OpenSSH daemon security bug?
Aris Adamantiadis
aris.adamantiadis at belnet.be
Thu Jan 7 00:27:17 EST 2010
Jefferson Ogata a écrit :
>
> That is true. But the vast majority of intruders are incompetent.
>
As Michael pointed out, that is not an argument for or against private keys.
> As for your pen-testers, they had to get on the box with the private key
> somehow before they could perform that attack. And they're pen-testers.
That's why I don't encrypt the keys on my harddisk. If I'm owned, I'm
own and that includes the private keys on my computer, be they encrypted
or not. Of course I encrypt the whole hard disk of my laptop to protect
my data, including keys, from laptop theft.
> Have you ever seen this happen in a genuine intrusion?
A pentest is a genuine intrusion, excepted that bad guys usually don't
write a nice report after explaining what they compromised and how they
got in.
Private keys are a nice tool. You can't steal it even if somebody
authenticated on your system with it, and you can't remember it if you
happen to read a dump of the private key on somebody's computer. But the
idea behind it is the same that the password things (It's something you
know, not something you own or something you are).
Aris
More information about the openssh-unix-dev
mailing list