sshkeys

Makes the easy even easier.

Ylönen

[Bismillah]

Was wondering who "Tatu Yionen" was...