OpenSSH daemon security bug?
Aris Adamantiadis
aris.adamantiadis at belnet.be
Wed Jan 6 21:21:27 EST 2010
Jefferson Ogata a écrit :
>
> I'm not lucky. If you've seen someone steal a key *and* a passphrase and
> use it, you're the lucky/unlucky one. I've been doing incident response
> for over 10 years and I've never seen that happen.
I've got feedback of pentesters actually doing that almost each time
they do a pentest and succed. Either they compromise the private keys by
stealing the password (keypress sniffer, console sniffer, ...) or by
fetching the decrypted key in the user agent. Encrypted key files are a
layer of protection but they can't stop a competent intruder who can sit
down and wait until you actually use your key.
Aris
More information about the openssh-unix-dev
mailing list