From: Jakob U. <jak...@gm...> - 2013-07-24 07:11:20
On 24.07.2013 07:22, Alkis Georgopoulos wrote:
> If my assumption above is true, that a leaked ssh server private key
> means that the ssh connections are no longer private, then this applies
> to key-based authentication as well.
>

Ok, thanks for the clarification!

After the Debian weak key issue (the private keys were predictable), they
did warn about the issue you describe:
http://wiki.debian.org/SSLkeys#End_User_Summary

> Note that this last point means that passwords transmitted over ssh to
> a server with a weak dsa server key could be compromised too [...]
> This is due to an 'attack' on DSA that allows the secret key to be
> found if the nonce used in the signature is known or reused.

However, this seems to be limited to DSA keys. These are no longer used
nowadays because of security issues like this. With RSA, the sessions
should be protected using a random per-session key exchanged using
Diffie-Hellman that does not depend on the private key for its security.
I will try to find a definitive source for that and follow up here.

> One other possible implementation that I was thinking of, would be to
> use some values that are unique for each client as the random seed for
> the ssh private keys.
> For example, the client MAC, its output of `dmidecode` etc.
> Then the LTSP client ssh server host keys would always be the same, and
> the sysadmin would only need to trust them once.

This is a very good idea! Has to be done carefully, though, to make the
key unpredictable enough.

Best regards,
Jakob
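Added example (not from the thread or the LTSP project) of the "careful" part of the deterministic host-key idea: the per-client identifiers (MAC, `dmidecode` serial) are stable but guessable, so the seed is derived with HKDF (RFC 5869) keyed by a site secret that an outsider does not have; `host_key_seed`, `site_secret` and the info label are assumptions, and how the 32-byte seed is fed into an actual key generator is left out.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def host_key_seed(mac: str, dmi_serial: str, site_secret: bytes) -> bytes:
    """Deterministic 32-byte seed for one client's SSH host key (hypothetical helper).

    The same client always yields the same seed, so a regenerated host key is
    unchanged and only needs to be trusted once.  The identifiers alone are
    predictable, so the site secret is what makes the seed unguessable.
    """
    if len(site_secret) < 32:
        raise ValueError("site_secret must hold at least 32 bytes of real entropy")
    # Length-prefix-free but unambiguous: identifiers never contain NUL.
    ikm = mac.lower().encode() + b"\x00" + dmi_serial.encode()
    return hkdf_sha256(ikm, salt=site_secret, info=b"ltsp-host-key-seed-v1")


def demo() -> dict:
    """Show stability across reboots, separation between clients and the
    effect of a guessable (empty) secret.  All values are constructed."""
    secret = bytes(range(32))  # constructed; a deployment would store a random one
    a1 = host_key_seed("00:11:22:33:44:55", "VMware-42 1f 00", secret)
    a2 = host_key_seed("00:11:22:33:44:55", "VMware-42 1f 00", secret)
    b = host_key_seed("00:11:22:33:44:56", "VMware-42 1f 00", secret)
    return {"stable": a1 == a2, "distinct_clients": a1 != b, "seed_len": len(a1)}


if __name__ == "__main__":
    print(demo())
```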