
#1 2009-07-08 01:37:30

sfabius
Member
Registered: 2007-07-07
Posts: 153

Is SSH safer or more vulnerable with password auth?

I've been having a fight with the university IT people about SSH being unsafe because of the possibility of a brute-force password attack. Of course (as I explain to them) there are myriad ways to thwart this, some of which I had already taken before the fight began (only allow a short time to connect successfully, for example). (Although I haven't been able to figure out if SSH can simply decide to refuse a connection after a certain number of failed passwords, but that's another issue...) On the other hand, I have seen a few sites in my SSH googling that hint that RSA key authentication is less secure than password authentication.

So, the question I would like to submit for discussion is this: Is passwordless RSA key authentication more or less secure than password authentication, and why? Or, if you would rather, under what circumstances is each method more vulnerable?


#2 2009-07-08 01:51:23

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: Is SSH safer or more vulnerable with password auth?

I think it really depends on the attack vector you are looking at.

Assuming the two are mutually exclusive for the sake of this discussion (either key-based auth with password login disabled, or password login with key-based auth disabled): a password-less ssh key is likely more vulnerable to an endpoint exploit -- if an attacker has your ssh key without a password, he has access. Password-over-ssh is likely more vulnerable to a server-side exploit -- it opens the password-guess vector, and if you aren't paying attention to the 'fingerprint doesn't match' message and someone hijacks your DNS, you could attempt to log in to a compromised system, thus giving away your password. Key-based auth would fail if they did not have your public key on the compromised server (you would still see the fingerprint difference message, though).

You can do things to increase the security of the above vectors, from using a passphrase on your ssh key and using ssh-agent (so you only have to auth once per session and it simply 'unlocks' your key, and doesn't leave it lying around open)... to using something like knockd or fail2ban on the server side.

------
Personally, I use a passphrase-protected ssh key (along with ssh-agent), and disable interactive (password) authentication on my boxes any time they are exposed to a public network (along with adding root to the DenyUsers ssh list).

Last edited by cactus (2009-07-08 01:52:11)


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

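The server-side settings this post recommends (password login off, key auth on, root kept out via PermitRootLogin or DenyUsers) are easy to get subtly wrong, so here is an added audit script, not from the thread or from OpenSSH, that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive) and reports what is effectively in force. The sample configs it writes are constructed for the demonstration. One caveat it makes explicit: anything after a `Match` line is conditional and is skipped here, so Match blocks still need to be read by hand.

```shell
#!/bin/sh
# Added example (not from this thread): audit an sshd_config for the choices
# described above (key-only auth, root kept out via PermitRootLogin or
# DenyUsers). It reads the file the way sshd does: the first occurrence of a
# keyword wins, keywords are case-insensitive, and everything after the first
# "Match" line is conditional, so it is ignored here.

# effective_value FILE KEYWORD DEFAULT
# Print the winning value of KEYWORD in FILE, or DEFAULT when it is absent.
effective_value() {
    _val=$(awk -v k="$2" '
        tolower($1) == "match" { exit }        # conditional section: stop
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1")
    printf '%s\n' "${_val:-$3}"
}

# list_has LIST WORD: succeed if WORD is one of the space-separated words in LIST
list_has() {
    for _w in $1; do [ "$_w" = "$2" ] && return 0; done
    return 1
}

# check_sshd_config FILE: print findings; return 0 only if every check passes.
# Defaults are OpenSSH's: PasswordAuthentication, PubkeyAuthentication and
# keyboard-interactive default to yes; PermitRootLogin defaulted to yes in
# the 2009-era releases this thread is about (newer ones: prohibit-password).
check_sshd_config() {
    _f=$1; _rc=0
    pw=$(effective_value "$_f" PasswordAuthentication yes)
    # ChallengeResponseAuthentication is the older name of
    # KbdInteractiveAuthentication; with it left on, PAM can still prompt for
    # a password even though PasswordAuthentication is no.
    kbd=$(effective_value "$_f" KbdInteractiveAuthentication \
          "$(effective_value "$_f" ChallengeResponseAuthentication yes)")
    pk=$(effective_value "$_f" PubkeyAuthentication yes)
    root=$(effective_value "$_f" PermitRootLogin yes)
    deny=$(effective_value "$_f" DenyUsers "")
    allow=$(effective_value "$_f" AllowUsers "")

    [ "$pw" = no ]  || { echo "FAIL PasswordAuthentication=$pw (want no)"; _rc=1; }
    [ "$kbd" = no ] || { echo "FAIL keyboard-interactive=$kbd (PAM password prompt still possible)"; _rc=1; }
    [ "$pk" = yes ] || { echo "FAIL PubkeyAuthentication=$pk (want yes)"; _rc=1; }
    case "$root" in
        no|without-password|prohibit-password) ;;
        *) list_has "$deny" root ||
           { echo "FAIL root may log in with a password (PermitRootLogin=$root, DenyUsers='$deny')"; _rc=1; } ;;
    esac
    [ -n "$allow" ] && echo "INFO logins restricted to AllowUsers: $allow"
    [ "$_rc" -eq 0 ] && echo "OK $_f"
    return "$_rc"
}

# write_sample hardened|weak: write a constructed sample config (not taken
# from any real host; "zq7-backup" is a made-up user) to a temp file and
# print its path. The Match block in the hardened sample is deliberately
# left out of the audit, as the comment at the top explains.
write_sample() {
    _p=$(mktemp)
    if [ "$1" = hardened ]; then
        cat >"$_p" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
DenyUsers root
AllowUsers zq7-backup
Match User zq7-backup
    PasswordAuthentication yes
EOF
    else
        cat >"$_p" <<'EOF'
#PasswordAuthentication no
PermitRootLogin yes
EOF
    fi
    printf '%s\n' "$_p"
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config [more files...]
for f in "$@"; do check_sshd_config "$f"; done
```

Run it against the real file after every edit and before restarting sshd; the keyboard-interactive check is the one most people miss, because a distribution's PAM setup can keep prompting for passwords after PasswordAuthentication has been set to no.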

#3 2009-07-11 15:51:14

djszapi
Member
From: Cambridge, United Kingdom
Registered: 2009-06-14
Posts: 1,439

Re: Is SSH safer or more vulnerable with password auth?

I wouldn't use ssh for, e.g., a git server.

It depends on what you wouldn't like to do.

If you use just one PC permanently, RSA could be better, but upstream, password authentication can be more flexible with good iptables/fail2ban, for example.


#4 2009-07-28 10:17:39

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497

Re: Is SSH safer or more vulnerable with password auth?

I guess it depends on what use you will make of ssh.

If you use too many computers to get ssh access, a password would probably fit better...

Anyway, you can make it even more secure using iptables and blocking undesired connections. You can find, in this wiki article: http://wiki.archlinux.org/index.php/Sim … wall_HOWTO

an example of a script which blocks brute-forcing of the ssh protocol.

Basically, if a client connects too fast to an SSH port (usually port 22) it will be blocked.

Last edited by quarkup (2009-07-28 10:19:57)


If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.


#5 2009-07-28 11:45:49

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: Is SSH safer or more vulnerable with password auth?

From a cryptographic point of view, key authentication is much more secure than passwords. The concept is that you don't give away the private key, but use it to authenticate yourself such that a potential attacker cannot reuse the data you sent (assuming he was able to get a hold of the unencrypted authentication session) to authenticate himself again. At the same time, a password can be reused as often as an attacker wishes, and (contrary to a cryptographically strong private key) could be cracked by brute force.

Once an attacker gets a hold of your private key though, he can authenticate to any server you have your public key on. Even if you have it protected with a passphrase, he might try and crack that by brute force to get to the real key. If you eliminate that scenario by assuming that the machine that stores your private key is impenetrable, there is no computationally feasible way an attacker could log into a server with password authentication disabled.


#6 2009-07-28 14:09:07

Ashren
Member
From: Denmark
Registered: 2007-06-13
Posts: 1,229


#7 2009-08-03 13:51:28

Deem3n
Member
Registered: 2009-08-03
Posts: 1

Re: Is SSH safer or more vulnerable with password auth?

Fail2ban will not help.

Usually I use public-key authentication on my servers with PermitRootLogin without-password, because it is simple and secure.
Article about securing OpenSSH


#8 2009-08-05 08:10:27

thisllub
Member
From: Northern NSW Australia
Registered: 2007-12-28
Posts: 231

Re: Is SSH safer or more vulnerable with password auth?

Disabling all root access should be no issue as you can su once logged in.
Nearly all attempts I have seen in logs are looking for existing names including root, presumably as a prelude to a brute force attack.
Creating a highly implausible user name then using authorized_keys should be practically more than adequate.


#9 2009-08-05 10:35:16

jelly
Administrator
From: /dev/null
Registered: 2008-06-10
Posts: 714

Re: Is SSH safer or more vulnerable with password auth?

Further prevention:
- set an IP range / IPs that can log in to ssh (your own PC, for example)
- use keys
- disable root access
- run ssh on a different port

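quarkup's post above describes an iptables script that blocks clients connecting too fast to the SSH port, and this post adds restricting logins to known IPs and moving sshd off port 22. The script below is an added example covering both, written for this thread rather than taken from it or from the linked wiki page: it generates iptables rules with the `recent` match that let a trusted range through unrestricted and drop any other source once it reaches HITS new connections within SECONDS. The port, counts and the 192.0.2.0/24 range in the usage line are assumptions (192.0.2.0/24 is a documentation range standing in for your own network). Rules are printed by default so they can be reviewed; APPLY=1 executes them.

```shell
#!/bin/sh
# Added example (not from this thread or the wiki page it links): generate
# iptables rules that let a trusted range (your own PC, say) reach sshd
# unrestricted and drop any other source once it reaches HITS new
# connections to the SSH port within SECONDS, using the "recent" match.
# Rules are printed by default; APPLY=1 runs them as root.

# ssh_guard_rules PORT HITS SECONDS [TRUSTED_CIDR]
ssh_guard_rules() {
    port=$1; hits=$2; secs=$3; trusted=${4:-}
    # Own chain, so the limiter can be flushed or reloaded on its own.
    echo "iptables -N SSH_GUARD"
    # Only new connections are rate-limited; established sessions stay up.
    # (On pre-conntrack kernels use "-m state --state NEW" instead.)
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_GUARD"
    # Trusted sources bypass the limiter entirely and are never recorded.
    [ -n "$trusted" ] && echo "iptables -A SSH_GUARD -s $trusted -j ACCEPT"
    # Record the source, then drop it once it has reached the limit. --update
    # refreshes the timestamp, so a client that keeps hammering stays blocked
    # until it has been quiet for SECONDS (use --rcheck to not extend it).
    # A hitcount above 20 needs xt_recent's ip_pkt_list_tot module parameter.
    echo "iptables -A SSH_GUARD -m recent --name SSH --set"
    echo "iptables -A SSH_GUARD -m recent --name SSH --update --seconds $secs --hitcount $hits -j DROP"
    echo "iptables -A SSH_GUARD -j ACCEPT"
}

# apply_or_print ARGS...: print the rules, or execute them when APPLY=1.
# (Re-running with APPLY=1 fails at "iptables -N" if the chain already exists.)
apply_or_print() {
    if [ "${APPLY:-0}" = 1 ]; then
        ssh_guard_rules "$@" | sh -e
    else
        ssh_guard_rules "$@"
    fi
}

# Usage: sh ssh_guard.sh 22 4 60 192.0.2.0/24
# (192.0.2.0/24 is a documentation range standing in for your own network.)
if [ "$#" -gt 0 ]; then apply_or_print "$@"; fi
```

The trusted ACCEPT sits before the `--set` rule on purpose: your own address is never entered into the recent list, so a burst of legitimate logins from it cannot lock you out. Keep the rules in a dedicated chain so a mistake is undone with a single `iptables -F SSH_GUARD` rather than a flush of the whole INPUT chain.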

#10 2009-08-05 10:49:08

fumbles
Member
Registered: 2006-12-22
Posts: 246

Re: Is SSH safer or more vulnerable with password auth?

Keys work better when you are on a box which has greater security than the one you are logging on to. If you don't know about the security of the connecting clients, IMHO it's better to use passwords alongside other security methods.
