Utility to scan for unpassworded SSH privkeys?

Nico Kadel-Garcia nkadel at gmail.com
Sun May 26 01:06:47 EST 2013


On Sat, May 25, 2013 at 7:33 AM, Damien Miller <djm at mindrot.org> wrote:
> On Sat, 25 May 2013, Nico Kadel-Garcia wrote:
>
>> The attitude of "if I can break your window, you shouldn't be even
>> bothered to lock your car" is an unfortunately common one in the
>> security world. Security can be strongly improved by using layers:
>
> Sure, but the layers have to actually offer some security and not
> just the theatre of "we have to do _something_!" Offering a control
> in ssh_config that is trivially bypassed is not giving out users
> security, it's selling them a lie.
>
> Scanning for passwordless keys on a filesystem is fortunately very
> simple, and does have a real benefit.

Except that it can't scan filesystems on people's disconnected
laptops, or their local machines that they propagate their keys from but
are in the backup system, nor does it scale well for large
environments, nor environments that use NFSv4 with Kerberized access,
nor environments that auto-mount home directories, nor does it
eliminate the old keys from the backup system, etc., etc. And note
that a file system scan is next to useless for auto-mounted home
directories in most NFS automount configurations, since the wildcard
based mounting of home directories provides no direct hint of what the
mountpoints might be.

You get the idea. It's possible for users who are being cunning to
work around many types of security audit or enforced security
practice. That doesn't make the elementary security policy enforcement
attempts useless, it just means that they help with the low hanging
fruit of poor default security practices.
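A filesystem scanner of the kind Damien describes, as an added example that is not from this thread or from OpenSSH itself. It treats a key as unprotected when the openssh-key-v1 cipher name is "none" or a legacy PEM key has no "Proc-Type: 4,ENCRYPTED" header; make_sample_openssh_key builds a constructed header only so the parser can be exercised offline, and is not a usable key.

```python
import base64
import os
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def classify_private_key(text: str):
    """Return 'encrypted', 'unencrypted', or None if text is not a private key."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return None
    if "OPENSSH PRIVATE KEY" in lines[0]:
        # New-style key: decoded body is the magic, then the cipher name as an SSH string
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return None
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return "unencrypted" if blob[off + 4:off + 4 + n] == b"none" else "encrypted"
    if "ENCRYPTED PRIVATE KEY" in lines[0]:
        return "encrypted"  # PKCS#8 armor used only for passphrase-protected keys
    if "PRIVATE KEY" in lines[0]:
        # Legacy PEM: passphrase-protected keys carry Proc-Type/DEK-Info headers
        enc = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        return "encrypted" if enc else "unencrypted"
    return None

def scan_tree(root: str, max_bytes: int = 65536):
    """Walk root and return sorted paths of private keys that have no passphrase."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            try:  # skip unreadable files and anything too large to be a key
                text = p.read_text(errors="ignore") if p.stat().st_size <= max_bytes else ""
            except OSError:
                continue
            if classify_private_key(text) == "unencrypted":
                hits.append(str(p))
    return sorted(hits)

def make_sample_openssh_key(cipher: bytes, kdf: bytes = b"none") -> str:
    """Constructed minimal openssh-key-v1 header for testing; not a usable key."""
    blob = OPENSSH_MAGIC + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf, b""))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(blob).decode()
```

As the reply above notes, such a scan only sees what is mounted and readable at the time it runs, so unmounted home directories, disconnected laptops and backups are outside its reach.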
