> I believe they are using ssh, and the password was sniffed by a
> keystroke sniffer on a developer's machine.
>
> As for something better than reusable passwords, what would you
> recommend? Most developers never get within a thousand miles of the
> servers, so anything that requires physical access is out. There is
> no budget, so smart card and biometric based systems are out. Public
> key systems don't help -- if an attacker can install a keyboard
> sniffer, he can copy a private key.
I was thinking public-key (DSA) authentication when I wrote my original message. However, you're correct that if one of the developer machines could be compromised to the point where a keyboard watcher is installed, then the developer's secret key could be compromised by the attacker. Of course, if we used smart cards to store our keys rather than files on disk, life would be much better. But that's a whine for another day.

I could argue that using public-key authentication would still be "better" in some sense, since it's marginally harder to steal the passphrase and then grab the key than it is to steal a simple re-usable password. But there's not a huge difference really since the attacker already apparently has root on the developer's box.

> Could S/KEY be used here? How would the keys be distributed securely?

I don't think S/Key is going to help you if you believe the scenario that a keystroke logger was installed on a developer machine. S/Key uses a shared secret to generate the one-time password string, so if the attacker is able to capture that secret from the developer, then the attacker can impersonate that developer at will. An astute user would notice that somebody was using their S/Key secret (there's a decrementing counter used as part of the S/Key challenge), but by then it would be too late.

With unlimited budgets, two-factor authentication (token cards) would be the way to go. But even assuming you could get RSA or one of their competitors to donate the software and the keys, you'd still have to have somebody on the Debian project spend time maintaining the system and mailing keys to everybody. Doesn't seem feasible.

> If there's a good solution available here, I'm too dumb to see it.

Given the scenario that you're describing, I don't see a practical solution for resolving the issue either. I guess you should only allow developers on your project who are good at securing their home machines. :-)

-- 
Hal Pomeranz, Founder/CEO    Deer Run Associates    [EMAIL PROTECTED]
Network Connectivity and Security, Systems Management, Training
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
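Added example, not part of the thread: a simplified S/Key-style hash chain in Python that models the two points made above, that a captured one-time password cannot be replayed, but that whoever holds the shared secret can regenerate the whole chain and the legitimate user only notices when their own next login fails. The secret, seed, counter and the `SKeyServer` class are constructed for illustration, and SHA-256 stands in for the MD4-folded digest of RFC 1760, so this is a model of the mechanism rather than a wire-compatible implementation.

```python
"""Simplified S/Key-style one-time-password chain (hash chain).

The server stores only the last accepted OTP and its counter; the
shared secret never leaves the user. SHA-256 replaces the 64-bit
folded MD4 of RFC 1760 for clarity (simplified model, not interoperable).
"""
import hashlib


def otp_at(secret: str, seed: str, count: int) -> bytes:
    """Return H^count(seed || secret): the one-time password for a given counter."""
    value = hashlib.sha256((seed + secret).encode()).digest()
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value


class SKeyServer:
    """Verifier side: holds H^count, accepts a value whose hash matches, then moves down the chain."""

    def __init__(self, secret: str, seed: str, n: int):
        # Enrolment: the client computes H^n once and hands it over; the secret stays with the user.
        self.count = n
        self.last = otp_at(secret, seed, n)

    def login(self, candidate: bytes) -> bool:
        # The challenge is (count - 1); a valid response hashes to the stored value.
        if hashlib.sha256(candidate).digest() != self.last:
            return False
        self.count -= 1
        self.last = candidate
        return True


def demo() -> dict:
    """Walk through the scenario discussed in the thread (constructed sample values)."""
    secret, seed, n = "correct horse battery", "eu12345", 100
    server = SKeyServer(secret, seed, n)
    first = otp_at(secret, seed, n - 1)
    legit = server.login(first)      # accepted: counter drops to 99
    replay = server.login(first)     # rejected: a sniffed OTP alone is useless
    # If the keystroke logger captured the *secret*, the chain is fully reproducible:
    # the intruder computes OTP 98 without ever seeing the user type it.
    intruder = server.login(otp_at(secret, seed, n - 2))   # accepted: counter drops to 98
    # The real user presents OTP 98 as well; it no longer matches the stored value.
    # That failed login is the only signal the "astute user" gets, and it comes too late.
    user_next = server.login(otp_at(secret, seed, n - 2))
    return {"legit": legit, "replay": replay, "intruder": intruder,
            "user_next": user_next, "count": server.count}
```

The defensive conclusion matches the thread: a hash chain protects against password sniffing on the wire, not against compromise of the endpoint that holds the secret.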