(rfc) too many keys, usecase?
mouring at eviladmin.org
Fri Apr 15 03:01:48 AEST 2016
Cristian Ionescu-Idbohrn wrote:
> On Thu, 14 Apr 2016, Jakub Jelen wrote:
>> On 04/14/2016 01:19 PM, Cristian Ionescu-Idbohrn wrote:
>>> Yes, I know about MaxAuthTries and I used it as a workaround. Still,
>>> I would imagine the remote server knows there's no point refusing the
>>> slient offered keys one after the other, as none will work. Why then
>>> not telling the client there's no point trying, use password instead?
>> The server knows that there is no point in trying, but the (possibly
>> malicious) client does not know that. And server is trying to tell
>> the client the least possible amount of information (basic rule of
> Right. Still, how much more damage could a malicious client do if it
> ware presented with a password prompt? Is it worth annoying the
> non-malicious clients or push the admin into ticking up MaxAuthTries?
Same argument could be applied to why I bother to present a password
prompt if all the server
accepts only public keys. By not doing it, I reduce the possible attack
service a hacker has to
break into my server. Knowing that keys aren't except for the server
or for an individual user
it leaks information that an attacker can use against me. This is the
same reason why a few
years ago we went through painful effort to stop ssh from short-cutting
out of bad authentications
attempts. Because it leaked a bit of information an attacker could
detect to shift their attack
*shrug* My solution to this "issue" was to stop generating keys with
names. And use something more useful "id_rsa_work" "id_rsa_play" ..
I specify via ~/.ssh/config which key is to be served to a server. As
I honestly never
liked the "throw ssh keys at the server and see which one sticks"
feature of the SSH RFC.
It feels like a lazy way of key administration.
It was great when you are learning, but sucks when you start collecting
ssh keys for different community, work, personal, and friend's servers.
All of them
being completely different so you can keep good isolation habits (e.g.
If I leave a
community I want to do rm -rf .ssh/id_rsa_communityname* and know for a
that I no longer have the key and it improves my confidence that I'm not
to lose it, and thus causing a possible compromise if the community doesn't
do their own due diligence on removing my account or key).
The above also linked with ssh-agent and locking/unlocking ssh keys has
lived for 10+ years now, and have never ran into this problem.
Honestly, it is better to learn to manage your SSH keys properly.
More information about the openssh-unix-dev