Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lax SSH Key Management A "Big Problem"

Posted by Unknown on from the we're-all-doomed dept.

cstacy writes "Tatu Yionen, inventor of SSH, says he feels 'a moral responsibility' to come out of retirement and warn that a 'little-noticed problem' could jeopardize the security of much of the world's confidential data. He is referring to the management (or lack thereof) of SSH keys (i.e. 'authorized_keys') files. He suggests that most organizations simply allow the SSH key files to be created, copied, accumulated, and abandoned, all over their network, making easy pickings for intruders to gain access. Do you think this is a widespread problem? How does your company manage SSH keys?" cstacy's summary here is accurate, but as charlesTheLurker notes, the article is a bit over the top: "The Washington Times claims that there's a huge vulnerability in ssh. It turns out that some reporter there has discovered that you can do passwordless login with the software, and has spun this into a story of a dangerous vulnerability. Sigh."

5 of 212 comments (clear)

  1. Passwordless login by Smallpond · · Score: 5, Funny

    I've just noticed a huge vulnerability in keyless entry on cars - you can open the door without a key!

    ** just so we don't have a story without a car analogy **

  2. Re:who is doing this? by sribe · · Score: 5, Insightful

    Who exactly is it that isn't password protecting their ssh keys?

    Anyone who needs services to launch without manual intervention--which is a whole lot of services and a whole lot of people...

  3. Passwords are a worse vulnerability by betterunixthanunix · · Score: 5, Insightful

    I see brute force attacks on passwords all the time; you do not see that with keys. Yes, if you are dealing with an adversary who is organized, well-funded, and specifically attacking you, you should be taking extra precautions with keys (and with many other things), but for most SSH use-cases the adversary is just trying to find the least secure system anywhere on the net, and does not care who owns it.

    So rather than scare people about poor key management, let's scare people about bad passwords -- which is nearly all passwords.

    --
    Palm trees and 8
  4. Re:who is doing this? by kthreadd · · Score: 5, Insightful

    Then I would create a separate key for that service and restrict what it was allowed to do on remote end.

  5. Re:who is doing this? by Anonymous Coward · · Score: 5, Funny

    I always run my backup scripts in chroot environments. I've also found that, as a bonus, they complete many orders of magnitude faster and use significantly less space. Huge wins all around.