Date: Thu, 10 Dec 2015 20:55:52 +0100 From: Terje Elde <terje@elde.net> To: Matthew Seaman <matthew@FreeBSD.org> Cc: freebsd-questions@freebsd.org Subject: Re: best practice for locking down private jail? Message-ID: <B47F1A5D-AD1D-4A4C-AF63-5CF1C896E0A7@elde.net> In-Reply-To: <565FFBDF.40907@FreeBSD.org> References: <CACcSE1yQO8AjW9rpY%2Bd2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com> <CACcSE1yqeXqd=mLJ-=aJGr0hXcUEE0v3MeiAty6e4cgpWF7D8g@mail.gmail.com> <20151203083926.72ad74db.freebsd@edvax.de> <565FFBDF.40907@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> On 03 Dec 2015, at 09:22, Matthew Seaman <matthew@FreeBSD.org> wrote: >=20 > Keys *and* a password doesn't offer any additional security over just > keys alone. Actually, that's not true.=20 It's a fairly common thought, since both are key+password, but there's a ver= y real difference; online vs. offline.=20 If you have an encrypted ssh private key, you can try to brute-force the pas= sword as much as you'd like, in the comfort of your own home.=20 The password on the server though, would have to be tried against the server= , leaving logs, possibly getting your IP firewalled, and alerting admin.=20 This is also where it gets interesting; if you check key before password, so= meone uses the key but fails at the password a mere 3 times, you could revok= e the key, and lock up the user.=20 That's what I'd call a pretty significant boost in security.=20 (Granted, the last part of that would perhaps require some scripting) And your point isn't completely without merit. For a lot of cases it doesn't= matter; if the key is compromised because someone got access to the system w= hile in use (as opposed to say, theft, DHS etc), there's a good chance the a= ttacker could keylog the passphrase, at which point most of this would be mo= ot.=20 To sum up; for some attackers/scenarios, it can boost security significantly= , for others it hardly matters. For most, it's probably better to just go wi= th keys, or take another step up and look at 2FA, or moving SSH keys to hard= ware (smartcard, yubikey...) I'm not suggesting everyone run out and set passwords, not adopt anything I m= ention here, my point is just that there's a difference between encrypted ke= y and key+password, and the difference can be leveraged for gain where appro= priate.=20 Oh, and final note; there's some possible fun to be had here if anyone is in= a scripting mood, such as setting up a system to revoke SSH-keys to ALL mac= hines, if key works but password fails on ANY, if key is successfully used f= rom a non-whitelisted IP, and so on. Later SSHs have some CA-infrastructure,= ink. ability to distribute revocation-lists. That opens up to being able to= keep revocation ready at hand, and distributing only after its needed.=20 Terje
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B47F1A5D-AD1D-4A4C-AF63-5CF1C896E0A7>