Mailinglist Archive: opensuse-security (138 mails)

Re: [suse-security] Re: Re: Why Install Telnet by Default?
  • From: Steve Beattie <steve@xxxxxxxxxxx>
  • Date: Fri, 9 Dec 2005 00:06:33 -0800
  • Message-id: <20051209080633.GA9384@xxxxxxxxxxx>
On Thu, Dec 08, 2005 at 10:38:45PM -0800, Randall R Schulz wrote:
> Henning,
>
> On Thursday 08 December 2005 22:18, Henning Hucke wrote:
> > On Thu, 8 Dec 2005, Randall R Schulz wrote:
> > > [...]
> > > I'm surprised so many very security-conscious people think that
> > > passwordless is such a good thing. Now you've made physical access
> > > to your computer all that is required to gain access to all the
> > > other hosts for which you've set up passwordless access. What's
> > > more, from the perspective of the administrators of those systems,
> > > it's you who has accessed their resources and you'll get the blame,
> > > at least initially, for any malicious actions.
> >
> > Erm... Passwordless access to the other computers implies in the case
> > of SSH that you first enable the necessary keys with your passphrase
> > for your session. And even this you can cut down to the need to
> > /regularly/ reauthenticate.
>
> E.g., my office mate has passwordless access set up for all the hosts he
> regularly accesses (my company has literally thousands of hosts, of
> which we need to interact with dozens, if not hundreds, on a fairly
> regular basis).
>
> All I have to do is walk over to his desk, say, when he goes to lunch,
> and do things that no one can readily tell were not done by him.

Note that if you leave an ssh or telnet session open to a remote host
and leave for lunch, regardless of how you authenticated, someone can
do the same to the remote host.

Assuming he's using ssh-agent and not passwordless keys, your colleague
has a couple of options available to him, if he's willing to look at the
ssh-add manpage. You may wish to introduce him to "ssh-add -D", which he
can run before leaving for lunch to delete all identities currently stored
in the agent. Once he returns from lunch, he can then ssh-add them back.

Alternatively, he can do 'ssh-add -x' to lock the agent with a password,
and 'ssh-add -X' with the same password to unlock it again. He can also
use a timeout via ssh-add -t <time>.

If he's using passwordless keys; well, ssh-agent(1) and ssh-add(1) are your
friends.

--
Steve Beattie
SUSE Labs, Novell Inc.
<sbeattie@xxxxxxx>
http://NxNW.org/~steve/
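
Added example, not part of the original message: a shell sketch of the ssh-add lifetime (-t) and flush (-D) options mentioned above, run against a throwaway agent. The demo key, socket path, 2-second lifetime and function names are constructed for illustration; the -x/-X lock prompts for a password interactively, so it is not scripted here.

```shell
#!/bin/sh
# Added example: ssh-add -t and ssh-add -D against a throwaway ssh-agent.
# The key, socket path and 2-second lifetime are constructed for the demo.

have_openssh() {
    command -v ssh-agent >/dev/null 2>&1 &&
    command -v ssh-add >/dev/null 2>&1 &&
    command -v ssh-keygen >/dev/null 2>&1
}

# Report whether the agent named by SSH_AUTH_SOCK holds any identity.
# ssh-add -l exits 0 with keys listed, 1 with none, 2 if no agent answers.
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Runs in a subshell "( ... )" so the caller's real agent variables
# are never modified.
demo_agent_hygiene() (
    dir=$(mktemp -d) || exit 1
    eval "$(ssh-agent -s -a "$dir/agent.sock")" >/dev/null
    # Demo-only key with an empty passphrase so nothing prompts; a real
    # key should carry a passphrase.
    ssh-keygen -q -t ed25519 -N '' -C constructed-demo-key -f "$dir/demo_key"

    ssh-add -t 2 "$dir/demo_key" 2>/dev/null   # agent drops it after 2 s
    before=$(agent_state)
    sleep 3
    expired=$(agent_state)

    ssh-add "$dir/demo_key" 2>/dev/null        # no lifetime this time
    readded=$(agent_state)
    ssh-add -D 2>/dev/null                     # flush before leaving the desk
    flushed=$(agent_state)

    ssh-agent -k >/dev/null                    # stop the demo agent
    rm -rf "$dir"
    echo "$before $expired $readded $flushed"
)

if have_openssh; then
    demo_agent_hygiene    # -> loaded empty loaded empty
else
    echo "OpenSSH client tools not found; nothing to demonstrate" >&2
fi
```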