OpenSSH daemon security bug?

Aris Adamantiadis aris.adamantiadis at belnet.be
Wed Jan 6 02:41:21 EST 2010


Hello,

Password authentication and password-protected keys are two different
things. Using password-protected keys, the decryption of the private key
is done on client side (to protect the confidentiality of the key), and
there is nothing in the SSH protocol which could stop the behavior of
accepting "less secure keys because they were stored in clear". It's not
less secure than writing the utterly complex password in a clear text
file because you can't remember it.

So the quote from your coworker
>> You cannot distinguish passphrased keys from passphraseless ones.
is true.
>> I am all for encouraging key-based logins, but I think disabling
>> password logins completely actually reduces security.
Possibly, especially when you need to authenticate from a host whose
security is not known (cyber-café, friend's station, ...). An OTP or
2-factor authentication is preferred.

Regards,

Aris

Davi Diaz wrote:
> A co-worker argues we can login using only password to a "ssh-key restricted
> host (PasswordAuthentication no)", without being asked by any passphrase; just
> by putting a key (no need to be the private key) on another password-based 
> host.
> 
> Is that true? I do not think so.  I would name that as an "important OpenSSH
> daemon security bug". That is because I think it is not true.
> 
> 
> co-worker wrote:
>> You cannot distinguish passphrased keys from passphraseless ones.
> 
> I think the OpenSSH daemon will take care to ask for a key passphrase before 
> using a key to open an encrypted channel.
> 
> A ssh key which requires a ssh passphrase to be usable can not be used to open 
> a ssh connection if such ssh passphrase is not provided, as it is part of the 
> encryption algorithm.
> 
> I know we can create ssh keys without passphrases (useful for unattended 
> backups, scripts and so on).  However our users will be told not to do that, 
> of course, as they are told not to create weak passwords.
> 
> 
> co-worker wrote:
>> I am all for encouraging key-based logins, but I think disabling
>> password logins completely actually reduces security.
> 
> Of course I disagree because I think such "OpenSSH daemon security bug" is not 
> a true story.  It is a false one.
> 
> What do you think?
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 

-- 
Aris Adamantiadis
--
BELNET, Customer Relations
Technical Advisor
t: ++32 2 790 33 33
Dept: customer at belnet.be
Contact: http://www.belnet.be/contact.html
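An added example, not part of the thread: since the server cannot tell a passphrase-protected key from one stored in clear, the only place the policy can be checked is the client-side key file itself. This constructed Python checker reads a private-key file's header (the cipher field of the native openssh-key-v1 container, the Proc-Type header of legacy PEM, the PKCS#8 "ENCRYPTED" label) and reports whether the key is encrypted; the sample key texts are constructed placeholders, not real keys.

```python
import base64
import re
import struct

# Magic prefix of the native OpenSSH container ("openssh-key-v1", OpenSSH 6.5+, newer than this 2010 thread).
OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN ((?:[A-Z]+ )*)PRIVATE KEY-----\n(.*?)-----END", re.S)

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(buf: bytes, off: int):
    """Decode one SSH wire string at offset; returns (payload, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_encrypted(key_text: str) -> bool:
    """True if a private key file is passphrase-protected, False if it is stored in clear.
    Handles the native OpenSSH container, legacy PEM (Proc-Type header) and PKCS#8."""
    m = PEM_RE.search(key_text)
    if not m:
        raise ValueError("not a recognised private key file")
    label, body = m.group(1).strip(), m.group(2)
    if label == "OPENSSH":
        raw = base64.b64decode("".join(body.split()))
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_ssh_string(raw, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(raw, off)
        # Clear-text keys carry cipher "none"/kdf "none"; encrypted ones name e.g. aes256-ctr + bcrypt.
        return cipher != b"none" or kdf != b"none"
    if label == "ENCRYPTED":  # PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
        return True
    return "Proc-Type: 4,ENCRYPTED" in body  # legacy PEM marks encryption in a header line

def _constructed_openssh_header(cipher: bytes, kdf: bytes) -> str:
    """CONSTRUCTED minimal openssh-key-v1 file: header only (a real file continues with
    the public key and the private section, which this check never needs to read)."""
    raw = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples, not real keys: the base64 payload "QUJD" is filler.
PLAIN_OPENSSH = _constructed_openssh_header(b"none", b"none")
ENCRYPTED_OPENSSH = _constructed_openssh_header(b"aes256-ctr", b"bcrypt")
PLAIN_LEGACY = "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,"
                    "00112233445566778899AABBCCDDEEFF\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")
```

Run over the key files in users' ~/.ssh on managed clients to audit the "no passphraseless keys" rule; it says nothing about what sshd sees, which is exactly the point of the thread.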