Subject: Re: ssh - are you nuts?!?
To: None <opentrax@email.com>
From: Chris Jones <chris@cjones.org>
List: tech-security
Date: 12/20/2000 09:41:50
opentrax@email.com writes:

> On 17 Dec, Chris Jones wrote:
> > opentrax@email.com writes:
> > 
> >> Are there any more features that might make SSH valuable?
> > 
> > Password-less login.  I can type my passphrase once, and for the
> > remainder of the life of the login session or shell, I can ssh "for
> > free" into certain machines.
> > 
> > This is also dangerous, of course; it's easy for me to forget and
> > leave my terminal, which theoretically makes a whole batch of
> > computers vulnerable, not just one.  To help address this, I've been
> > thinking for some time about adding a locking IOCTL that prevents
> > virtual console switching -- that way, I can just run xlock or lock,
> > and I can feel pretty safe leaving my terminal.  As always, of course,
> > I haven't had time to do any coding on this.
> > 
> Your point on vulnerability seems to indicate that a feature then
> requires a fix. Which might require a feature, that in turn would
> require a fix..... seems messy to me. Do you agree?

Not quite as involved as that, in this case.  In fact, I think
security isn't ever going to work unless users think about security;
no matter how good your security system is, a sufficiently thoughtless
or malicious user can compromise it.

In this case, I could fix the problem by never logging in on more than
one virtual console -- that way, when I lock the console I'm on,
nobody can sit down and switch to a different login session of mine,
where they can grab my RSA key.  Alternatively, I could just always
remember, when I leave my computer, to lock each virtual console; that
would be just as effective.

What I'm suggesting, though, is a fix that makes it a little easier
for me to remember all this:  I'd like to be able to just run lock or
xlock in one place (or have xautolock run, if I forget), and let the
software lock all those terminals for me.

IMHO, the take-home message is this:  Software's no substitute for
thought, but it can take a few things off your mind.

Chris

-- 
----------------------------------------------------- chris@cjones.org
Chris Jones                                           Mad scientist at large