ssh-decrypt

Pawel Krupinski pak76_ml at yahoo.co.uk
Fri Nov 17 19:55:56 EST 2006


> Don't forget that the agent functionality is
> available on any host that 
> you have logged onto with agent forwarding enabled,
> so anyone 
> controlling any one of those hosts can use your
> agent to decrypt your stuff.

Thanks for pointing it out. There are several things
that mitigate (to a certain extent) this risk:
1. One of the important features of the password safe
(as I call it) I have in mind will be accountability,
so I can say who, when and which secret was accessed.
2. In the enterprise environment, we have control over
each and every box the ssh agent will run on (we
don't allow out-going ssh connections).
3. Most of the root operations are done via sudo. In
cases where someone requires root logon, we are
logging all his operations.
4. All above will generate logs. We want to have log
correlation tuned up to pick up activities where an
administrator abused his rights. 

It is not 100% secure, but still better than scrambled
passwords.

Cheers,
- pak76
--- Darren Tucker <dtucker at zip.com.au> wrote:

> Pawel Krupinski wrote:
> > One of the problems we are facing is secure storage of
> > passwords (database, bestcrypt, other applications/systems,
> > ) and availability within
> [...]
> > I'm using ssh agent currently just to manage my keys
> > and practically they are used only to provide me with
> > SSO to other ssh based systems. Why not use these keys
> > (or a separate ssh key pair) to protect passwords to
> > things such as database?
> 
> Don't forget that the agent functionality is
> available on any host that 
> you have logged onto with agent forwarding enabled,
> so anyone 
> controlling any one of those hosts can use your
> agent to decrypt your stuff.
> 
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9
> C982 80C7 8FF4 FA69
>      Good judgement comes with experience.
> Unfortunately, the experience
> usually comes from bad judgement.
> 
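The risk Darren describes comes down to two configuration knobs: `ForwardAgent` on the client side (ssh_config, default `no`) and `AllowAgentForwarding` on the server side (sshd_config, default `yes`). Below is an added audit script, not part of this thread and not OpenSSH's own code, that parses both files with the first-match-wins semantics ssh uses and reports every host your agent would be reachable from, next to a hardened server fragment. Only the standard library is used; the two sample configs and the host names in them are constructed for the demonstration.

```python
"""Audit OpenSSH configs for ssh-agent forwarding exposure.

Added example (constructed sample configs, standard library only).
Keyword names and defaults are those of ssh_config(5)/sshd_config(5):
ForwardAgent defaults to "no", AllowAgentForwarding defaults to "yes".
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Constructed client config: forwarding is switched on for one jump host.
SAMPLE_SSH_CONFIG = """
# ~/.ssh/config (constructed sample)
Host bastion
    HostName bastion.example.internal
    ForwardAgent yes

Host *.example.internal
    ForwardAgent no

Host *
    ForwardAgent no
"""

# Constructed server config that leaves the risky default in place.
SAMPLE_SSHD_CONFIG = """
# /etc/ssh/sshd_config (constructed sample)
Port 22
AllowAgentForwarding yes
PermitRootLogin no
"""

# Hardened counterpart: a compromised root on this box cannot reach a
# forwarded agent because sshd refuses the auth-agent channel request.
HARDENED_SSHD_CONFIG = """
Port 22
AllowAgentForwarding no
PermitRootLogin no
"""

Block = Tuple[List[str], Dict[str, str]]


def parse_blocks(text: str) -> List[Block]:
    """Split a config into (patterns, keywords) blocks in file order.

    Lines before the first Host/Match line form an implicit global block
    with pattern '*'. Keywords are case-insensitive and may be written as
    'Key value' or 'Key=value'. Match blocks are kept under a 'Match ...'
    pseudo-pattern and never matched here (they need connection context).
    Within a block the first occurrence of a keyword is kept, as in ssh.
    """
    blocks: List[Block] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            blocks.append(([f"Match {value}"], {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def host_matches(patterns: List[str], host: str) -> bool:
    """ssh pattern-list rule: a negated ('!') hit vetoes, else any hit wins."""
    matched = False
    for pat in patterns:
        if pat.startswith("Match "):
            return False
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            matched = True
    return matched


def effective_value(blocks: List[Block], host: str, keyword: str, default: str) -> str:
    """First block (in file order) that matches the host and sets the keyword wins."""
    keyword = keyword.lower()
    for patterns, kws in blocks:
        if keyword in kws and host_matches(patterns, host):
            return kws[keyword]
    return default


def client_forwarding_enabled(ssh_config_text: str, host: str) -> bool:
    blocks = parse_blocks(ssh_config_text)
    return effective_value(blocks, host, "ForwardAgent", "no").lower() == "yes"


def server_allows_forwarding(sshd_config_text: str) -> bool:
    # sshd evaluates the global section; the default when unset is "yes".
    global_kws = parse_blocks(sshd_config_text)[0][1]
    return global_kws.get("allowagentforwarding", "yes").lower() == "yes"


def audit(ssh_config_text: str, hosts: List[str], sshd_config_text: str) -> List[str]:
    """Return one finding per host your agent is reachable from, plus the server state."""
    findings = []
    for host in hosts:
        if client_forwarding_enabled(ssh_config_text, host):
            findings.append(f"client: ForwardAgent yes for {host}; anyone with root there can use your agent")
    if server_allows_forwarding(sshd_config_text):
        findings.append("server: AllowAgentForwarding is on (the default); set it to no unless required")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SSH_CONFIG, ["bastion", "db1.example.internal"], SAMPLE_SSHD_CONFIG):
        print(line)
```

Run against the sample configs it reports `bastion` as the one host where a forwarded agent is exposed and flags the server default. On the agent side, `ssh-add -c` additionally makes every signing request prompt for confirmation, which gives the accountability Pawel mentions a concrete hook: a remote host cannot silently use the agent even where forwarding is on.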