OpenSSH daemon security bug?
Michael Stone
mstone at mathom.us
Wed Jan 6 07:37:40 EST 2010
On Tue, Jan 05, 2010 at 07:25:03PM +0000, Jefferson Ogata wrote:
>For what it's worth, as an incident handler, I've witnessed a lot of
>cases of password guessing against sshd in my days. I haven't seen a
>single instance of someone stealing a passphrased pubkey and using that,
Consider yourself lucky. :-) Next question: how strong were the guessed
passwords? (Rhetorical; you note later down that they were generally the
result of someone doing something dumb. Note that the facilities to
centralize and enforce password policy are fairly common--how do you
prevent that same admin from doing something dumb with the key "just
temporarily"?)
>let alone discovering the passphrase on a key; the only compromises I've
>seen that involve pubkeys are intruders using an unpassphrased key from
>the system on which it resides to get to a related system, generally by
>consulting .ssh/known_hosts.
Yup, that would be it.
>Of course, attacks against pubkeys are
>possible, but they almost never happen.
*OF COURSE* nobody is attacking the keys cryptographically, that's not
the weak link.
Mike Stone
More information about the openssh-unix-dev
mailing list