OpenSSH

Re: ssh-decrypt

To: Darren Tucker <dtucker@zip.com.au>
Subject: Re: ssh-decrypt
From: Pawel Krupinski <pak76_ml@yahoo.co.uk>
Date: Fri, 17 Nov 2006 08:55:56 +0000 (GMT)
Cc: openssh-unix-dev@mindrot.org
Delivered-to: sp-com-lists@consult.net
Delivered-to: openssh-unix-dev-list1@securepoint.com
Delivered-to: openssh-unix-dev-tmda@mindrot.org
Delivered-to: openssh-unix-dev@mindrot.org
In-reply-to: <455CE5EF.9080407@zip.com.au>
List-archive: <http://lists.mindrot.org/pipermail/openssh-unix-dev>
List-help: <mailto:openssh-unix-dev-request@mindrot.org?subject=help>
List-id: Development of portable OpenSSH <openssh-unix-dev.mindrot.org>
List-post: <mailto:openssh-unix-dev@mindrot.org>
List-subscribe: <http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev>, <mailto:openssh-unix-dev-request@mindrot.org?subject=subscribe>
List-unsubscribe: <http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev>, <mailto:openssh-unix-dev-request@mindrot.org?subject=unsubscribe>
Sender: openssh-unix-dev-bounces+openssh-unix-dev-list1=securepoint.com@mindrot.org
> Don't forget that the agent functionality is available on any host that
> you have logged onto with agent forwarding enabled, so anyone
> controlling any one of those hosts can use your agent to decrypt your stuff.

Thanks for pointing it out. There are several things
that mitigate (to certain extent) this risk:
1. One of the important features of the password safe
(as I call it) I have in mind will be accountability,
so I can say who, when and which secret was accessed.
2. In the enterprise environment, we have control over
each and every box where ssh agent will run on (we
don't allow out-going ssh connections).
3. Most of the root operations are done via sudo. In
cases where someone requires root logon, we are
logging all his operations.
4. All above will generate logs. We want to have log
correlation tuned up to pick up activities where an
administrator abused his rights. 

It is not 100% secure, but still better than scrambled
passwords.

Cheers,
- pak76
--- Darren Tucker <dtucker@zip.com.au> wrote:

> Pawel Krupinski wrote:
> > One of the problems we are facing is secure storage of
> > passwords (database, bestcrypt, other
> > applications/systems, ?) and availability within
> [...]
> > I'm using ssh agent currently just to manage my keys
> > and practically they are used only to provide me with
> > SSO to other ssh based systems. Why not use these keys
> > (or a separate ssh key pair) to protect passwords to
> > things such as database?
> 
> Don't forget that the agent functionality is available on any host that
> you have logged onto with agent forwarding enabled, so anyone
> controlling any one of those hosts can use your agent to decrypt your stuff.
> 
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
> 
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
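The reply above leans on accountability logs and log correlation to catch a forwarded agent being used by whoever controls an intermediate host. The following is an added example of what that correlation can look like; it is not code from the thread or from OpenSSH. The audit-line format of the "password safe", the sshd log lines, the hostnames and the per-user home-host policy table are all constructed for illustration.

```python
"""
Correlate password-safe access audit lines with sshd login records.

Added illustration for the mitigation discussed in the thread. The safe's
audit format and the policy table are assumptions, not a real product's.
"""
import re
from collections import defaultdict

# Constructed sample audit lines from the hypothetical password safe:
# one line per decrypt request, naming who, when, which secret and from where.
SAFE_AUDIT = """\
2006-11-17T08:10:02Z user=pak76 secret=db/prod-reporting host=ws-pak76 result=ok
2006-11-17T08:41:17Z user=pak76 secret=db/prod-reporting host=app02 result=ok
2006-11-17T08:42:05Z user=pak76 secret=bestcrypt/finance host=app02 result=ok
2006-11-17T09:03:44Z user=jsmith secret=db/prod-reporting host=ws-jsmith result=denied
"""

# Constructed sshd syslog lines from the intermediate host app02.
SSHD_LOG = """\
Nov 17 08:40:51 app02 sshd[4711]: Accepted publickey for pak76 from 10.1.2.3 port 51022 ssh2
Nov 17 08:45:10 app02 sshd[4711]: pam_unix(sshd:session): session closed for user pak76
"""

# Assumed policy: the only host each user should call the safe from directly.
# Any access from elsewhere can only have come through a forwarded agent.
HOME_HOST = {"pak76": "ws-pak76", "jsmith": "ws-jsmith"}

AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) secret=(?P<secret>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>\S+)$"
)
SSHD_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_audit(text):
    """Return one dict per well-formed safe audit line."""
    return [m.groupdict() for line in text.splitlines() if (m := AUDIT_RE.match(line))]


def parse_sshd(text):
    """Return one dict per sshd 'Accepted ...' login line (logouts are ignored)."""
    return [m.groupdict() for line in text.splitlines() if (m := SSHD_RE.match(line))]


def accountability_report(events):
    """The 'who, when, which secret' view: one tuple per access, in log order."""
    return [(e["ts"], e["user"], e["secret"], e["host"], e["result"]) for e in events]


def find_forwarded_accesses(events, logins, home_host):
    """Flag successful accesses that did not originate from the user's home host.

    Such an access was made through an agent forwarded to that host, so anyone
    controlling the host could have made it. Each finding carries the sshd login
    on that host for the same user, so the reviewer can see which session the
    forwarded agent belonged to and where that session came from.
    """
    logins_by = defaultdict(list)
    for login in logins:
        logins_by[(login["host"], login["user"])].append(login)

    findings = []
    for e in events:
        if e["result"] != "ok":
            continue  # denied requests are visible in the report, not flagged here
        if e["host"] == home_host.get(e["user"]):
            continue  # direct use from the expected workstation
        sessions = logins_by.get((e["host"], e["user"]), [])
        findings.append({
            "ts": e["ts"],
            "user": e["user"],
            "secret": e["secret"],
            "host": e["host"],
            "session_src": [s["src"] for s in sessions],
        })
    return findings


if __name__ == "__main__":
    events = parse_audit(SAFE_AUDIT)
    for row in accountability_report(events):
        print("access:", *row)
    for f in find_forwarded_accesses(events, parse_sshd(SSHD_LOG), HOME_HOST):
        print("REVIEW: forwarded-agent access", f)
```

On the constructed input, both accesses made from app02 are flagged and tied to the pak76 session that arrived there from 10.1.2.3; the direct access from ws-pak76 and the denied request are left in the plain report. The "home host" rule is deliberately simple: it does not prove abuse, it just narrows the reviewer's attention to exactly the accesses the thread identifies as reachable by a third party.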
