Subject: Re: pam, ssh, and pam_ssh
To: None <current-users@NetBSD.org>
From: Alan Barrett <apb@cequrux.com>
List: current-users
Date: 03/14/2005 12:25:48
On Sun, 13 Mar 2005, Christos Zoulas wrote:
> Why is everyone jumping the gun? I just tried it and it works fine for
> me. Can someone explain what the problem is? I commented out all my
> authorized keys entries and sshd did not let me in anymore.

I explained it before.  See
http://mail-index.NetBSD.org/tech-security/2005/02/27/0002.html.

If you don't see the problem from that explanation, then
perhaps this scenario will help.

I have two hosts, laptop and desktop.

desktop is in a secure location.  No untrusted people have physical
access to it.  No untrusted people have root on it.  No backups are
stored in untrusted locations.  No untrusted people even have accounts
on it.

I have an ssh key pair, K_public and K_private.  On my desktop machine,
K_public is listed in ~/.ssh/authorized_keys.  On my laptop machine,
K_private is encrypted using a strong passphrase, and the resulting
copy of E(strong,K_private) is stored in the file system.  On my
desktop machine, K_private is encrypted using a weak passphrase, and
the resulting copy of E(weak,K_private) is stored in the file system.
The copy of E(weak,K_private) is protected by filesystem permissions,
with the intent that only trusted people who have already logged in, or
people with physical access to bypass filesystem permissions, can read
the file in which the key is stored.

In the past, to log in to my desktop, I would start on my laptop, use the
strong passphrase to unlock the laptop's copy of E(strong,K_private) to
ssh to the desktop.  Once I was on the desktop, I could use the weak
passphrase to unlock the desktop's copy of E(weak,K_private) to ssh to
anywhere else.  The weak passphrase was never useful to people who did
not already have access to my files on my desktop machine.

In the past, somebody with physical access to my desktop could bypass
filesystem security to steal a copy of E(weak,K_private), and guess
the weak passphrase, and thereby get access to my account.  Similarly,
somebody who could exploit bugs to get access to my account on desktop
could steal a copy of E(weak,K_private).  But I judged the risk of that
to be acceptable.

Now, the weak passphrase allows anybody to log in to my desktop machine,
without even having to steal a copy of E(weak,K_private).  This is a
huge break with past tradition.  This totally changes the security model
for SSH private keys.  I do not like this at all.

--apb (Alan Barrett)
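An audit helper for the concern Alan raises, added here as an example and not part of the original mail or of NetBSD: it reports which PAM services have an active "auth" line loading pam_ssh (the module that tries the typed password as the passphrase of a key in the user's ~/.ssh, which is what turns the weak passphrase into a login secret), and which home directories hold a passphrase-protected private key such a module would try to unlock. The pam.d and home paths, key file names and the sample configuration lines are assumptions, not NetBSD defaults.

```shell
#!/bin/sh
# Added example, not from the original mail.  Answers two questions:
#  1. which PAM services accept an SSH key passphrase as the login secret
#     (an active, non-comment "auth" line loading pam_ssh), and
#  2. which users keep an encrypted private key that such a module would
#     try to decrypt with the typed password (E(weak,K_private) above).
# Paths, key names and the sample config lines are assumptions.

# Print "service<TAB>line" for every active auth line loading pam_ssh under
# the pam.d directory $1.  Exit status 0 if any were found, 1 otherwise.
pam_ssh_auth_lines() {
    found=1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if awk -v svc="$(basename "$f")" '
              /^[[:space:]]*#/ { next }                       # skip comments
              $1 == "auth" && $0 ~ /pam_ssh/ { printf "%s\t%s\n", svc, $0; hit = 1 }
              END { exit hit ? 0 : 1 }' "$f"; then
            found=0
        fi
    done
    return $found
}

# Print every private key under $1/*/.ssh that carries the legacy PEM
# "Proc-Type: 4,ENCRYPTED" header, i.e. a key guarded only by a passphrase.
encrypted_private_keys() {
    for k in "$1"/*/.ssh/id_rsa "$1"/*/.ssh/id_dsa "$1"/*/.ssh/identity; do
        [ -f "$k" ] && grep -q '^Proc-Type: 4,ENCRYPTED' "$k" && echo "$k"
    done
    return 0
}

# Constructed fixture (not real keys or real system files): pam_ssh active
# for sshd but commented out for login; alice has an encrypted key, bob not.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/pam.d" "$d/home/alice/.ssh" "$d/home/bob/.ssh"
    printf '%s\n' 'auth sufficient pam_ssh.so no_warn try_first_pass' \
        'auth required pam_unix.so' > "$d/pam.d/sshd"
    printf '%s\n' '#auth sufficient pam_ssh.so no_warn try_first_pass' \
        'auth required pam_unix.so' > "$d/pam.d/login"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' '(constructed, not a key)' \
        '-----END RSA PRIVATE KEY-----' > "$d/home/alice/.ssh/id_rsa"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed, not a key)' \
        '-----END RSA PRIVATE KEY-----' > "$d/home/bob/.ssh/id_rsa"
    echo "$d"
}

FIX=$(make_fixture)
echo "== services that accept a key passphrase as the login secret =="
pam_ssh_auth_lines "$FIX/pam.d" || echo "(none)"
echo "== encrypted private keys such a module would try to unlock =="
encrypted_private_keys "$FIX/home"
rm -rf "$FIX"
```

On a real host, point the two functions at /etc/pam.d and /home; a non-empty first report combined with any key in the second is exactly the situation the mail describes.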