January 8, 2004, 11:50 pm
attempting to "buck the system." There is an auditing tool being
rolled-out that logs into every *nix/linux box (tens of thousands of them)
using a particular user name and authenticating with a passwordless
(nothing in /etc/shadow or /etc/master.passwd, etc.) ssh connection -- the
public ssh key for the username being put in /home/username/.ssh on every
"client." The account is non-privileged, i.e., no root access -- just a
We are attempting to explain that putting the same user account (with a
publicly known user name) on tens of thousands of computers using only one
openssh key as the authentication mechanism while a handful of servers
have the private key for the account -- is a bad idea.
However, while cognizant that the encryption schemes, blowfish, rsa, dsa,
etc. make some difference between one another and are used at different
stages in the handshake and tunnel creation, it would be helpful to be
able to provide some "realistic" numbers on what it would take to crack
just one openssh private key. A range, for example. If there is someone
here who knows the math, about how many permutations would it take? If
it's possible, an example on the order of: it would take 100 2.0-Gigahertz
machines, between X and Y seconds/minutes/days (I really have no clue as
to the complexity involved, so perhaps years would be more appropriate
than seconds) to crack the private key, by brute force -- something a
manager can understand :-).
The idea being, if someone did ever crack that one openssh 3.7x private
key, that someone would now have a login account on tens of thousands of
computers, an enormous flaw, IMHO.
/"\ ASCII Ribbon Campaign
\ / Against HTML
X in e-mail & news
/ \ jim %$# bottino ELIPSIS com
Re: How secure is ssh?
Does the auditing tool need full shell access, or can you restrict the
activities that the key is authorized to perform?
Does it need constant access, or can you monitor the clients for
abnormal use of the key?
Personally, 'cracking' a private key sounds like the work of someone
determined to get in. I would be *much* more concerned about the true
security of the private key rather than the ability to crack it from
What sort of machines have it?
Is the key at least passphrased on them?
If not, does anyone have access to the backup tapes?
How many people have access to the physical machine?
Yup. Don't forget that you can design a system whereby the keys are
changed every so often. Such a system would almost make it impossible
to 'crack' the private key in a useful way. It does nothing about
finding ways of stealing or otherwise obtaining the existing key though.
Darren Dunham firstname.lastname@example.org
Unix System Administrator Taos - The SysAdmin Company
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >
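The reply above asks whether the audit key needs full shell access or can be restricted. As an added example (not part of the thread and not the auditing tool's code), this sketch parses `authorized_keys` entries and reports which of the per-key restrictions sshd supports are missing; the sample file, key blobs, address and command path are constructed placeholders.

```python
# Added example: flag authorized_keys entries that lack per-key restrictions.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
WANTED = ("command", "from", "no-pty", "no-port-forwarding",
          "no-agent-forwarding", "no-x11-forwarding")

def split_unquoted(text, seps, maxsplit=-1):
    """Split on separator characters that sit outside double quotes."""
    parts, cur, quoted, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and quoted and i + 1 < len(text):
            cur += text[i:i + 2]          # keep an escaped character as-is
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted and maxsplit != 0:
            parts.append(cur)
            cur = ""
            maxsplit -= 1
        else:
            cur += ch
        i += 1
    return parts + [cur]

def parse_entry(line):
    """Return (options dict, remainder) for one authorized_keys line."""
    line = line.strip()
    if line.startswith(KEY_TYPES):        # no options field at all
        return {}, line
    field, rest = (split_unquoted(line, " \t", 1) + [""])[:2]
    opts = {}
    for item in split_unquoted(field, ","):
        name, _, value = item.partition("=")
        opts[name.lower()] = value[1:-1] if value[:1] == '"' else value
    return opts, rest

def audit(text):
    """Return {line number: [missing restrictions]} for weak entries."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            missing = [w for w in WANTED if w not in parse_entry(line)[0]]
            if missing:
                findings[n] = missing
    return findings

SAMPLE = '''# constructed sample, key material replaced by placeholders
ssh-rsa AAAAB3PLACEHOLDER1 audit@collector
from="192.0.2.10",command="/usr/local/bin/audit-report",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDER2 audit@collector
command="/bin/sh -c \\"uname -a, uptime\\"",no-pty ssh-dss AAAAB3PLACEHOLDER3 audit@collector
'''
```

`audit(SAMPLE)` reports line 2 (a bare key with full shell access) and line 4 (forced command but no source-address limit); an entry like line 3 confines a stolen private key to one command from one host.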