OpenSSH daemon security bug?

Wed Jan 6 06:06:28 EST 2010

----- Original Message ----

> From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
> To: openssh-unix-dev at mindrot.org
> Sent: Tue, January 5, 2010 9:25:26 AM
> Subject: Re: OpenSSH daemon security bug?
> 
> On 01/05/2010 10:21 AM, Mark Janssen wrote:
> > On Tue, Jan 5, 2010 at 4:01 PM, Davi Diaz wrote:
> >> co-worker wrote:
> >>> I am all for encouraging key-based logins, but I think disabling
> >>> password logins completely actually reduces security.
> > 
> > I must agree here, while keys are better then passwords, it's
> > impossible to enforce passphrase quality on keys, while it is possible
> > to enforce some quality on passwords.
> > 
> i don't think you're comparing the same thing, though.  You can make
> sure it's a really really strong password, but it's still *not* possible
> to enforce that your users keep their password safe.
> 
> If you're worried that your users might leave an unprotected key lying
> around, you should *also* be worried that those same users might send
> their password via e-mail (even if it's just "to themselves as a
> reminder"), or write it in a cleartext file on their computer, reuse it
> for their amazon account, for their blog, etc.
> 
> At some level, you have to trust your users if they're going to use your
> system.  And have good backups, easy recovery, and regular user
> education about good practices, of course ;)
> 
>     --dkg

More to the point, password authentication is fundamentally less secure than ssh public key authentication. The comparisons being made here are seemingly getting hung up on the word "password", and supposing that the weakness of one password is the same as the weakness of another. They are not.

The password on a private key helps to protect that private key from being stolen. However, the most often exploited, and hence far greater risks are brute-force/dictionary attacks and password interception. 

Even a passwordless private key has between 768-4096 bits of entropy, which is roughly equivalent to a human-remembered passphrase of between 2000-10,000 characters. Good luck enforcing that password policy! 

And as to interception, private key exchanges never actually send the private key on the wire, instead they rely on a challenge/response using a randomly generated number. (essentially a packet containing a random number is encrypted to a public key, and that encrypted message is sent as the challenge; the client is then forced to decrypt that message to prove that it can decipher that number; if it helps by way of analogy, its like sending somebody a GPG encrypted email and then having them prove they have the key that can decrypt it)

As dkg points out, you have to trust your users not to do stupid things, and more often than not, continue to find yourself disappointed when they do in fact, do stupid things. That said, there is NO case where password authentication is MORE, or even nearly AS secure as private key authentication. Public key authentication mitigates more risk.Period. 