LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-29-2008, 10:25 AM   #1
Kissell
LQ Newbie
 
Registered: Dec 2008
Posts: 1

Rep: Reputation: 0
Public/Private Key Pairs


So, I setup an RSA public/private key pair for my brother to login to my machine from over the internet using SSH...

But I'm curious how important it is that he protect his private key... what if someone else grabs his private key from his computer? It requires a passphrase, so is it safe even if a hacker obtains that private key file?

How important is it to keep the private key private?

I understand that if you use an unencrypted private key (with no passphrase) that it's very important to protect the key, because anyone who gets the key has access to all systems with the correstponding public key...

But what if you used a passphrase on your private key... and then your private key was leaked on the internet... is it really a concern?

I'm just not really sure how things work... if the passphrase decrypts the key and then the decryption is sent to the server as the private key, then if they guess the passphrase wrong it would be an unsuccessful login attempt at the server, and the server would stop talking to them after a few attempts as long as your using something like "fail2ban".

So, if you can throw unlimited passphrases at a private key, and try to brute force hack it, so what... cause you never know if you successfully decrypted it without using it to login to the server, which only allows a few attempts.

Now, if on the other hand, the private key can be brute force hacked, and it be known that the passphrase was entered successfully without any connection to the server, then yes, the security of the private key is extremely important.

Anyone know which of these two ways the passphrase on the private key works?
 
Old 12-29-2008, 10:41 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
The passphrase unlocks the private key on the client. It isn't sent to the server. As a matter of fact, you can unlock it once with ssh-agent and log into different servers while in the same bash session.

Code:
eval $(ssh-agent)
ssh-add
So it is important that a long passphrase be used. That shouldn't be a problem, because you can use a nonsensical sentence which is very long. Passphrases like "Obama Ate my MATH homework In 1965" are easy to remember but difficult to crack because they are very long.

Read through the sshd_config, ssh_config and ssh manpages. You can use "AllowUsers" to only allow certain usernames. You can include the IP address or hostname in a field of the public key in the authorized_keys file.

---

This isn't about ssh, but an easy demonstration on why strong passwords are important and precautions like using salt for hashes are used.

Take a dictionary word and calculate the md5sum hash.
Code:
$ echo -n 'banana' | md5sum
72b302bf297a228a75730123efef7c41 *-
Next enter the hash into Google Search:
Google Hash: md5(banana) = 72b302bf297a228a75730123efef7c41

Last edited by jschiwal; 12-29-2008 at 10:48 AM.
 
Old 12-29-2008, 07:32 PM   #3
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,230

Rep: Reputation: 1071Reputation: 1071Reputation: 1071Reputation: 1071Reputation: 1071Reputation: 1071Reputation: 1071Reputation: 1071
First, let me review what a "public/private key pair" is, and what it is for. Then, I'll touch on "passphrases."

A public/private key is used in asymmetric cryptography. Each key works in only one "direction" ... if you use one of the two keys to encrypt a message, only the other can be used to decrypt it. The public key is derived from the private key, and this process cannot be reversed. (Well, not by anyone you or I will ever know... unless your night-job is being a "spook." )

If someone steals your private key, then yes, they can impersonate you and do everything else that "you" can do.

If your private key is secure, however, then you can use it to issue messages that only a holder of the public key can decrypt. (This effectively proves to them that you must have sent it.) Likewise, anyone holding the public key can send you a message that only you can decrypt.

Le probleme, of course, is "how do you protect your keys?" One way is to use a passphrase. This applies a symmetric encryption to the content of the key: only someone who knows the passphrase can determine the content of the key and therefore use it.

A passphrase is functionally "like a password, only stronger." You have to know the passphrase and you have to be in physical possession of a key. It's like an ATM which requires you both to "know the PIN" and to be in physical possession of a card. (You can replicate an ATM-card by duplicating the magnetic stripe, but it is impractical to forge one... and the PIN is not recognizably encoded on the stripe.)

"Stealing a laptop at the airport" is always a problem that must be dealt with. The first line of defense is to use a passphrase on all keys: this makes it unlikely that a thief will actually be able to use any of the keys. The second line of defense is to issue individual keys. In this way, compromised keys can be revoked ... shutting down the access that they confer, while affecting no one else.
 
Old 01-24-2009, 04:36 AM   #4
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
^^ what they said, and in addition, get use to using keepassx. Use random passwords for everything and let keepassx store them for you for easy retrieval and use. Protect keepassx database with "Obama Ate my MATH homework In 1965" but everything else, including the passphrase for your ssh private keys with 64 character random goodness.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH Public/Private Key Fail. Help Please! hawk__0 Linux - Networking 9 11-07-2008 03:36 PM
Interesting question about Private/Public Key dmor Linux - Security 9 08-27-2008 02:49 PM
Public key, private key explained calande Linux - Security 3 06-12-2008 05:23 AM
need help with SSH private/public key taduser Linux - Security 2 04-02-2007 07:07 PM
RSA public key encryption/private key decription koningshoed Linux - Security 1 08-08-2002 07:25 AM


All times are GMT -5. The time now is 08:51 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration