Question on SSH_ASKPASS
Carson Gaspar
carson at taltos.org
Fri Dec 25 03:51:25 EST 2009
Gert Doering wrote:
> Hi,
>
> On Thu, Dec 24, 2009 at 12:36:37PM +1300, Peter Lambrechtsen wrote:
>> Why aren't you using authorized_keys with public/private keys?
>> That's what it's there for. Among other reasons.
>
> Unfortunately, some vendors fail to understand this. Like "Cisco". Or
> "Citrix" (who *can* do pubkey auth, but there is no persistent storage
> on the netscalers, so it will only work up to the next reboot).
>
> For the time being, us poor admins have to fall back to nastier
> approaches... like "put passwords into files".
A better approach would be to use Kerberos. Most enterprise vendors like
the ones you mention support GSSAPI auth. Of course some don't :-(
> (Not that "put password into script" is *that* much more insecure than
> "have password-less key on file". If your files can be read by $evil_entity,
> you're toast, in both cases...)
The difference is slightly technical and mostly human behaviour. If an
attacker gets a cleartext password, it is _highly_ likely that password
will work across multiple system domains. If an attacker gets a
cleartext private ssh key, it is likely that will work across a smaller
domain of systems. The RSA/DSA key is also more secure against brute
force attacks. If you have very good password discipline the differences
are relatively small, but I've _rarely_ seen good password discipline in
real life.
--
Carson
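Both sides of the thread agree that the real exposure is a credential sitting readable on disk, whether it is a password in a script or a passphrase-less private key. The following audit script is an added example, not code from the thread or from OpenSSH: it walks a directory, flags private keys stored without a passphrase (legacy PEM keys via their ENCRYPTED marker, new-format keys via the cipher name "none" in the decoded header) and keys readable by group or other. It assumes a POSIX shell with GNU or BSD `base64 -d`, and the sample key files it inspects are constructed stubs written to a temporary directory, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): find private keys that are stored
# without a passphrase or with loose permissions. Sample files are constructed.

# key_is_unencrypted FILE -> exit 0 if FILE is a private key with no passphrase
key_is_unencrypted() {
    f="$1"
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
        # New OpenSSH format: the cipher name follows the "openssh-key-v1"
        # magic in the base64 body; an unprotected key says "none".
        sed '1d;$d' "$f" | tr -d '\n' | base64 -d 2>/dev/null \
            | head -c 40 | grep -q 'none'
    elif grep -q 'PRIVATE KEY' "$f"; then
        # Legacy PEM / PKCS#8: passphrase-protected keys carry
        # "Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY".
        ! grep -q 'ENCRYPTED' "$f"
    else
        return 1            # not a private key at all
    fi
}

# loose_perms FILE -> exit 0 if group or other has any permission bit set
loose_perms() {
    # POSIX ls -l: characters 5-10 of the mode field are the group/other bits
    case "$(ls -ld "$1" | cut -c5-10)" in
        *[rwx]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_keys DIR -> one line per finding for private keys directly in DIR
audit_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q 'PRIVATE KEY' "$f" 2>/dev/null || continue
        if key_is_unencrypted "$f"; then
            printf '%s: private key stored without a passphrase\n' "$f"
        fi
        if loose_perms "$f"; then
            printf '%s: readable by group/other (%s)\n' "$f" \
                "$(ls -ld "$f" | cut -c1-10)"
        fi
    done
}

# make_samples -> prints a temp dir holding constructed sample files
make_samples() {
    d=$(mktemp -d)
    (
        umask 077
        # 1. legacy PEM key, no passphrase, mode 600   -> one finding
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
            'MIIEconstructedSampleNotARealKey' \
            '-----END RSA PRIVATE KEY-----' > "$d/id_rsa_plain"
        # 2. legacy PEM key with passphrase, mode 600  -> clean
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
            'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-128-CBC,00' '' \
            'MIIEconstructedSampleNotARealKey' \
            '-----END RSA PRIVATE KEY-----' > "$d/id_rsa_enc"
        # 3. no passphrase AND group/world readable     -> two findings
        cp "$d/id_rsa_plain" "$d/id_dsa_shared"
        chmod 644 "$d/id_dsa_shared"
        # 4. new OpenSSH format with cipher/kdf "none"  -> one finding
        {
            echo '-----BEGIN OPENSSH PRIVATE KEY-----'
            printf 'openssh-key-v1\0\0\0\0\4none\0\0\0\4none' | base64
            echo '-----END OPENSSH PRIVATE KEY-----'
        } > "$d/id_ed25519_plain"
        # 5. not a key at all                           -> skipped
        echo 'host ssh-ed25519 AAAAconstructed' > "$d/known_hosts"
    )
    echo "$d"
}

# Stand-alone run: audit the constructed samples, then clean up.
sample_dir=$(make_samples)
audit_keys "$sample_dir"
rm -rf "$sample_dir"
```

Run it against a real `~/.ssh` by calling `audit_keys "$HOME/.ssh"` instead of the sample directory; a key that shows up as passphrase-less is exactly the "password-less key on file" case Gert describes, and the fix (add a passphrase and load it via ssh-agent, or move to GSSAPI where the device supports it) follows from the thread.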