On 8/24/06, kevin lyda <kevin at ie.suberic.net> wrote:
> On Wed, Aug 23, 2006 at 03:59:56PM +0100, paul at clubi.ie wrote:
> > However the ssh server has:
> > - no control over whether the remote user does or does not protect
> > their key with a pass phrase
>
> ok, yes, but there's a major difference: in general the user's ssh key
> is not accessible directly via the net; the ssh login password is.
>
> if i want to use paul's key to break into server target.com.ie i have to
> go find paul's key. where is that? and once i figure out that it's on
> laptop x that is usually behind a firewall, how do i get to it?
>
> in my mind that's a big win.
Does anyone else remember a story from around 1998 where some guys
setup a linux server exposing only two services, ssh on port 22 and
apache on port 80, and then proceeded with a project to portscan the
If I remember rightly, they pi$$3d off a lot of admins and then
eventually the webserver got hacked.
Upon analysis, it was discovered that someone had traced the client
machine that they connected from, and hacked it, and retrieved the SSH
key file to access the server. I don't recall if the client was
windows / linux.
The moral of the story is, if you're going to use certificate access,
you'd better be sure that it is protected by means other than the
filesystem. And yes, if they do retrieve it, it's possibly only a
matter of time before they crack the password on it unless you have an
enforced password policy, as Paul has pointed out, but clearly there
are extra layers of complexity involved in the attack, making it less
and less feasible through enhanced security.
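As an added example, not part of the original thread: the practical check that follows from the story above is whether a private key lifted off a client box is actually passphrase-protected or is usable as-is. The script below inspects a key file's on-disk format without needing any key material. For the newer "openssh-key-v1" container it base64-decodes the body and reads the cipher and KDF names from the header (an unprotected key records "none" for both); for the legacy PEM container it looks for the "Proc-Type: 4,ENCRYPTED" header that OpenSSL-style encryption adds. The sample keys are constructed inline and contain no real key material; the function and file names are my own, not anything from the original post.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_ENCRYPTED_HEADER = "Proc-Type: 4,ENCRYPTED"


def _read_ssh_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def key_is_encrypted(key_text: str) -> bool:
    """Return True if the private key on disk is passphrase-protected.

    Raises ValueError for anything that does not look like a PEM-style
    private key, so a scan never silently reports a non-key as 'safe'.
    """
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a PEM-style private key")

    if lines[0] == OPENSSH_HEADER:
        # New-style container: the header fields sit in the base64 body.
        body = "".join(line for line in lines[1:] if not line.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, offset = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(blob, offset)
        # ssh-keygen writes cipher "none" and kdf "none" when no passphrase was set.
        return cipher != b"none" and kdf != b"none"

    # Legacy PEM (RSA/DSA/EC): encrypted keys carry Proc-Type/DEK-Info headers.
    return any(line.startswith(PEM_ENCRYPTED_HEADER) for line in lines[1:])


def audit_keys(key_files: dict) -> list:
    """Return the names of keys that are NOT encrypted (the ones worth fixing)."""
    return sorted(name for name, text in key_files.items() if not key_is_encrypted(text))


# --- constructed sample inputs (no real key material) ---------------------

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def build_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed minimal openssh-key-v1 file: magic, cipher, kdf, empty
    kdfoptions and nkeys=1. Enough of the header for the check; not a usable key."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    return OPENSSH_HEADER + "\n" + base64.b64encode(blob).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n"


UNPROTECTED_OPENSSH = build_openssh_key(b"none", b"none")
PROTECTED_OPENSSH = build_openssh_key(b"aes256-ctr", b"bcrypt")

UNPROTECTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "AAAA\n"  # placeholder body, constructed
    "-----END RSA PRIVATE KEY-----\n"
)
PROTECTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "AAAA\n"  # placeholder body, constructed
    "-----END RSA PRIVATE KEY-----\n"
)

SAMPLE_KEYS = {
    "id_rsa_old_unprotected": UNPROTECTED_PEM,
    "id_rsa_old_protected": PROTECTED_PEM,
    "id_ed25519_unprotected": UNPROTECTED_OPENSSH,
    "id_ed25519_protected": PROTECTED_OPENSSH,
}

if __name__ == "__main__":
    for name in audit_keys(SAMPLE_KEYS):
        print(f"{name}: NOT passphrase-protected; run: ssh-keygen -p -f {name}")
```

Keys flagged by the audit can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`; that addresses the file-theft case in the story, but as the thread notes, the passphrase then has to survive an offline guessing attack, so it needs to be a strong one. For the legacy PEM format, `ssh-keygen -p` also rewrites the file into the newer container, which is why the check handles both.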