Subject: Re: pam, ssh, and pam_ssh
To: None <current-users@netbsd.org>
From: Christos Zoulas <christos@tac.gw.com>
List: current-users
Date: 03/14/2005 15:36:21
In article <20050314102548.GH27469@apb-laptoy.apb.alt.za>,
Alan Barrett <apb@cequrux.com> wrote:
>On Sun, 13 Mar 2005, Christos Zoulas wrote:
>> Why is everyone jumping the gun? I just tried it and it works fine for
>> me. Can someone explain what the problem is? I commented out all my
>> authorized keys entries and sshd did not let me in anymore.
>
>I explained it before. See
>http://mail-index.NetBSD.org/tech-security/2005/02/27/0002.html.
>
>If you don't see the problem from that explanation, then
>perhaps this scenario will help.
>
>I have two hosts, laptop and desktop.
>
>desktop is in a secure location. No untrusted people have physical
>access to it. No untrusted people have root on it. No backups are
>stored in untrusted locations. No untrusted people even have accounts
>on it.
>
>I have an ssh key pair, K_public and K_private. On my desktop machine,
>K_public is listed in ~/.ssh/authorized_keys. On my laptop machine,
>K_private is encrypted using a strong passphrase, and the resulting
>copy of E(strong,K_private) is stored in the file system. On my
>desktop machine, K_private is encrypted using a weak passphrase, and
>the resulting copy of E(weak,K_private) is stored in the file system.
>The copy of E(weak,K_private) is protected by filesystem permissions,
>with the intent that only trusted people who have already logged in, or
>people with physical access to bypass filesystem permissions, can read
>the file in which the key is stored.
>
>In the past, to login to my desktop, I would start on my laptop, use the
>strong passphrase to unlock the laptop's copy of E(strong,K_private) to
>ssh to the desktop. Once I was on the desktop, I could use the weak
>passphrase to unlock the desktop's copy of E(weak,K_private) to ssh to
>anywhere else. The weak passphrase was never useful to people who did
>not already have access to my files on my desktop machine.
>
>In the past, somebody with physical access to my desktop could bypass
>filesystem security to steal a copy of E(weak,K_private), and guess
>the weak passphrase, and thereby get access to my account. Similarly,
>somebody who could exploit bugs to get access to my account on desktop
>could steal a copy of E(weak,K_private). But I judged the risk of that
>to be acceptable.
>
>Now, the weak passphrase allows anybody to login to my desktop machine,
>without even having to steal a copy of E(weak,K_private). This is a
>huge break with past tradition. This totally changes the security model
>for SSH private keys. I do not like this at all.
Weak == "empty passphrase". Isn't that right? The issue here is with
the pam module, loading the weak key and trying to authenticate with
an empty passphrase. Or am I understanding this incorrectly?
christos