On Fri, Mar 22, 2013 at 11:50 AM, James Knott <james.knott@rogers.com> wrote:
Greg Freemyer wrote:
That is, with no passphrase used during key generation, is there any security at all once an unauthorized user grabs that file? What is the situation with a passphrase? Assuming the file is encrypted if a passphrase is provided, how well is it encrypted?
How are you planning on getting that file? You could sit down at my desk and copy it. Beyond that, you'd have to break ssh to get past that key requirement or you could try to break OpenVPN, which has a key too. Of course, even if you got that private key, it would only get you access to my own account, not root. To become root, you'd have to know the password. That password is not stored in plain text. It's a hash in /etc/shadow, which is readable only by root and the shadow group. Bottom line, if you managed to get my id_rsa, you'd only have access to files in my own directory.
James,

You might want to read a little bit about how an "advanced persistent threat" attack works. They have a typical lifecycle. This is one of the better known diagrams (from Mandiant): http://www.discoveringidentity.com/wp-content/uploads/2013/03/mandiant1.png

So if one assumes the first breach is a Java exploit that allows the malware to get outside the sandbox, it could just grab your private key that was created without a passphrase. The private key in turn could be exfiltrated back out to a bad guy. They then try to access your network from the outside via ssh and your private key.

If that succeeds, they have gotten pretty far into the lifecycle of the attack. They have user privileges on the same machines you do and they can move laterally around the network. Now they just need a vulnerability that lets them escalate privileges to get root access. At that point they can crawl around your network at will.

The average time to find this kind of attack currently is about 9 months and they are being reported routinely. Admittedly, most of the attacks are against Windows machines, or maybe it is just the attacks that are being detected!

Greg
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
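The thread's first question (is an id_rsa file written without a passphrase protected at all?) can be answered by reading the file itself: a private key with no passphrase is stored in the clear, and every OpenSSH on-disk format marks whether it was encrypted. The audit script below is an added example written for this thread, not code from either poster or from the OpenSSH project. It recognises the three formats ssh-keygen writes (legacy PEM with a `Proc-Type: 4,ENCRYPTED` header, PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY`, and the `openssh-key-v1` binary format whose first field is the cipher name, `none` meaning unencrypted) and flags keys that would be readable by anything that copies the file. The sample key texts are constructed for the demonstration and are truncated to the fields the classifier reads; they are not usable keys.

```python
import base64
import os
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_ssh_string(buf, offset):
    """Read one SSH wire-format string (uint32 length, then bytes)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def classify_private_key(text):
    """Return (format_name, is_encrypted), or (None, None) if text is not a private key."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines:
        return None, None
    header = lines[0]

    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(line for line in lines[1:] if not line.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("openssh-key-v1 magic missing")
        # Layout: magic, string ciphername, string kdfname, string kdfoptions, ...
        cipher, offset = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        return "openssh-v1", cipher != b"none"

    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8", True
    if header == "-----BEGIN PRIVATE KEY-----":
        return "pkcs8", False

    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header line
        encrypted = any(line.startswith("Proc-Type:") and "ENCRYPTED" in line
                        for line in lines[1:])
        return "pem-legacy", encrypted

    return None, None


def unprotected_keys(named_texts):
    """Given {name: file_text}, return the names of private keys stored without a passphrase."""
    findings = []
    for name, text in named_texts.items():
        fmt, encrypted = classify_private_key(text)
        if fmt is not None and not encrypted:
            findings.append(name)
    return sorted(findings)


def audit_ssh_dir(directory=Path.home() / ".ssh"):
    """Read every regular file in a directory and report unprotected private keys."""
    texts = {}
    for entry in Path(directory).iterdir():
        if entry.is_file():
            try:
                texts[entry.name] = entry.read_text(errors="ignore")
            except OSError:
                continue
    return unprotected_keys(texts)


# --- constructed samples (truncated openssh-key-v1 blobs; NOT real keys) ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _fake_openssh_key(cipher, kdf):
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_OPENSSH_PLAIN = _fake_openssh_key(b"none", b"none")
SAMPLE_OPENSSH_ENCRYPTED = _fake_openssh_key(b"aes256-ctr", b"bcrypt")
SAMPLE_PEM_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBLRVk=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PEM_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBLRVk=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_NOT_A_KEY = "ssh-rsa AAAAB3NzaC1yc2E constructed-public-key-line\n"

if __name__ == "__main__":
    samples = {"id_rsa": SAMPLE_PEM_PLAIN, "id_ed25519": SAMPLE_OPENSSH_PLAIN,
               "id_work": SAMPLE_OPENSSH_ENCRYPTED, "id_rsa.pub": SAMPLE_NOT_A_KEY}
    print("unprotected (constructed samples):", unprotected_keys(samples))
    if os.path.isdir(Path.home() / ".ssh"):
        print("unprotected in ~/.ssh:", audit_ssh_dir())
```

The second question in the thread (how well a passphrase protects the file) depends on which format ssh-keygen wrote. The legacy PEM format derives the file-encryption key from the passphrase with a single MD5 pass, so it gives an attacker who has copied the file a cheap offline guessing target; the `openssh-key-v1` format uses bcrypt as its KDF, which is why newer ssh-keygen releases write that format (the `-o` option on older releases) and why the script reports the format name alongside the encrypted flag.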