> I believe they are using ssh, and the password was sniffed by a
> keystroke sniffer on a developer's machine.
> 
> As for something better than reusable passwords, what would you
> recommend?  Most developers never get within a thousand miles of the
> servers, so anything that requires physical access is out.  There is
> no budget, so smart card and biometric based systems are out.  Public
> key systems don't help -- if an attacker can install a keyboard
> sniffer, he can copy a private key.

I was thinking public-key (DSA) authentication when I wrote my original
message.  However, you're correct that if one of the developer machines
could be compromised to the point where a keyboard watcher is installed,
then the developer's secret key could be compromised by the attacker.
Of course, if we used smart cards to store our keys rather than files
on disk, life would be much better.  But that's a whine for another day.

I could argue that using public-key authentication would still be
"better" in some sense, since it's marginally harder to steal the
passphrase and then grab the key than it is to steal a simple
re-usable password.  But there's not a huge difference really since
the attacker already apparently has root on the developer's box.

> Could S/KEY be used here?  How would the keys be distributed securely?

I don't think S/Key is going to help you if you believe the scenario
that a keystroke logger was installed on a developer machine.  S/Key
uses a shared secret to generate the one-time password string, so if
the attacker is able to capture that secret from the developer, then
the attacker can impersonate that developer at will.  An astute user
would notice that somebody was using their S/Key secret (there's a
decrementing counter used as part of the S/Key challenge), but by
then it would be too late.

With unlimited budgets, two-factor authentication (token cards) would 
be the way to go.  But even assuming you could get RSA or one of their
competitors to donate the software and the keys, you'd still have to
have somebody on the Debian project spend time maintaining the system
and mailing keys to everybody.  Doesn't seem feasible.

> If there's a good solution available here, I'm too dumb to see it.

Given the scenario that you're describing, I don't see a practical
solution for resolving the issue either.  I guess you should only
allow developers on your project who are good at securing their home
machines.  :-)

-- 
Hal Pomeranz, Founder/CEO       Deer Run Associates       [EMAIL PROTECTED]
     Network Connectivity and Security, Systems Management, Training
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
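The S/Key argument above (a captured wire OTP is useless, a captured secret is not, and the only tell is the decremented counter) is easy to see in code. The following is an added illustration, not code from the message or from Hal Pomeranz, and it simplifies the real S/Key construction: the one-way step is SHA-256 truncated to 8 bytes instead of the MD4/MD5 64-bit fold, and the passphrase, seed and chain length are constructed values.

```python
"""Toy S/Key-style one-time-password chain (added illustration, not the real
S/Key implementation).  Server stores h^N(secret); the user answers challenge
k with h^k(secret); the server hashes once, compares, then stores the answer
and decrements k."""
import hashlib
from dataclasses import dataclass


def skey_fold(data: bytes) -> bytes:
    # One-way step.  Assumption: SHA-256 truncated to 64 bits stands in for
    # the MD4/MD5 folding the real S/Key uses.
    return hashlib.sha256(data).digest()[:8]


def otp_at(passphrase: str, seed: str, n: int) -> bytes:
    """Element n of the hash chain: fold applied n more times to fold(seed||passphrase)."""
    x = skey_fold((seed + passphrase).encode())
    for _ in range(n):
        x = skey_fold(x)
    return x


@dataclass
class SKeyServer:
    seed: str
    count: int        # sequence number that will be challenged next
    last_otp: bytes   # h^(count+1)(secret); the only thing the server keeps

    @classmethod
    def enroll(cls, passphrase: str, seed: str, n: int) -> "SKeyServer":
        # Enrollment is the one time the server sees the passphrase.
        return cls(seed=seed, count=n - 1, last_otp=otp_at(passphrase, seed, n))

    def challenge(self) -> tuple:
        return (self.count, self.seed)

    def verify(self, response: bytes) -> bool:
        if self.count < 0:
            return False                      # chain exhausted, re-enroll
        if skey_fold(response) != self.last_otp:
            return False                      # wrong OTP or a replayed one
        self.last_otp = response              # accepted answer becomes the new anchor
        self.count -= 1
        return True


def client_respond(passphrase: str, challenge: tuple) -> bytes:
    count, seed = challenge
    return otp_at(passphrase, seed, count)


def demo() -> tuple:
    """Returns (legit_login_ok, replay_ok, attacker_ok, count_seen_by_user)."""
    passphrase = "correct horse battery staple"     # constructed
    srv = SKeyServer.enroll(passphrase, "eugl1234", n=100)  # constructed seed

    # 1. Legitimate login: challenge is 99, user answers h^99.
    legit_ok = srv.verify(client_respond(passphrase, srv.challenge()))

    # 2. Someone who only sniffed the wire replays that same OTP: the server
    #    now expects h^98, so the replay fails.  This is what S/Key is for.
    sniffed = otp_at(passphrase, "eugl1234", 99)
    replay_ok = srv.verify(sniffed)

    # 3. Someone who keylogged the passphrase itself simply answers the next
    #    challenge; S/Key cannot tell them from the real user.
    attacker_ok = srv.verify(client_respond(passphrase, srv.challenge()))

    # 4. The real user's next challenge is 97, not the 98 they expected:
    #    the decremented counter is the only evidence, and it comes too late.
    return legit_ok, replay_ok, attacker_ok, srv.count


if __name__ == "__main__":
    print(demo())
```

The point the message makes falls out of step 3: the server never holds anything an attacker can use, but it also has no way to distinguish a user from anyone else who knows the passphrase, so a host-side keystroke logger defeats S/Key just as completely as it defeats a reusable password.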