[CS-FSLUG] Are ssh shared keys in the wild?
Tim Young
Tim.Young at LightSys.org
Wed May 30 15:48:07 CDT 2012
(grin) The only "safe" computer on the Internet is one that has been
encased in cement and dropped into the deepest part of the ocean (or
perhaps catapulted into space).
But, that said, using ssh keys does not decrease the security of a
remote system if they are used properly. I do this all the time.
Actually, many people do consider keys preferred over password
protection. If you look at your security log on a system that has
ssh enabled on the standard port, you will probably find a few
hundred to a few thousand ssh probes (people trying to guess
passwords on your machine) per day. Because people often use poor
passwords, the hackers will often get in.
I probably remove hackers from Linux machines somewhere around 5
times a year (I service a number of missions). At the moment, the
most common vulnerability I see has to do with unpatched web
services, with the second most common way into the system being poor
passwords.
Anyway, I have never seen someone break into a system using ssh keys
(though if you have a dumb password on your root account, using keys
will not increase your security unless you disable the password for
root. Not a good thing to do.)
The only real issue is that, if you ever have the client compromised
(the computer from which the key was generated), you need to
re-generate the key to make a new one, and cancel the key on the
various servers you may have connected to. (To cancel the key,
simply remove it from the authorized_keys file.)
SSH keys are incredibly handy. I like them. I use them.
- Tim Young, Field Consultant, LightSys Technology Services
On 5/30/2012 3:24 PM, Mark Clayton wrote:
>
> Hi,
>
> I've been using rsnapshot on my LAN to back up several Linux
> machines. I've been thinking of adding my web hosting site into the
> backup scheme. I would need to set up ssh shared keys so rsync can
> access the account. I've never used shared keys in the open because
> I don't know the pitfalls. Is this a safe thing to do?
>
> Thanks,
> Mark Clayton
> --
> claytoncapers.blogspot.com <http://claytoncapers.blogspot.com>
> www.mark-clayton.com <http://www.mark-clayton.com>
>
> _______________________________________________
> ChristianSource FSLUG mailing list
> Christiansource at ofb.biz
> http://cs.uninetsolutions.com
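
The reply above says a compromised key is cancelled by removing it from the authorized_keys file. The following is an added example, not part of the original thread, showing one way to do that safely on a server; the function names `revoke_key` and `demo` and the key blobs in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: revoke one public key from an authorized_keys file.
# usage: revoke_key <compromised.pub> <authorized_keys>
# Prints the number of entries removed; returns 1 if the key was not present.
revoke_key() {
    pub=$1 auth=$2
    # A .pub file is "<type> <base64-blob> [comment]"; the blob identifies the key.
    blob=$(awk 'NF >= 2 && $1 !~ /^#/ { print $2; exit }' "$pub")
    [ -n "$blob" ] || { echo "no key found in $pub" >&2; return 2; }
    # Temp file in the same directory so the final rename is atomic.
    tmp=$(mktemp "$auth.XXXXXX") || return 2
    # authorized_keys lines may begin with options (from="...",no-pty ...),
    # so compare the blob against every field, not only the second one.
    removed=$(awk -v blob="$blob" -v out="$tmp" '
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == blob) hit = 1 }
        hit { n++; next }
        { print > out }
        END { print n + 0 }
    ' "$auth") || { rm -f "$tmp"; return 2; }
    if [ "$removed" -eq 0 ]; then
        rm -f "$tmp"; echo 0; return 1   # nothing matched: leave the file alone
    fi
    cp -p "$auth" "$auth.bak"   # keep the previous file for review
    chmod 600 "$tmp"            # owner-only, which sshd accepts
    mv "$tmp" "$auth"           # sshd never sees a half-written file
    echo "$removed"
}

# Demo on constructed data (fake key blobs, not real keys).
demo() {
    d=$(mktemp -d) || return 2
    echo 'ssh-ed25519 AAAAC3FAKEold laptop' > "$d/old.pub"
    cat > "$d/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3FAKEnew workstation
from="192.0.2.10",no-pty ssh-ed25519 AAAAC3FAKEold laptop
ssh-rsa AAAAB3FAKEother backup
EOF
    revoke_key "$d/old.pub" "$d/authorized_keys" >/dev/null
    cat "$d/authorized_keys"    # the two remaining entries
    rm -rf "$d"
}
demo
```

Run it against the authorized_keys file of every account on every server that trusted the old key, then install the newly generated public key.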