host authentication or ssh-agent - what's more secure?
From: Bright (brightwell_151@yahoo.co.uk)
Date: 04/24/03
From: brightwell_151@yahoo.co.uk (Bright) Date: 24 Apr 2003 09:43:19 -0700
Dear all

I'm looking for feedback on which is the better method for securing
access to unix systems while at the same time not making it too
uncomfortable for people to switch between servers.
I'm assuming that we are using ssh (hence the email to this forum).

Option 1

Authentication based on host Private/public key pair (the server
checks its "known_hosts" file in order to allow access)

The security is based upon the initial login to a "trusted" host being
properly authenticated - RSA Authentication or perhaps password (maybe
even SecurID token). Anyone who has successfully logged onto this
machine is assumed to be authenticated by other servers of the same
equivalence.

Note: The system that I've seen uses netgroup and NIS to rationalise
the equivalent systems and users (this is a concern as NIS is not
particularly secure)

Problems:

If someone gains physical access to a "trusted" server they may be
able to obtain root privileges (i.e. booting the system from an
alternate media and changing the password file). They can thereby gain
equivalent access on other systems.

As is mentioned above - if the equivalence is determined by files
distributed via NIS then it's not inconceivable that the same
compromised system can be used to send spoofed NIS maps to ensure it
has access to any system it so desires.

If a service on one of the servers is vulnerable to exploit (e.g.
buffer overflow) then equivalent access is gained to the associated
group of servers. This would allow a worm to propagate.

Advantages:

All the security is server based and relatively easy to supervise.

Option 2 ssh-agent

Many terminal access applications and X-Servers (PuTTY and I think
eXceed) allow a key to be cached after authentication. This allows the
user to authenticate locally to the application and thereafter login
transparently to any servers that include that key in their
authorized_hosts file.

Problems:

This relies upon the security of the application and the host upon
which it resides.

The security measures implemented at the desktop are harder to
supervise.

Advantages:

As long as users are in the habit of logging out of their machine (or
if the agent is set to expire after a given period) then it is
difficult for an out of hours attack to take place. The risk is then
limited somewhat to internal users.

Network listening services will not have their credentials cached so a
vulnerable service will not allow a worm to propagate (other than
through similar vulnerable services).

Having transcribed the above I've pretty much convinced myself that
the 2nd option is the more secure (although I shudder at relying on a
PC for security).

What do you all think?
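
An added example, not part of the original post: one way to check where a server's Option 1 trust comes from, by reading the sshd_config text and a hosts.equiv / shosts.equiv style file. The function names and the sample input are constructed for illustration, and only the global section of the config (before any Match block) is examined.

```python
import re

# sshd_config directives that make sshd trust the client *host* instead of
# the user. The value shown is the setting that enables or widens that trust.
RISKY = {
    "hostbasedauthentication": "yes",
    "rhostsrsaauthentication": "yes",  # protocol 1 counterpart
    "ignorerhosts": "no",              # per-user ~/.rhosts and ~/.shosts honoured
}

def audit_sshd_config(text):
    """Return sorted (directive, value) pairs that enable host-based trust."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":             # assumption: global section only
            break
        if len(parts) == 2:
            # sshd keeps the first value it reads for a keyword
            seen.setdefault(key, parts[1].strip().lower())
    return sorted((k, v) for k, v in seen.items() if RISKY.get(k) == v)

def audit_equiv(text):
    """Classify hosts.equiv / shosts.equiv entries by how trust is defined."""
    findings = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].split()
        if not entry:
            continue
        host = entry[0]
        if host == "+":
            findings.append((host, "wildcard: every host trusted"))
        elif host.startswith("+@"):
            findings.append((host, "netgroup: membership comes from NIS"))
        elif not host.startswith("-"):
            findings.append((host, "single trusted host"))
    return findings

# Constructed sample input, not taken from any real system.
SAMPLE_SSHD = "HostbasedAuthentication yes\nIgnoreRhosts no\nHostbasedAuthentication no\n"
SAMPLE_EQUIV = "+@unixadmins\nbastion.example.com\n-@contractors\n"

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD) + audit_equiv(SAMPLE_EQUIV):
        print(finding)
```

Netgroup entries are the ones whose membership depends on the NIS maps the post is concerned about.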