From: Chris Palmer <chris@noncombatant.org>
To: freebsd-security@freebsd.org
Date: Wed, 3 Feb 2010 18:20:10 -0800
Subject: Re: PHK's MD5 might not be slow enough anymore
Message-ID: <20100204022010.GL26286@noncombatant.org>
In-Reply-To: <86ljfac5ua.fsf@ds4.des.no>
References: <20100128182413.GI892@noncombatant.org> <9d972bed1001281324r29b4b93bw9ec5bc522d0e2764@mail.gmail.com> <20100128224022.396588dc@gumby.homeunix.com> <201001282311.o0SNBWp4003678@apollo.backplane.com> <86ock95bls.fsf@ds4.des.no> <201002011824.o11IOxjQ045906@apollo.backplane.com> <86y6jacyxb.fsf@ds4.des.no> <201002031814.o13IEYqk081411@apollo.backplane.com> <86ljfac5ua.fsf@ds4.des.no>

Dag-Erling Smørgrav writes:

> option to store their keys unencrypted, and there is nothing you can do on
> the server side to prevent them? That's even *less* secure than
> passwords.

Less secure in certain, but not all, attack scenarios. An attacker with code running on the client (i.e. any code author at all with code on the client running as the user who wants to use the SSH client... sigh) can log right in -- but that class of attacker could also keylog the SSH key passphrase. (The problem is worse if you consider local privilege escalation vulnerabilities, and if the prevalence of those vulnerabilities leads you to believe that the fundamental guarantee of a multi-user system cannot hold in practice.)

The true value of a passphrase is to stymie attackers who steal the key (perhaps by stealing the laptop) but who don't have their own code running on the client at the time the legitimate owner is using the machine. Full disk encryption is a better, more general approach to that class of threat anyway.

On the other hand, an attacker trying an online brute-force password guess against the server still has no hope, without the unprotected key, even if the key is not protected by a passphrase.

I don't disagree with any argument that more auth factors are better, of course. But passphrase-less SSH keys are not necessarily the worst thing in the world.
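The thread's premise is that the server cannot tell whether a client key has a passphrase, so the check has to happen on the client. The script below is an added example (not code from this thread, from FreeBSD or from OpenSSH) that audits private key files for passphrase protection by reading only the key container's header: for the openssh-key-v1 format that is the ciphername/kdfname pair after the magic string (an unencrypted key carries "none"/"none"), for legacy PEM keys it is the "Proc-Type: 4,ENCRYPTED" header, and for PKCS#8 it is the BEGIN label. The sample keys are constructed here (header-only containers and placeholder bodies, not real key material); the `~/.ssh/id_*` glob in the main block is an assumption about where keys live.

```python
"""Audit private key files for passphrase protection.

Added example, not code from the mailing-list thread or from OpenSSH.
Only the key container header is inspected; the passphrase is never needed.
"""
import base64
import glob
import os
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def _pem_block(text):
    """Split the first PEM block into (label, RFC 1421 headers, base64 body)."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    headers, body, in_headers = {}, [], True
    for line in m.group(2).splitlines():
        if in_headers and ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
            continue
        in_headers = False
        if line.strip():
            body.append(line.strip())
    return m.group(1), headers, "".join(body)


def key_protection(text):
    """Return (container, protected, detail) for one private key file."""
    label, headers, b64 = _pem_block(text)
    if label == "OPENSSH PRIVATE KEY":
        # openssh-key-v1 layout: magic, string ciphername, string kdfname,
        # string kdfoptions, uint32 nkeys, ...  Unencrypted keys say "none".
        raw = base64.b64decode(b64)
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(raw, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(raw, off)
        detail = "%s/%s" % (cipher.decode(), kdf.decode())
        return "openssh-key-v1", cipher != b"none", detail
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8", True, "encrypted PKCS#8"
    if label == "PRIVATE KEY":
        return "pkcs8", False, "plaintext PKCS#8"
    if label.endswith(" PRIVATE KEY"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by RFC 1421 headers.
        protected = headers.get("Proc-Type") == "4,ENCRYPTED"
        return "pem-legacy", protected, headers.get("DEK-Info", "no DEK-Info")
    raise ValueError("not a private key: " + label)


def unprotected_keys(files):
    """files: {name: contents}. Return names of keys with no passphrase."""
    return sorted(n for n, t in files.items() if not key_protection(t)[1])


# --- Constructed samples (not real keys) so the module runs offline. --------
def _openssh_sample(cipher, kdf):
    """Header-only openssh-key-v1 container: key material omitted and
    kdfoptions left empty, which is all the header check above reads."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    raw = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64


LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
                    "Proc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
                    "\n"
                    "QUJDREVGR0g=\n"  # placeholder body, not key material
                    "-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = ("-----BEGIN RSA PRIVATE KEY-----\n"
                "QUJDREVGR0g=\n"
                "-----END RSA PRIVATE KEY-----\n")

SAMPLES = {
    "id_ed25519": _openssh_sample(b"aes256-ctr", b"bcrypt"),
    "id_ed25519_ci": _openssh_sample(b"none", b"none"),
    "id_rsa_old": LEGACY_ENCRYPTED,
    "id_rsa_plain": LEGACY_PLAIN,
}

if __name__ == "__main__":
    # Real use: audit the current user's ~/.ssh (assumed location), falling
    # back to the constructed samples when no keys are present.
    paths = [p for p in glob.glob(os.path.expanduser("~/.ssh/id_*"))
             if not p.endswith(".pub")]
    files = {p: open(p).read() for p in paths}
    for name in unprotected_keys(files or SAMPLES):
        print("no passphrase:", name)
```

Run it as a user and it lists the keys that anyone who can read the file can use directly; as the message notes, a passphrase helps only against the thief who has the file but no code running on the box, so the practical follow-up is full disk encryption plus re-keying anything the audit flags.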