SSH authentication bypass?

Tom Buskey tom at buskey.name
Fri Jun 27 08:58:53 EDT 2014


On Thu, Jun 26, 2014 at 5:21 PM, Joshua Judson Rosen <rozzin at geekspace.com>
wrote:

> Tom Buskey <tom at buskey.name> writes:
> >
> > On Wed, Jun 25, 2014 at 12:08 PM, Joshua Judson Rosen <
> rozzin at geekspace.com>
> > wrote:
> >
> > > *AHA*--found the answer:
> > >
> > >     http://article.gmane.org/gmane.network.openssh.general/7446
> > >
> > > OpenSSH implements "none" auth by trying to authenticate
> > > with an empty password.
> [...]
> > I've created passwordless SSH keys.  That turns it into having a shared
> > secret which is better than a blank password IMO.
>
> It's certainly better for some things. Probably even most things.
>
> But if I've already got, for example, the `login shell' on the server
> doing its own challenge/response authentication over the encrypted link,
> using a one-time password that's with an established non-electronic
> distribution channel (so none-auth'ing into the account over SSH
> doesn't get you an actual shell or anything directly useful, just a
> ('nother) password prompt)..., then having to also set up a
> distribution channel for SSH keys is a hassle that doesn't necessarily
> provide any benefit.
>

Sure.  Also, if you care about SSH keys expiring, locking out, etc., then you
have to roll your own methods because an SSH key is essentially a password
that never expires.  If you use LDAP/AD or something else, login/password
auth handles that.  It's a hidden security issue with SSH keys.


>
> There's a parallel here to the way `secure logins' for the vast majority
> of websites work: all of the traffic is encrypted via SSL, but the SSL
> layer isn't itself acting as a barrier to the client authenticating; SSL
> is just a transport, and something on the other side of the SSL link
> manages authentication. It's *possible* to have the SSL layer actually
> take responsibility for authenticating the client via an x.509
> certificate (which is mostly analogous to an SSH pubkey, for this
> discussion); I've used a few services that do that. But can you imagine
> if Amazon, GMail, Facebook, Twitter, and every other site that requires
> a login did that? On top of also requiring a username/password login?
>
> --
> "'tis an ill wind that blows no minds."
>
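
Added example (not part of the original thread): a sketch of the "roll your own" key-expiry check mentioned above. It audits `authorized_keys` entries for the `expiry-time` option that current OpenSSH releases accept and flags keys that never expire or have already lapsed. The sample file, key blobs, names and reference date are constructed, and time zones are ignored for brevity.

```python
import re
from datetime import datetime

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # a line starting with one has no options
# One option: name, optional quoted value (may contain commas), then "," or blanks.
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(,|[ \t]+)')
THREAD_DATE = datetime(2014, 6, 27)  # constructed reference "now" for the demo
# Constructed sample file; key blobs are placeholders, not real keys.
SAMPLE = '''# constructed authorized_keys sample
ssh-ed25519 AAAAC3PLACEHOLDER1 alice@laptop
expiry-time="20140101",command="echo hi, there" ssh-rsa AAAAB3PLACEHOLDER2 bob@old
no-pty,expiry-time="20991231" ssh-ed25519 AAAAC3PLACEHOLDER3 carol@ci
'''

def parse_line(line):
    """Return (options dict, key type, comment) for one authorized_keys entry."""
    opts, pos = {}, 0
    if not line.startswith(KEY_TYPES):
        while True:
            m = OPT.match(line, pos)
            if not m:
                raise ValueError("malformed options: %r" % line)
            opts[m.group(1).lower()] = m.group(2)
            pos = m.end()
            if m.group(3) != ",":  # whitespace ends the options field
                break
    fields = line[pos:].split(None, 2)
    return opts, fields[0], fields[2] if len(fields) > 2 else ""

def parse_expiry(spec):
    """Parse YYYYMMDD or YYYYMMDDHHMM[SS]; a trailing Z is dropped (zones ignored)."""
    spec = spec.rstrip("Z")
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(spec)]
    return datetime.strptime(spec, fmt)

def audit(text, now):
    """List (line number, comment, status) for every key entry in the file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _keytype, comment = parse_line(line)
        spec = opts.get("expiry-time")
        status = ("never-expires" if spec is None else
                  "expired" if parse_expiry(spec) <= now else "valid")
        findings.append((lineno, comment, status))
    return findings

print(audit(SAMPLE, THREAD_DATE))
```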