[CS-FSLUG] Are ssh shared keys in the wild?

Tim Young Tim.Young at LightSys.org
Wed May 30 15:48:07 CDT 2012

(grin) The only "safe" computer on the Internet is one that has been 
encased in cement and dropped into the deepest part of the ocean (or 
perhaps catapulted into space).

But, that said, using ssh keys does not decrease the security of a 
remote system if they are used properly.  I do this all the time.  
Actually, many people do consider keys preferred over password 
protection.  If you look at your security log on a system that has 
ssh enabled on the standard port, you will probably find a few 
hundred to a few thousand ssh probes (people trying to guess 
passwords on your machine) per day.  Because people often use poor 
passwords, the hackers will often get in.

I probably remove hackers from Linux machines somewhere around 5 
times a year (I service a number of missions).  At the moment, the 
most common vulnerability I see has to do with unpatched web 
services, with the second most common way into the system being poor 

Anyway, I have never seen someone break into a system using ssh keys 
(though if you have a dumb password on your root account, using keys 
will not increase your security unless you disable the password for 
root.  Not a good thing to do.)

The only real issue is that, if you ever have the client compromised 
(the computer from which the key was generated), you need to 
re-generate the key to make a new one, and cancel the key on the 
various servers you may have connected to.  (to cancel the key, 
simply remove it from the authorized_keys file).

SSH keys are incredibly handy.  I like them.  I use them.

     - Tim Young, Field Consultant, LightSys Technology Services

On 5/30/2012 3:24 PM, Mark Clayton wrote:
> Hi,
> I've been using rsnapshot on my lan to backup several linux 
> machines. I've been thinking of adding my web hosting site into the 
> backup scheme. I would need to setup ssh shared keys so rsync can 
> access the account. I've never used shared keys in the open because 
> I don't know the pitfalls. Is this a safe thing to do?
> Thanks,
> Mark Clayton
> --
> claytoncapers.blogspot.com <http://claytoncapers.blogspot.com>
> www.mark-clayton.com <http://www.mark-clayton.com>
> _______________________________________________
> ChristianSource FSLUG mailing list
> Christiansource at ofb.biz
> http://cs.uninetsolutions.com

More information about the Christiansource mailing list