On Thu, 24 Aug 2006, kevin lyda wrote:
> ok, yes, but there's a major difference: in general the user's ssh
> key is not accessible directly via the net;
Hmm, that's a sweeping generalisation. What makes you say that?
I'd actually say that the presence of ssh secret keys on a computer
means the computer *will* be connected to the internet (regularly or
permanently).
> if i want to use paul's key to break into server target.com.ie i
> have to go find paul's key. where is that? and once i figure out
> that it's on laptop x that is usually behind a firewall, how do i
> get to it?
Simple: You steal the laptop.
But most 'breaks' are not targetted but opportunistic. Worms and
crackers target insecure hosts, not specific domains. If that then
offers up pass-phraseless keys to more secure hosts..
> in my mind that's a big win.
You realise that the reason they had to change the known_hosts file
to store hashes of hosts (rather than hostnames/IPs directly) was
because of SSH 'worms' exploiting pass-phraseless secret keys and
using known_hosts to find which remote host they "opened the door"
to?
I bet though most long-time users still have lots of 'plain'
hostnames and IPs in their known_hosts files.
regards,
--
Paul Jakma paul at clubi.iepaul at jakma.org Key ID: 64A2FF6A
Fortune:
You are not my son!
-- Homer Simpson
Boy-Scoutz n the Hood
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
