OpenSSH daemon security bug?

Mark Janssen maniac.nl at gmail.com
Wed Jan 6 02:21:34 EST 2010 

On Tue, Jan 5, 2010 at 4:01 PM, Davi Diaz <davi at leals.com> wrote:
> A co-worker argues we can login using only password to a "ssh-key restricted
> host (PasswordAuthentication no)", without being asked by any passphase; just
> by putting a key (no need to be the private key) on another password-based
> host.
>
> It that true? I do not think so.  I would name that as an "important OpenSSH
> daemon security bug". That is because I think it is not true.

You can only login using keys if the public key is included in the
'authorized_keys' file on the server. The ssh client will read the
private key (passphrased or not, ask for a passphrase if needed (or
read from an agent)).

The server has no way of knowing if the key had a passphrase (was
encrypted), as it never sees the private key. The private key is only
used for authentication/encryption on the client-side.

> co-worker wrote:
>> You cannot distinguish passphrased keys from passphraseless ones.
True (server never sees the key, only the result of computations on
the decrypted key)

> I think the OpenSSH daemon will take care to ask for a key passphrase before
> using a key to open an encrypted channel.
False, the client handles keys

> A ssh key which requires a ssh passphrase to be usable can not be used to open
> a ssh connection if such ssh passphrase is not provided, as it is part of the
> encryption algorithm.
False

> I know we can create ssh keys without passphrases (useful for unattended
> backups, scripts and so on).  However our users will be told not to do that,
> of course, as they are told not to create weak passwords.
>
>
> co-worker wrote:
>> I am all for encouraging key-based logins, but I think disabling
>> password logins completely actually reduces security.

I must agree here, while keys are better then passwords, it's
impossible to enforce passphrase quality on keys, while it is possible
to enforce some quality on passwords.

-- 
Mark Janssen  --  maniac(at)maniac.nl  --  pgp: 0x357D2178 |   ,''`.  |
Unix / Linux Open-Source and Internet Consultant @ Snow.nl |  : :' :  |
Maniac.nl      MarkJanssen.nl      NerdNet.nl      Unix.nl |  `. `'   |
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet |    `-    |

More information about the openssh-unix-dev mailing list