OpenSSH daemon security bug?
Davi Diaz
davi at leals.com
Wed Jan 6 02:01:11 EST 2010
A co-worker argues we can login using only password to a "ssh-key restricted
host (PasswordAuthentication no)", without being asked for any passphrase; just
by putting a key (no need to be the private key) on another password-based
host.
Is that true? I do not think so. I would name that as an "important OpenSSH
daemon security bug". That is because I think it is not true.
co-worker wrote:
> You cannot distinguish passphrased keys from passphraseless ones.
I think the OpenSSH daemon will take care to ask for a key passphrase before
using a key to open an encrypted channel.
An ssh key which requires an ssh passphrase to be usable cannot be used to open
an ssh connection if such ssh passphrase is not provided, as it is part of the
encryption algorithm.
I know we can create ssh keys without passphrases (useful for unattended
backups, scripts and so on). However our users will be told not to do that,
of course, as they are told not to create weak passwords.
co-worker wrote:
> I am all for encouraging key-based logins, but I think disabling
> password logins completely actually reduces security.
Of course I disagree because I think such "OpenSSH daemon security bug" is not
a true story. It is a false one.
What do you think?
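Editor's note: the thread turns on whether a private key is passphrase-protected, and the post mentions that users are told not to create passphraseless keys. The following is an added example, not code from the poster or from the OpenSSH project: a small checker that inspects a private key file and reports whether it is encrypted with a passphrase, so an administrator can audit keys before accepting them in authorized_keys workflows. It relies on the documented key file layouts (the "openssh-key-v1" container, whose cipher name is "none" for an unencrypted key; PKCS#8 "ENCRYPTED PRIVATE KEY" headers; and the legacy PEM "Proc-Type: 4,ENCRYPTED" header). The sample key files it builds are synthetic, constructed for the example, and carry no real key material.

```python
import base64
import struct

# Magic prefix of the OpenSSH private key container (PROTOCOL.key).
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    """Decode one SSH string at offset off; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated ssh string length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated ssh string body")
    return buf[off:off + n], off + n


def make_openssh_key_text(cipher: bytes, kdf: bytes) -> str:
    """Build a synthetic OpenSSH-format private key file (constructed sample).

    Only the cipher and KDF names matter for the check; the key sections are
    dummy strings, so this is not a usable key.
    """
    blob = (OPENSSH_MAGIC
            + _ssh_string(cipher)       # ciphername: "none" when unencrypted
            + _ssh_string(kdf)          # kdfname: "none" or "bcrypt"
            + _ssh_string(b"")          # kdfoptions (empty for the dummy)
            + struct.pack(">I", 1)      # number of keys
            + _ssh_string(b"dummy-public-key")
            + _ssh_string(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def key_is_passphrase_protected(text: str) -> bool:
    """Return True if the private key file text is encrypted with a passphrase.

    Raises ValueError for input that is not a recognisable private key file.
    """
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    header = lines[0]

    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(line for line in lines[1:] if not line.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_ssh_string(blob, off)
        # An unencrypted key records the cipher name "none".
        return cipher != b"none"

    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True   # PKCS#8, encrypted
    if header == "-----BEGIN PRIVATE KEY-----":
        return False  # PKCS#8, unencrypted

    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encrypted files carry a
    # "Proc-Type: 4,ENCRYPTED" header line before the base64 body.
    return any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in lines[1:])


def audit_keys(keys: dict) -> list:
    """Return the names of keys in {name: file_text} that lack a passphrase."""
    return sorted(name for name, text in keys.items()
                  if not key_is_passphrase_protected(text))


if __name__ == "__main__":
    # Constructed inventory: one protected key, one unattended (passphraseless) key.
    inventory = {
        "alice_id_ed25519": make_openssh_key_text(b"aes256-ctr", b"bcrypt"),
        "backup_job_key": make_openssh_key_text(b"none", b"none"),
    }
    print("keys without a passphrase:", audit_keys(inventory))
```

Run it as a script to see the audit over the constructed inventory; to check real files, read each one and pass its text to key_is_passphrase_protected. The checker only looks at headers and the container's cipher name, so it never needs the passphrase and never decrypts anything, which is what makes it safe to run over a whole directory of keys.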