Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-08 Thread Sebastian Posner
Jim Popovitch wrote:

  ALLOW rules and SSH-keys.
 
 Is there a way to force keys AND passwd verification?

Normally you'd want to DISABLE PasswordAuthentication and 
ChallengeResponseAuthentication - unless you have a special and well-maintained 
setup like e.g. One-Time-Pads or such - because both can potentially be 
brute-forced way faster than SSH-keys... unless you happen to use a key generated 
with one of those funny buggy random-sources from the past, in which case a 
well-maintained sshd nowadays will simply reject your key.

Something that would indeed be interesting is a way to enforce that the PRIVATE 
KEY is password-protected - sadly, you can't see this from the public key, and 
I'm not aware of any possibility to query the client concerning this specific 
matter.

Sebastian
-- 
baboo


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
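The advice above is to disable PasswordAuthentication and ChallengeResponseAuthentication so that only keys are accepted. Checking that this actually holds is less obvious than it looks, because sshd takes the first value it sees for a keyword and a "no" later in the file or inside a Match block does not undo an earlier "yes". The following script is an added example, not code from the thread or from OpenSSH: it parses an sshd_config the way sshd does for these keywords (first value wins, case-insensitive keywords, "Key=value" accepted), ignores everything from the first Match block on (an assumption: only global settings are audited), and reports which authentication methods are still open. The two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# settings discussed above. Two sshd parsing rules matter here:
#   - sshd uses the FIRST value it finds for a keyword, so a later
#     "PasswordAuthentication no" does not override an earlier "yes";
#   - keywords are case-insensitive, and "Keyword=value" is accepted.
# Everything from the first "Match" line on is conditional and is
# ignored (assumption: we audit only the global settings).

# Print the effective value of keyword $2 in file $1, lower-cased, or
# the compiled-in default $3 when the keyword is not set globally.
ssh_effective() {
  file=$1 key=$2 default=$3
  val=$(awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
    { gsub(/=/, " ") }                      # "Key=value" -> "Key value"
    /^[[:space:]]*#/ || NF == 0 { next }    # comments and blank lines
    tolower($1) == "match" { exit }         # global section ends here
    tolower($1) == k { print tolower($2); exit }
  ' "$file")
  printf '%s\n' "${val:-$default}"
}

# Report the authentication methods sshd would still accept with this
# config. Returns 0 when only public keys are accepted, otherwise the
# number of findings. Caveat worth remembering: with "UsePAM yes", a PAM
# password prompt still runs through keyboard-interactive unless
# ChallengeResponseAuthentication is also "no".
ssh_audit() {
  file=$1 findings=0
  pw=$(ssh_effective "$file" PasswordAuthentication yes)
  cr=$(ssh_effective "$file" ChallengeResponseAuthentication yes)
  pk=$(ssh_effective "$file" PubkeyAuthentication yes)
  [ "$pw" = no ]  || { echo "$file: PasswordAuthentication is '$pw' (want no)"; findings=$((findings + 1)); }
  [ "$cr" = no ]  || { echo "$file: ChallengeResponseAuthentication is '$cr' (want no)"; findings=$((findings + 1)); }
  [ "$pk" = yes ] || { echo "$file: PubkeyAuthentication is '$pk' (want yes)"; findings=$((findings + 1)); }
  return "$findings"
}

# Constructed sample configs. The "weak" one looks hardened at a glance,
# but the first PasswordAuthentication line wins, the "no" in the Match
# block applies only to that user, and ChallengeResponseAuthentication
# is left at its default of "yes".
WEAK_CFG=$(mktemp) HARDENED_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# sshd_config (constructed sample)
PasswordAuthentication yes
Port 22
passwordauthentication no
Match User backup
    PasswordAuthentication no
EOF

cat > "$HARDENED_CFG" <<'EOF'
# sshd_config (constructed sample)
PubkeyAuthentication yes
PasswordAuthentication=no
ChallengeResponseAuthentication no
UsePAM yes
EOF

ssh_audit "$WEAK_CFG" || echo "weak config: $? finding(s)"
ssh_audit "$HARDENED_CFG" && echo "hardened config: key-only authentication"
```

On a live host the same keyword lookup can be applied to the output of `sshd -T`, which prints the effective configuration after sshd's own parsing; the file-based version above is what you would run from a config-management check before the daemon is reloaded.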



Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-08 Thread Sebastian Posner
Michael Stone wrote:

[A way to enforce non-empty passwd on ssh-keys]

 You can't, which is why it is useful to have both passwords and keys 
 simultaneously--you can enforce a policy on a password.

To cite Noah Meyerhans from his recent mail - my users would shoot me if I ever 
tried such a thing.
Sadly, I'm not their boss, but they are more or less my customers, so putting a 
security policy in place requiring the previously stated mechanism would be 
more like starting a war than a small skirmish.

Sebastian
-- 
baboo

