OpenSSH daemon security bug?
Davi Diaz
davi at leals.com
Wed Jan 6 21:39:03 EST 2010
Aris Adamantiadis wrote:
> Jefferson Ogata wrote:
> > I'm not lucky. If you've seen someone steal a key *and* a passphrase and
> > use it, you're the lucky/unlucky one. I've been doing incident response
> > for over 10 years and I've never seen that happen.
>
> I've got feedback of pentesters actually doing that almost each time
> they do a pentest and succeed. Either they compromise the private keys by
> stealing the password (keypress sniffer, console sniffer, ...) or by
> fetching the decrypted key in the user agent.
>
> Encrypted key files are a layer of protection but they can't stop a
> competent intruder who can sit down and wait until you actually use
> your key.
However, password-based account access cannot avoid keypress sniffers, console
sniffers, ... either.