On 11/21/05, Wolfgang S. Rupprecht
<wolfgang+gnus200511(a)dailyplanet.dontspam.wsrcc.com> wrote:
The password on the key only protects the private-key from being
casually read by someone with access to the computer. The
private-key-exchange that ssh puts on the wire (eg. on the 'net) has
already had the password stripped from it. All that is used is the
raw 1024-bit key.
As an aside, the password on the file really only prevents a casual
observer from learning the private-key. An attacker that has managed
to grab the password-protected private-key file (by having broken into
the system that has the private key file) can attack the password by
dictionary and guessing attacks. This password protection is no
stronger than would have been had had we used the same password as a
unix-type password login. In fact, since they have the file on their
own computer(s) they can subject it to much faster, more intensive
guessing attacks.
I guess my point is it's another step. Without the public key, they
just brute force dictionary guess. With public key, they have to
obtain the private key. Hopefully, this is hard. But, I see your
point. If getting to the private key is easy, then the password
protecting is just for show.
My feeling is that you can't ever really be sure that a
private-key
file hasn't been compromised. It is best to generate a fresh
private-key public key pair every once in a while. (say 3-12 mos.)
One can even keep the same password protecting the file, the important
thing is that the underlying 1024-bit key is changed.
Hmm... that sounds like a good idea.
What I did here for a while was run what amounts to a simple shell
script that grabbed the IP's of the attacking machines and stuffed
them into an IP-level filter against all traffic from that machine.
This still allowed the attacker to have 5-10 seconds of fun, but life
got really boring for them after that.
That sounds like what the "recent" module in iptables does.
--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that, I'd vote." --Duckman
"The system's broke, Hank. The election baby has peed in
the bath water. You got to throw 'em both out." --Dale Gribble