I like to retain some semblance of optimism for humanity, and so I'm just
going to hope that this assertion is false. I have to hope that there is at
least a large minority of people who correctly use ssh-agent for the suppression
of password prompting, and protect their private keys with passwords.
-------- Original message --------
From: Dan Kaminsky <dan at doxpara.com>
Date: 05/23/2013 5:39 PM (GMT-08:00)
To: "Dan Mahoney, System Admin" <danm at prime.gushi.org>
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Utility to scan for unpassworded SSH privkeys?
Effectively nobody passphrases their ssh keys. They're used as a way to
*suppress* password entry in the real world -- use this, and things just work
rather than poking you each time.
Sent from my iPhone
On May 23, 2013, at 5:19 PM, "Dan Mahoney, System Admin" <danm at
prime.gushi.org> wrote:
> Hey all,
>
> Let's make an assumption:
>
> 1) I am a root user on a system.
>
> 2) I don't want said system being used as a jumping-off point if either
> a user account or the root account is compromised.
>
> Given an unencrypted private key, plus a known_hosts file, plus
> bash_history, it's a pretty easy avenue of attack once you're in the
> front door. And it's happened before*.
>
> Thus, what I'd like to do is (in the spirit of crack's
> "nastygram" script), trawl through user .ssh directories and warn
> users with insecure keys (or warn root).
>
> I'm shocked I can't find something that does this with a basic
> google search. Debian offers their ssh-vulnkey tool, but that checks for
> something different (weak RNG-seeded keys).
>
> Has anyone come across something like this? Better still, written it?
>
> It seems to me that something like this should be in /contrib, but
> that's just me.
>
> My ears are open.
>
> -Dan
>
>
> *(http://it.slashdot.org/story/12/11/17/143219/freebsd-project-discloses-security-breach-via-stolen-ssh-key)
> http://threatpost.com/apache-site-hacked-through-ssh-key-compromise-082809/
>
> --
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144  AIM: LarpGM
> Site: http://www.gushi.org
> ---------------------------
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
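Added example, not code from this thread or from OpenSSH: a small root-run sweep of the kind Dan Mahoney describes, which classifies each file under a user's ~/.ssh as an encrypted or unencrypted private key by inspecting the legacy PEM "Proc-Type: 4,ENCRYPTED" header, the PKCS#8 "ENCRYPTED PRIVATE KEY" label, or the cipher and KDF names at the head of an openssh-key-v1 blob. The /home root, the function names and the sample blobs are assumptions made for this example; the samples carry headers only, no key material.

```python
import base64, os, re, struct

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _ssh_string(blob, off):  # one SSH wire string: uint32 big-endian length, then bytes
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def classify_key(data):
    """Return 'encrypted', 'unencrypted', or None when data is not a private key."""
    if not (m := PEM_RE.search(data)):
        return None
    label, body = m.group(1), m.group(2)
    if label == b"OPENSSH PRIVATE KEY":
        # openssh-key-v1: cipher and KDF names follow the magic; "none"/"none" = stored in the clear
        try:
            blob = base64.b64decode(b"".join(body.split()))
            if not blob.startswith(OPENSSH_MAGIC): raise ValueError("not openssh-key-v1")
            cipher, off = _ssh_string(blob, len(OPENSSH_MAGIC))
            kdf, _ = _ssh_string(blob, off)
        except (ValueError, struct.error):
            return None
        return "unencrypted" if cipher == b"none" and kdf == b"none" else "encrypted"
    if label == b"ENCRYPTED PRIVATE KEY":      # PKCS#8 wrapped with a passphrase
        return "encrypted"
    if label.endswith(b"PRIVATE KEY"):          # legacy PEM RSA/DSA/EC or plain PKCS#8
        return "encrypted" if b"Proc-Type: 4,ENCRYPTED" in body else "unencrypted"
    return None

def scan_ssh_dirs(root="/home"):
    """Walk <root>/*/.ssh and return the private keys stored without a passphrase."""
    findings = []
    for user in sorted(os.listdir(root)) if os.path.isdir(root) else []:
        sshdir = os.path.join(root, user, ".ssh")
        for name in sorted(os.listdir(sshdir)) if os.path.isdir(sshdir) else []:
            path = os.path.join(sshdir, name)
            if name.endswith(".pub") or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as f:
                    if classify_key(f.read()) == "unencrypted":
                        findings.append(path)
            except OSError: pass  # unreadable file: skip it rather than abort the sweep
    return findings

def sample_openssh_key(cipher, kdf):
    """Constructed openssh-key-v1 header only (no real key material), for testing."""
    hdr = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", len(kdf)) + kdf
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(hdr) + b"\n-----END OPENSSH PRIVATE KEY-----\n"
```

Run `scan_ssh_dirs()` as root and mail each path in the result to its owner; a key that classifies as "unencrypted" is exactly the artefact the two linked breaches turned on.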