Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Dec 2015 20:55:52 +0100
From:      Terje Elde <terje@elde.net>
To:        Matthew Seaman <matthew@FreeBSD.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: best practice for locking down private jail?
Message-ID:  <B47F1A5D-AD1D-4A4C-AF63-5CF1C896E0A7@elde.net>
In-Reply-To: <565FFBDF.40907@FreeBSD.org>
References:  <CACcSE1yQO8AjW9rpY+d2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com> <CACcSE1yqeXqd=mLJ-=aJGr0hXcUEE0v3MeiAty6e4cgpWF7D8g@mail.gmail.com> <20151203083926.72ad74db.freebsd@edvax.de> <565FFBDF.40907@FreeBSD.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

> On 03 Dec 2015, at 09:22, Matthew Seaman <matthew@FreeBSD.org> wrote:
>=20
> Keys *and* a password doesn't offer any additional security over just
> keys alone.

Actually, that's not true.=20

It's a fairly common thought, since both are key+password, but there's a ver=
y real difference; online vs. offline.=20

If you have an encrypted ssh private key, you can try to brute-force the pas=
sword as much as you'd like, in the comfort of your own home.=20

The password on the server though, would have to be tried against the server=
, leaving logs, possibly getting your IP firewalled, and alerting admin.=20

This is also where it gets interesting; if you check key before password, so=
meone uses the key but fails at the password a mere 3 times, you could revok=
e the key, and lock up the user.=20

That's what I'd call a pretty significant boost in security.=20

(Granted, the last part of that would perhaps require some scripting)

And your point isn't completely without merit. For a lot of cases it doesn't=
 matter; if the key is compromised because someone got access to the system w=
hile in use (as opposed to say, theft, DHS etc), there's a good chance the a=
ttacker could keylog the passphrase, at which point most of this would be mo=
ot.=20

To sum up; for some attackers/scenarios, it can boost security significantly=
, for others it hardly matters. For most, it's probably better to just go wi=
th keys, or take another step up and look at 2FA, or moving SSH keys to hard=
ware (smartcard, yubikey...)

I'm not suggesting everyone run out and set passwords, not adopt anything I m=
ention here, my point is just that there's a difference between encrypted ke=
y and key+password, and the difference can be leveraged for gain where appro=
priate.=20


Oh, and final note; there's some possible fun to be had here if anyone is in=
 a scripting mood, such as setting up a system to revoke SSH-keys to ALL mac=
hines, if key works but password fails on ANY, if key is successfully used f=
rom a non-whitelisted IP, and so on. Later SSHs have some CA-infrastructure,=
 ink. ability to distribute revocation-lists. That opens up to being able to=
 keep revocation ready at hand, and distributing only after its needed.=20

Terje




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?B47F1A5D-AD1D-4A4C-AF63-5CF1C896E0A7>