[CS-FSLUG] Are ssh shared keys in the wild?
Josiah Ritchie
josiah at josiahritchie.com
Wed May 30 20:19:59 CDT 2012
Why do you say it is a bad idea to disable the root password? I'm
running several ubuntu and redhat-derivative servers. The only time
I've had problems is when someone messes with the sudoers file who
doesn't know what they are doing. Then it's just boot into single user
mode and fix it. In the cases I've had to do that, they ere VMs so it
was possible to do that remotely from the host.
I disable it so that people trying to guess have no chance of
acquiring root access without guessing another user account name.
Tim's pretty smart about such things so now I'm wondering what
disaster I have coming my way.
Another thing I do is use a different SSH key per computer so that if
my laptop gets stolen, it is pretty easy to disable that ssh key
without causing much more trouble. I've been looking at Puppet lately
and found it is pretty simple to automate the setup of the
authorized_keys file for my user account and remove them using this
software. I'm looking forward to digging into this more.
JSR/
On Wed, May 30, 2012 at 4:48 PM, Tim Young <Tim.Young at lightsys.org> wrote:
> (grin) The only "safe" computer on the Internet is one that has been encased
> in cement and dropped into the deepest part of the ocean (or perhaps
> catapulted into space).
>
> But, that said, using ssh keys does not decrease the security of a remote
> system if they are used properly. I do this all the time. Actually, many
> people do consider keys preferred over password protection. If you look at
> your security log on a system that has ssh enabled on the standard port, you
> will probably find a few hundred to a few thousand ssh probes (people trying
> to guess passwords on your machine) per day. Because people often use poor
> passwords, the hackers will often get in.
>
> I probably remove hackers from Linux machines somewhere around 5 times a
> year (I service a number of missions). At the moment, the most common
> vulnerability I see has to do with unpatched web services, with the second
> most common way into the system being poor passwords.
>
> Anyway, I have never seen someone break into a system using ssh keys (though
> if you have a dumb password on your root account, using keys will not
> increase your security unless you disable the password for root. Not a good
> thing to do.)
>
> The only real issue is that, if you ever have the client compromised (the
> computer from which the key was generated), you need to re-generate the key
> to make a new one, and cancel the key on the various servers you may have
> connected to. (to cancel the key, simply remove it from the authorized_keys
> file).
>
> SSH keys are incredibly handy. I like them. I use them.
>
> - Tim Young, Field Consultant, LightSys Technology Services
>
>
> On 5/30/2012 3:24 PM, Mark Clayton wrote:
>>
>>
>> Hi,
>>
>> I've been using rsnapshot on my lan to backup several linux machines. I've
>> been thinking of adding my web hosting site into the backup scheme. I would
>> need to setup ssh shared keys so rsync can access the account. I've never
>> used shared keys in the open because I don't know the pitfalls. Is this a
>> safe thing to do?
>>
>> Thanks,
>> Mark Clayton
>> --
>> claytoncapers.blogspot.com <http://claytoncapers.blogspot.com>
>> www.mark-clayton.com <http://www.mark-clayton.com>
>>
>>
>>
>>
>> _______________________________________________
>> ChristianSource FSLUG mailing list
>> Christiansource at ofb.biz
>> http://cs.uninetsolutions.com
>
>
> _______________________________________________
> ChristianSource FSLUG mailing list
> Christiansource at ofb.biz
> http://cs.uninetsolutions.com
--
http://about.me/josiah
More information about the Christiansource
mailing list