public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Enforcing passphrase protected ssh keys
@ 2008-09-17  7:59 Alan McKinnon
  2008-09-17 11:16 ` Jil Larner
  0 siblings, 1 reply; 7+ messages in thread
From: Alan McKinnon @ 2008-09-17  7:59 UTC
  To: gentoo-user

Hi all,

I think I'm barking up an impossible tree, but it's worth asking.

Scenario:

I have an sshd-enabled jump box catering for 100+ users. They all use ssh keys 
and we ask them all nicely to passphrase-protect the private key and pretend 
that we enforce this. Keys are in use because the admin load of coping with 
passwords isn't worth the effort. Fortunately, I have a security officer who 
is properly clued up and very willing to listen to reason.

My question:

Is there any known way, no matter how convoluted and bizarre, of checking and 
enforcing from the server end that a private key is passphrase protected? Our 
own research indicates no. One possible way is to audit the user's client 
machine, but we don't have that level of access (and don't want it either).


-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user] Enforcing passphrase protected ssh keys
  2008-09-17  7:59 [gentoo-user] Enforcing passphrase protected ssh keys Alan McKinnon
@ 2008-09-17 11:16 ` Jil Larner
  2008-09-17 12:21   ` Alan McKinnon
  0 siblings, 1 reply; 7+ messages in thread
From: Jil Larner @ 2008-09-17 11:16 UTC
  To: gentoo-user

Hello,

You cannot. The reason for this is simple: you can copy your private key
as many times as you wish, to any place. Even if you were able to
check that a private key is passphrase-protected, it wouldn't mean
every single copy of that key is so protected. And the point of the
private key is that only the owner possesses it and hides it; thus you
shouldn't think about a monthly submission of the keyfile to
automatically check it is protected, because it would open a serious
security hole.

I see the problem you face because some time ago, I used
passphrase-protected keys on my USB stick and ones stored on Windows,
but I assumed my Linux system was secure enough not to need any more
password once logged in. An opinion I revised with time :)

If you generate the keypair for these users, you can protect them with
a complex password, so that lazy users may keep it and learn it (or
write it down...). Fortunately (from my point of view), you do not have
any single point of control on your users' private keyfile. Keeping
their credentials safe is their responsibility. Your security
officer probably knows that 80-90% of the security is about educating
people. Raising their awareness is your most efficient measure of control.

Any way I might think about checking the protection of a private key
seems to be a violation of privacy to me, regardless of the technology.
The one step where you may act is when generating the key pair. What if you
generate it and transfer it to the user in a secure way, after they
filled in a form with the password setting for the key? This way, as they
chose the password, they'd remember it and wouldn't need to change it or
remove it, unless they really want to. Against that last case, there's
nothing you can do.

Good luck,
Jil.

Alan McKinnon wrote:
> Hi all,
> 
> I think I'm barking up an impossible tree, but it's worth asking.
> 
> Scenario:
> 
> I have an sshd-enabled jump box catering for 100+ users. They all use ssh keys 
> and we ask them all nicely to passphrase-protect the private key and pretend 
> that we enforce this. Keys are in use because the admin load of coping with 
> passwords isn't worth the effort. Fortunately, I have a security officer who 
> is properly clued up and very willing to listen to reason.
> 
> My question:
> 
> Is there any known way, no matter how convoluted and bizarre, of checking and 
> enforcing from the server end that a private key is passphrase protected? Our 
> own research indicates no. One possible way is to audit the user's client 
> machine, but we don't have that level of access (and don't want it either).
> 
> 
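
An added illustration of the point discussed in the two messages above (not code from either poster): whether a key is passphrase protected is recorded only in the private key file, while the public key blob that sshd sees is the same either way. It assumes the current OpenSSH private key container (`openssh-key-v1`), which postdates this thread; `inspect_private_key`, `is_passphrase_protected` and `build_sample` are hypothetical names, and both sample keys are constructed with all-zero dummy material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def ssh_string(b):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    """Decode one SSH 'string' at off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key container")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key container")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(text):
    """Return (ciphername, kdfname, public key blob) of an openssh-key-v1 file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH private key file")
    raw = base64.b64decode("".join(lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("bad magic")
    cipher, off = read_string(raw, len(MAGIC))
    kdf, off = read_string(raw, off)
    _kdfopts, off = read_string(raw, off)
    pub, _ = read_string(raw, off + 4)  # skip the uint32 key count
    return cipher.decode(), kdf.decode(), pub

def is_passphrase_protected(text):
    """True when the private section is encrypted under a passphrase-derived key."""
    cipher, kdf, _ = inspect_private_key(text)
    return cipher != "none" and kdf != "none"

def build_sample(cipher, kdf, kdfopts=b""):
    """Constructed container with all-zero dummy key material (not a usable key)."""
    pub = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
    body = (MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdfopts)
            + struct.pack(">I", 1) + ssh_string(pub) + ssh_string(bytes(64)))
    b64 = base64.b64encode(body).decode()
    rows = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, *rows, END]) + "\n"

PLAIN = build_sample(b"none", b"none")
LOCKED = build_sample(b"aes256-ctr", b"bcrypt",
                      ssh_string(bytes(16)) + struct.pack(">I", 16))
```

A check like this can only run where the private key file lives, that is, on the user's client machine, and it says nothing about other copies of the same key.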





* Re: [gentoo-user] Enforcing passphrase protected ssh keys
  2008-09-17 11:16 ` Jil Larner
@ 2008-09-17 12:21   ` Alan McKinnon
  2008-09-17 12:26     ` Robert Bridge
  0 siblings, 1 reply; 7+ messages in thread
From: Alan McKinnon @ 2008-09-17 12:21 UTC
  To: gentoo-user

On Wednesday 17 September 2008 13:16:57 Jil Larner wrote:
> Hello,
>
> You cannot. The reason for this is simple: you can copy your private key
> as many times as you wish, to any place. Even if you were able to
> check that a private key is passphrase-protected, it wouldn't mean
> every single copy of that key is so protected. And the point of the
> private key is that only the owner possesses it and hides it; thus you
> shouldn't think about a monthly submission of the keyfile to
> automatically check it is protected, because it would open a serious
> security hole.

Agreed. The hole I would like to close (or make smaller) is that the key is 
the main security between the user's desktop machine and the core routers on 
my network. We originally switched to ssh keys because users will gladly 
share passwords with each other without regard for consequences, and the 
administration of this is a nightmare.

Keys make for better security, but I would like it to be even better. I also 
want to have my facts 100% straight - if I tell my boss "it can't be done" I 
like to show research to back it up. There's nothing worse than saying 
something can't be done, and someone else in the room immediately says how it 
can be done ... :-)



-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user] Enforcing passphrase protected ssh keys
  2008-09-17 12:21   ` Alan McKinnon
@ 2008-09-17 12:26     ` Robert Bridge
  2008-09-17 12:33       ` Dirk Heinrichs
  2008-09-17 13:04       ` Alan McKinnon
  0 siblings, 2 replies; 7+ messages in thread
From: Robert Bridge @ 2008-09-17 12:26 UTC
  To: gentoo-user


On Wed, 17 Sep 2008 14:21:41 +0200
Alan McKinnon <alan.mckinnon@gmail.com> wrote:

> On Wednesday 17 September 2008 13:16:57 Jil Larner wrote:
> > Hello,
> >
> > You cannot. The reason for this is simple: you can copy your
> > private key as many times as you wish, to any place. Even if you
> > were able to check that a private key is passphrase-protected,
> > it wouldn't mean every single copy of that key is so protected. And
> > the point of the private key is that only the owner possesses
> > it and hides it; thus you shouldn't think about a monthly
> > submission of the keyfile to automatically check it is protected,
> > because it would open a serious security hole.
> 
> Agreed. The hole I would like to close (or make smaller) is that the
> key is the main security between the user's desktop machine and the
> core routers on my network. We originally switched to ssh keys
> because users will gladly share passwords with each other without
> regard for consequences, and the administration of this is a
> nightmare.
> 
> Keys make for better security, but I would like it to be even better.
> I also want to have my facts 100% straight - if I tell my boss "it
> can't be done" I like to show research to back it up. There's nothing
> worse than saying something can't be done, and someone else in the
> room immediately says how it can be done ... :-)

You could use keys AND passwords for the SSH. It should be trivial to
set PAM up for it...



* Re: [gentoo-user] Enforcing passphrase protected ssh keys
  2008-09-17 12:26     ` Robert Bridge
@ 2008-09-17 12:33       ` Dirk Heinrichs
  2008-09-17 13:04       ` Alan McKinnon
  1 sibling, 0 replies; 7+ messages in thread
From: Dirk Heinrichs @ 2008-09-17 12:33 UTC
  To: gentoo-user


On Wednesday 17 September 2008 14:26:50 ext Robert Bridge wrote:

> You could use keys AND passwords for the SSH. It should be trivial to
> set PAM up for it...

And even Kerberos auth.

Bye...

	Dirk
-- 
Dirk Heinrichs          | Tel:  +49 (0)162 234 3408
Configuration Manager   | Fax:  +49 (0)211 47068 111
Capgemini Deutschland   | Mail: dirk.heinrichs@capgemini.com
Wanheimerstraße 68      | Web:  http://www.capgemini.com
D-40468 Düsseldorf      | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: wwwkeys.pgp.net




* Re: [gentoo-user] Enforcing passphrase protected ssh keys
  2008-09-17 12:26     ` Robert Bridge
  2008-09-17 12:33       ` Dirk Heinrichs
@ 2008-09-17 13:04       ` Alan McKinnon
  2008-09-17 13:11         ` Heiko Wundram
  1 sibling, 1 reply; 7+ messages in thread
From: Alan McKinnon @ 2008-09-17 13:04 UTC
  To: gentoo-user

On Wednesday 17 September 2008 14:26:50 Robert Bridge wrote:
> > Keys make for better security, but I would like it to be even better.
> > I also want to have my facts 100% straight - if I tell my boss "it
> > can't be done" I like to show research to back it up. There's nothing
> > worse than saying something can't be done, and someone else in the
> > room immediately says how it can be done ... :-)
>
> You could use keys AND passwords for the SSH. It should be trivial to
> set PAM up for it...

I had thought of that, but I'm shying away from it - the admin load of 
supporting that many user passwords is crippling. The users forget their 
passwords or share them and write them on sticky notes...

-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user] Enforcing passphrase protected ssh keys
  2008-09-17 13:04       ` Alan McKinnon
@ 2008-09-17 13:11         ` Heiko Wundram
  0 siblings, 0 replies; 7+ messages in thread
From: Heiko Wundram @ 2008-09-17 13:11 UTC
  To: gentoo-user

On Wednesday 17 September 2008 15:04:19 Alan McKinnon wrote:
> I had thought of that, but I'm shying away from it - the admin load of
> supporting that many user passwords is crippling. The users forget their
> passwords or share them and write them on sticky notes...

What about one-time-passwords? In addition to a user-supplied SSH-key (whether 
encrypted or not)? There's J2ME-software (i.e., installable on pretty much 
any "normal" mobile phone) to compute OTPs for users, so you don't even need 
additional hardware such as RSA-Tokens, and there's no (noticeable) 
administration-overhead.

Some intro on this which I just found on google which uses opie:

http://www.heise-online.co.uk/security/One-time-passwords-for-home-users--/features/88570

-- 
Heiko Wundram
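
An added sketch of the hash-chain idea behind one-time passwords of the kind suggested in the message above (not code from the post or from OPIE): the server stores only the last accepted OTP, so there is no reusable password to manage or leak. It swaps in SHA-256 with full-length output; the RFC 2289 scheme that OPIE implements folds its hash to 64 bits and encodes it as six words. `chain`, `enroll` and `OtpServer` are hypothetical names, and the secret and seed in the usage are constructed.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Hash seed+secret once, then n more times (the user's OTP calculator)."""
    v = h(seed + secret)
    for _ in range(n):
        v = h(v)
    return v

class OtpServer:
    """Server-side state: seed, remaining count and the last accepted OTP."""
    def __init__(self, seed: bytes, count: int, last: bytes):
        self.seed, self.count, self.last = seed, count, last

    def challenge(self):
        # Sequence number and seed the user needs to compute the next OTP.
        return self.count - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.count <= 0:
            return False  # chain exhausted: the user has to enrol again
        # A valid OTP is the preimage of the stored value under h.
        if not hmac.compare_digest(h(otp), self.last):
            return False
        # Accepting moves one step down the chain, so a replay fails.
        self.last, self.count = otp, self.count - 1
        return True

def enroll(secret: bytes, seed: bytes, count: int) -> OtpServer:
    """Done once on a trusted path; the secret itself is never stored."""
    return OtpServer(seed, count, chain(secret, seed, count))

if __name__ == "__main__":
    secret = b"constructed demo secret"      # known only to the user
    server = enroll(secret, b"ke1234", 5)
    n, seed = server.challenge()
    otp = chain(secret, seed, n)
    print("first login:", server.verify(otp))
    print("replay of the same OTP:", server.verify(otp))
```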



