Common Threads: OpenSSH Key Management, part One

forkb0mb.org

Calendar

Back May '13
Mon Tue Wed Thu Fri Sat Sun
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    

Quicksearch

Categories


All categories

Archives

Blog Administration

Open login screen

Common Threads: OpenSSH Key Management, part One

Sunday, January 16. 2011

Common Threads: OpenSSH Key Management, part One

Many of us use the excellent OpenSSH [...] as a secure, encrypted replacement for the venerable telnet and rsh commands. One of OpenSSH's more intriguing features is its ability to authenticate users using the RSA and DSA authentication protocols, which are based on a pair of complementary numerical keys. As one of its main appeals, RSA and DSA authentication promise the capability of establishing connections to remote systems without supplying a password. While this is appealing, new OpenSSH users often configure RSA/DSA the quick and dirty way, resulting in passwordless logins, but opening up a big security hole in the process.

/*
Yet another of the DeveloperWorks! series. I love these articles.

The vulnerability in question has to do with pub-key (RSA/DSA) authentication and leaving a null/blank passphrase on the keypair. This article describes how to configure ssh-agent to cache the decrypted private keys so you only have to type the passphrase once per session. This has the benefit of allowing you to use scripted SSH logins without being prompted for a password, but also means that the keypair is still relatively secure even if someone else manages to compromise them via the filesystem.
*/

OpenSSH's RSA and DSA authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key. The advantage of using these key-based authentication systems is that in many cases, it's possible to establish secure connections without having to manually type in a password.

While the key-based authentication protocols are relatively secure, problems arise when users take certain shortcuts in the name of convenience, without fully understanding their security implications. In this article, we'll take a good look at how to correctly use RSA and DSA authentication protocols without exposing ourselves to any unnecessary security risks. In my next article, I'll show you how to use ssh-agent to cache decrypted private keys, and introduce keychain, an ssh-agent front-end that offers a number of convenience advantages without sacrificing security.

/*
A more in-depth description of what I mentioned above.

Highlights include:
  • What is RSA/DSA authentication?
  • How RSA/DSA keys work
  • Two observations
  • ssh-keygen up close
  • The quick compromise
  • RSA key pair generation
  • RSA public key install
  • DSA key generation
  • DSA public key install

    For those already familiar with ssh-agent(1) - which you should be - then you can skip ahead to Part Two and Part Three.
    */
    • Posted by TJE in Articles, Cryptography/Privacy, IBM DeveloperWorks, Networking, Network Security, News, SSL, Tools at 16:03

    Trackbacks
    Trackback specific URI for this entry

    No Trackbacks

    Comments
    Display comments as (Linear | Threaded)

    No comments

    The author does not allow comments to this entry