Re: Host equivalence
From: John Brightwell (brightwell_151_at_yahoo.co.uk)
Date: 04/28/03
- Previous message: Atro Tossavainen: "Re: Compiling errors with Zlib"
- Maybe in reply to: Peter: "Host equivalence"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Apr 2003 10:04:36 +0100 (BST) To: secureshell@securityfocus.com
On Thu, Apr 24, 2003 at 02:03:34PM +0100, John Brightwell wrote:
> I had in mind that they could use RSA Authentication
> to authenticate the admin's private key but then (if
> they're dead keen on transparently moving to other
> systems) they can somehow cache their key for
> connecting to other systems.
>
> I seem to recall sysadmins at other companies having a
> way of accomplishing this (using eval I think)
Why not just use a key with a blank passphrase (so it doesn't prompt for a
passphrase at all), and move the key around to systems from which they want
to be able to log in?
-roy
The trouble with the above solution is that the key is
then unprotected. Anyone that can gain access to the
machine(s) which hold the key can potentially get the
key (by booting to an alternate OS and trawling the
disk). So this provides about the same security as
using host authentication.
The advantage with having the key 'cached' is that a
rebooted client should hopefully lose the cached
entry. So if anyone manages to compromise the machine
that is used as a client there's a better chance that
they won't be able to get to every other machine
(still not as secure as requiring login at each host
though).
It looks like ssh-agent is the way to go (as suggested
by one of the respondents).
Sadly, I may be back to square one because one of the
sysadmins has informed me that they run multi-host
backups initiated centrally and using scripts to shut
down services (such as Oracle) prior to backup. These
are scheduled and, therefore, cannot be tied to a
sysadmin's shell (and cached key) :-(
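Added example, not code from the thread or from any of its posters: a POSIX shell sketch of the ssh-agent approach the post settles on, giving the cached identity a lifetime and killing the agent with the shell so the key is not left lying around. The function names and the one-hour default are assumptions of mine; OpenSSH client tools are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original thread). Keeps a passphrase-protected
# key on disk and caches the decrypted identity only in a per-shell agent,
# with a lifetime, instead of shipping a blank-passphrase key around.

# Start an agent for this shell and export its socket and PID into the
# environment (this is the "eval" trick the post recalls).
start_agent() {
    eval "$(ssh-agent -s)" >/dev/null || return 1
    # Kill the agent when the shell exits so the cached key does not
    # outlive the session.
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
}

# Load a private key into the agent for a limited time (seconds, default 1h).
# ssh-add asks for the passphrase; the key file itself stays encrypted.
load_key() {
    key="$1"; lifetime="${2:-3600}"
    ssh-add -t "$lifetime" "$key" 2>/dev/null
}

# Return 0 if the agent currently holds the identity for the given key file
# (matched on its public half, so the private key is never read back).
agent_has_key() {
    pub="$(ssh-keygen -y -f "$1")" || return 1
    ssh-add -L 2>/dev/null | grep -qF "$pub"
}

# Drop every cached identity, e.g. before walking away from the console.
forget_keys() {
    ssh-add -D >/dev/null 2>&1
}

# Typical interactive use (assumed key path):
#   start_agent && load_key "$HOME/.ssh/id_ed25519" 3600
#   ssh otherhost    # no prompt while the identity is cached
#   forget_keys      # or just let the lifetime expire / exit the shell
```

This covers only the interactive admin case; the centrally scheduled backups in the last paragraph have no admin shell whose agent they could borrow an identity from.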