Re: What can a hacker do with a user private key?

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 11/19/04

    Date: Fri, 19 Nov 2004 09:20:27 -0500
    "Richard Lefebvre" <quasiAROBAS(@)videotronPOINT(.)ca> wrote in message
    news:fYmnd.58085$De5.698715@wagner.videotron.net...
    > Hi,
    >
    > To repeat the subject line, what can a hacker do with a user private key?
    > I can try to control security on my computers, but there is nothing I can
    > do about users home computer where they keep their private keys. Also is
    > there a difference between openssh and ssh.com implementation in that
    > regard.
    >
    > Note: I know it is not the right forum, but what about gnupg private
    > key too?

    This is a big problem in NFS environments, where users tend to leave their
    private keys in their home directories and where lazy people tend to set up
    password-free keys rather than running an SSH-agent.

    If you have someone's private key, you're a big step closer to having access
    to their account. If it's a password-free key, you have as much access as if
    you had recorded their private password and have access to every machine
    that allows key-based access. For a careless admin, this can include root
    access to the company servers. Leaving such a password-free key is as bad as
    putting the user's password on a Post-It note on their monitor.

    ssh.com's code and OpenSSH are identical in this regard.

    PGP is similar in providing access to being able to encrypt or authenticate
    things as if you were that user. But people tend not to leave those without
    passwords, so it's usually not quite as easy to steal, and it doesn't
    provide the remote access possibilities that SSH keys do.
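    An added example, not part of the thread: a small Python audit that flags passphrase-less private keys of the kind the reply above warns about (a defender's check to run over home directories on the NFS server). It reads the cipher name from the OpenSSH `openssh-key-v1` header and the `Proc-Type` header of legacy PEM keys; the sample key files below are constructed stubs, not real keys, and `audit_dir` is an assumed helper name.

```python
import base64
import os
import struct

MAGIC = b"openssh-key-v1\x00"


def _openssh_v1_stub(ciphername: str, kdfname: str) -> bytes:
    """Constructed sample: the leading fields of an OpenSSH private key file."""
    body = MAGIC
    for field in (ciphername.encode(), kdfname.encode()):
        body += struct.pack(">I", len(field)) + field
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n").encode()


# Constructed sample files keyed by name (no real key material).
SAMPLES = {
    "id_ed25519_nopass": _openssh_v1_stub("none", "none"),
    "id_ed25519_pass": _openssh_v1_stub("aes256-ctr", "bcrypt"),
    "id_rsa_pem_pass": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        b"DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
    "id_rsa_pem_nopass": b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "notes.txt": b"not a key at all\n",
}


def classify_key(data: bytes):
    """Return 'encrypted', 'unencrypted', or None when the file is not a private key."""
    text = data.decode("ascii", errors="replace")
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        raw = base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))
        if not raw.startswith(MAGIC):
            return None
        pos = len(MAGIC)
        (n,) = struct.unpack(">I", raw[pos:pos + 4])          # length of ciphername
        cipher = raw[pos + 4:pos + 4 + n].decode()            # "none" means no passphrase
        return "unencrypted" if cipher == "none" else "encrypted"
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:      # PKCS#8, always encrypted
        return "encrypted"
    if "PRIVATE KEY-----" in text:                           # legacy PEM (RSA/DSA/EC)
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "unencrypted"
    return None


def audit(files):
    """Return the names of key files that carry no passphrase, sorted."""
    return sorted(n for n, d in files.items() if classify_key(d) == "unencrypted")


def audit_dir(path):
    """Read every regular file under path (e.g. an exported /home) and audit it."""
    found = {}
    for root, _, names in os.walk(path):
        for name in names:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                found[full] = fh.read(4096)                   # header is enough
    return audit(found)
```

Running `audit_dir("/home")` as root on the file server lists the password-free keys so their owners can be asked to re-key with a passphrase and use an agent.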
