Re: ssh with diskless machines

From: Peter (pk@q-leap.com)
Date: 03/18/03

  • Next message: Greg Wooledge: "Re: single/multi threaded?"
    From: Peter <pk@q-leap.com>
    Date: Tue, 18 Mar 2003 09:48:52 +0100
    To: cjclark@alum.mit.edu
    
    

    Hello,

    thanks for your replies.

    Crist J. Clark writes:
    >
    > If you cannot store a secret on the individual workstations, you are
    > hosed. There just isn't a way to authenticate in this kind of
    > environment without a secret. Giving the workstations host keys via

    but if we do not use hostkey authentication? I mean the hostkey is
    only used if I ssh to that machine, and then it is only checked
    against the key stored in my known_hosts file. As far as I understand
    the problem, if someone wearing a black hat grabs the key
    because it is sent over the network unencrypted (via NFS, DHCP, tftp,
    ...), turns off one of the workstations, uses its ip-address for his
    laptop, plugs his laptop/PDA/.. in our network starts sshd with this
    key, and waits until someone ssh's there, bingo, whoever has logged in
    is caught. Is that the scenario we are talking about?

    > NFS (heck, might as well give them all the same set of keys) just to

    that would be even worse, or does it really not matter?

    > make SSH happy seems like your only option. This is OK as long as you
    > understand what it means, and you can live with that.
    >
    > The good news is that your authentication is no worse than it was
    > under the r-commands. The bad news is that it is no better
    > either. You're still vulnerable to man-in-the-middle attacks, but
    > sniffing and injection attacks are cut out.
    >
    > > The other idea is of course to generate the keys each time a
    > > workstation boots, but that would mean to often edit the known_hosts
    > > file and perhaps use the "StrictHostKeyChecking no" option.
    >
    > And changing the known_hosts file without manually checking that the
    > key is correct is pointless anyway.
    >
    > > Using DHCP does not look like a better idea than NFS, or does it?
    >
    > Huh? You mean passing the keys as a DHCP option? Never thought of
    > that. But no, it's not a better idea. You wouldn't gain anything.

    yes, that's what I ment, sorry for being so unprecise. We even
    thought of using sftp to get the keys, or how about LDAP.

            Peter

    -- 
    Peter Kruse <pk@q-leap.com>
    Q-Leap Networks GmbH
    +497071-703171
    

  • Next message: Greg Wooledge: "Re: single/multi threaded?"

    Relevant Pages

    • Re: ssh with diskless machines
      ... >> environment without a secret. ... Giving the workstations host keys via ... If you don't use hostkey authentication, ... for the e\/1L black hat to spoof the remote server for r-commands. ...
      (SSH)
    • Re: NTLMv2 vs. Kerberos (Sorry about the similarity)
      ... > You would need use something like LC4 or perhaps a network sniffer like ... > Etherreal to capture authentication packets. ... >> and also disable lm hash storage on your domain controllers and even ... >> test this transmission between workstations or workstation and server? ...
      (microsoft.public.win2000.security)
    • 802.1x and Active Directory
      ... We have a wired Network. ... We have a Windows 2000 Active Directory based ... All the workstations have joined the domain. ... looking for is there anyway we can get 802.1x authentication screen ...
      (microsoft.public.internet.radius)
    • Re: Unable to add users to local groups on member workstations
      ... Anyway the network trace I was talking about wasn't a tracert, it was a sniff of the network traffic with netmon or wireshark or something. ... Joe Richards Microsoft MVP Windows Server Directory Services ... Once I fixed DHCP on the Firebox, computer management worked normally on the workstations. ... "Brian P." wrote: ...
      (microsoft.public.windows.server.active_directory)
    • Re: All advice welcome!
      ... enabling basic authentication seems to have solved ... I am a little confused as to why my existing two workstations appear to work ... the integrated windows option to work. ... Since this is a workgroup environment, there is no centralized account ...
      (microsoft.public.inetserver.iis.security)