ant-user mailing list archives

From Glenn McAllister <gl...@somanetworks.com>
Subject Re: Using Ant with SSH
Date Thu, 26 Jul 2001 19:47:39 GMT
"healey, alex" wrote:

> >Naah. If you use public/private key system you never have to enter a
> >passphrase ... ever ;) I don't even know my passwords on most systems I
> >have accounts on because I don't need it ;)
>
> Surely this means it is insecure or you are assuming total physical
> security of your computer (so that it is safe to store your full
> credentials there). All PKI systems I have used require both physical
> "key" (disk, card, or hard drive files) and a password / passphrase
> otherwise they aren't secure as there is nothing to stop anyone using
> your computer to impersonate you.
>
> Maybe I am missing something.

Nope, you aren't really.  A full-blown PKI system typically requires at
least two-factor authentication: "something you have," and "something you
know".  In the case of your physical "key", it's the something you have.
Well, actually it's the private key on the "card," not the card itself.  The
something you know is the passphrase.  The third factor is "what you are,"
which typically implies biometrics.  Most systems don't go that far.

In the case of SSH, it's really more of a single-factor authentication.  The
assumption is that your account on the machine is secure.  If an intruder
has root, there isn't a lot you can do (well, using tripwire and snort are
two very good starts) other than redo your keys once you've hardened your
system and kicked the intruder out.

If someone has compromised another computer you log into with SSH, it
doesn't really matter much from your perspective; all they've got is your
public key.  They need your private key to authenticate to the SSH server
(i.e., impersonate you).

If I've messed any of that description up, I'm sure a security expert
(which I am most certainly not) will point it out. :-)

Glenn McAllister
SOMA Networks, Inc.
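The point under debate in this thread is whether an SSH private key stored without a passphrase is acceptable. As an added example (not code from either poster or from the Ant project), here is a small audit that tells you which keys in a directory are unprotected: it reads the ciphername field of the openssh-key-v1 header, or the Proc-Type/ENCRYPTED markers of legacy PEM keys, and also flags keys readable by other users. It assumes keys are named id_* as ssh-keygen does by default; the sample blobs it builds are constructed header-only stubs, not usable keys.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, offset):
    # OpenSSH "string": 4-byte big-endian length followed by that many bytes
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + length], offset + 4 + length

def key_is_encrypted(text):
    """True if the private key in `text` is protected by a passphrase."""
    lines = text.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(lines[1:-1]))
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Header layout: magic, string ciphername, string kdfname, ...
        cipher, _ = _read_string(raw, len(OPENSSH_MAGIC))
        return cipher != b"none"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header
    return any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in lines)

def make_sample_openssh_key(cipher=b"none", kdf=b"none"):
    """Constructed header-only openssh-key-v1 blob for testing (not a usable key)."""
    pack_str = lambda b: struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + pack_str(cipher) + pack_str(kdf) + pack_str(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")

def audit_ssh_dir(directory):
    """Report private keys that lack a passphrase or are readable by others."""
    findings = []
    for path in Path(directory).glob("id_*"):
        if path.suffix == ".pub" or not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if "PRIVATE KEY-----" in text and not key_is_encrypted(text):
            findings.append(f"{path}: private key has no passphrase")
        if path.stat().st_mode & 0o077:
            findings.append(f"{path}: readable by group/others")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ssh_dir(Path.home() / ".ssh")))
```

An empty report means every id_* key found is passphrase-protected and mode 0600 or stricter; it says nothing about whether an agent has already unlocked the key for the current session.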
