Newbie security question: How secure is SSH2 RSA?
Folks,
I am a complete security novice so please excuse me if my question is a no brainer.
Currently my company production server is a fedora linux box with administrative access allowed from
4 fixed IP addresses. The 3 administrators all work from home and have access from their fixed IP
addresses via DSL.
One of the admin guys has moved DSL supplier, and now cannot get a fixed IP address.
We are considering moving the server authentication to SSH2 RSA and accessing it via the open source
secure shell client.
I have concerns that SSH2 RSA may not be as secure as fixed IP addresses, both in real terms, and in
the perceptions of our customers. Some of our customers are quite large organisations who take
security seriously.
How secure is SSH2 RSA? Is it as secure as having a fixed IP address? Any other considerations I
should think about?
TIA - Adam
Re: Newbie security question: How secure is SSH2 RSA?
On Fri, 12 Sep 2008 10:20:44 +0100, Adam Lipscombe wrote:
> Currently my company production server is a fedora linux box with administrative access allowed from
> 4 fixed IP addresses. The 3 administrators all work from home and have access from their fixed IP
> addresses via DSL.
> We are considering moving the server authentication to SSH2 RSA and accessing it via the open source
> secure shell client.
> I have concerns that SSH2 RSA may not be as secure as fixed IP addresses, both in real terms, and in
> the perceptions of our customers. Some of our customers are quite large organisations who take
> security seriously.
Use IPSec.
> How secure is SSH2 RSA?
> Is it as secure as having a fixed IP address?
On which scale?
> Any other considerations I should think about?
IPSec
cheers
Re: Newbie security question: How secure is SSH2 RSA?
Thanks, I will acquaint myself with IPSec.
> On which scale?
Well I suppose the scale is "perceived security level". What I am getting at is what would most
people feel to be the most secure? Would most people feel that SSH2 RSA is less secure than a fixed
IP address and, if so, is that justified?
Thanks - Adam
Burkhard Ott wrote:
> On Fri, 12 Sep 2008 10:20:44 +0100, Adam Lipscombe wrote:
>
>> Currently my company production server is a fedora linux box with administrative access allowed from
>> 4 fixed IP addresses. The 3 administrators all work from home and have access from their fixed IP
>> addresses via DSL.
>> We are considering moving the server authentication to SSH2 RSA and accessing it via the open source
>> secure shell client.
>> I have concerns that SSH2 RSA may not be as secure as fixed IP addresses, both in real terms, and in
>> the perceptions of our customers. Some of our customers are quite large organisations who take
>> security seriously.
>
> Use IPSec.
>
>> How secure is SSH2 RSA?
>> Is it as secure as having a fixed IP address?
>
> On which scale?
>
>> Any other considerations I should think about?
>
> IPSec
>
> cheers
Re: Newbie security question: How secure is SSH2 RSA?
On Fri, 12 Sep 2008 11:38:29 +0100, Adam Lipscombe wrote:
> Thanks, I will acquaint myself with IPSec.
>
> > On which scale?
>
> Well I suppose the scale is "perceived security level". What I am getting at is what would most
> people feel to be the most secure? Would most people feel that SSH2 RSA is less secure than a fixed
> IP address and, if so, is that justified?
Adam, you're talking about 2 different things.
RSA is used for authentication, IP knows only about authentication in
IPSec. You can use RSA keys and filter for the IP or the block your
colleague comes from, but you don't know whether that is your colleague's computer or
not (dynamic IP switched). With IPSec you know already after phase 1
who it is (if he keeps the auth. data secure).
If you're interested read http://www.schneier.com/paper-ipsec.pdf.
It depends on you how you define security.
cheers
Re: Newbie security question: How secure is SSH2 RSA?
On Fri, 12 Sep 2008 10:20:44 +0100, Adam Lipscombe wrote:
> Folks,
>
>
> I am a complete security novice so please excuse me if my question is a no
> brainer.
>
>
> Currently my company production server is a fedora linux box with
> administrative access allowed from 4 fixed IP addresses. The 3
> administrators all work from home and have access from their fixed IP
> addresses via DSL.
>
> One of the admin guys has moved DSL supplier, and now cannot get a fixed
> IP address.
>
> We are considering moving the server authentication to SSH2 RSA and
> accessing it via the open source
> secure shell client.
> I have concerns that SSH2 RSA may not be as secure as fixed IP
> addresses, both in real terms, and in the perceptions of our customers.
> Some of our customers are quite large organisations who take security
> seriously.
>
>
> How secure is SSH2 RSA? Is it as secure as having a fixed IP address?
> Any other considerations I should think about?
>
Keep the fixed IP addresses, and put them into the /etc/hosts.allow file
for sshd access, or into iptables (for port 22). In the sshd config file
disable password authentication and use keys instead. In the sshd config
file use the AllowUsers option to specify which usernames (of your 4
users) are recognised. This way only the 4 IP addresses can access the
server, only a user with a known username can gain access and only if
they have the correct key. No passwords involved.
John.
Re: Newbie security question: How secure is SSH2 RSA?
On 12 Sep, 10:20, Adam Lipscombe <adam.lipsco...@qucs.co.uk> wrote:
> Folks,
>
> I am a complete security novice so please excuse me if my question is a no brainer.
>
> Currently my company production server is a fedora linux box with administrative access allowed from
> 4 fixed IP addresses. The 3 administrators all work from home and have access from their fixed IP
> addresses via DSL.
>
> One of the admin guys has moved DSL supplier, and now cannot get a fixed IP address.
>
> We are considering moving the server authentication to SSH2 RSA and accessing it via the open source
> secure shell client.
> I have concerns that SSH2 RSA may not be as secure as fixed IP addresses, both in real terms, and in
> the perceptions of our customers. Some of our customers are quite large organisations who take
> security seriously.
>
> How secure is SSH2 RSA? Is it as secure as having a fixed IP address? Any other considerations I
> should think about?
>
> TIA - Adam
I'd say it's a **lot** easier to spoof an IP address than to crack an
RSA key pair (but make sure it's at least 2048 bits) but do make sure
you use key-pair authentication and not username/passwords (which are
susceptible to dictionary attacks).
C.
Re: Newbie security question: How secure is SSH2 RSA?
On Fri, 12 Sep 2008 06:15:51 -0700, C. wrote:
> I'd say it's a **lot** easier to spoof an IP address than to crack an
> RSA key pair (but make sure it's at least 2048 bits) but do make sure
> you use key-pair authentication and not username/passwords (which are
> susceptible to dictionary attacks).
>
> C.
Do you remember the Debian bug some months ago?
I'd say in this special case it's been much easier to brute-force the key :-).
cheers
Re: Newbie security question: How secure is SSH2 RSA?
Thanks for your suggestion - it certainly sounds comprehensive.
Does it handle the situation where one of the admin guys has a dynamic IP address?
Thanks - Adam
John Horne wrote:
> On Fri, 12 Sep 2008 10:20:44 +0100, Adam Lipscombe wrote:
>
>> Folks,
>>
>>
>> I am a complete security novice so please excuse me if my question is a no
>> brainer.
>>
>>
>> Currently my company production server is a fedora linux box with
>> administrative access allowed from 4 fixed IP addresses. The 3
>> administrators all work from home and have access from their fixed IP
>> addresses via DSL.
>>
>> One of the admin guys has moved DSL supplier, and now cannot get a fixed
>> IP address.
>>
>> We are considering moving the server authentication to SSH2 RSA and
>> accessing it via the open source
>> secure shell client.
>> I have concerns that SSH2 RSA may not be as secure as fixed IP
>> addresses, both in real terms, and in the perceptions of our customers.
>> Some of our customers are quite large organisations who take security
>> seriously.
>>
>>
>> How secure is SSH2 RSA? Is it as secure as having a fixed IP address?
>> Any other considerations I should think about?
>>
> Keep the fixed IP addresses, and put them into the /etc/hosts.allow file
> for sshd access, or into iptables (for port 22). In the sshd config file
> disable password authentication and use keys instead. In the sshd config
> file use the AllowUsers option to specify which usernames (of your 4
> users) are recognised. This way only the 4 IP addresses can access the
> server, only a user with a known username can gain access and only if
> they have the correct key. No passwords involved.
>
>
>
> John.
Re: Newbie security question: How secure is SSH2 RSA?
On Fri, 12 Sep 2008 15:45:23 +0100, Adam Lipscombe wrote:
> Thanks for your suggestion - it certainly sounds comprehensive.
>
> Does it handle the situation where one of the admin guys has a dynamic
> IP address?
>
Not really. If the address falls within a known range of addresses, then
you may put the range in the hosts.allow file, but you are then, of
course, opening up the system a bit more. Having said that, any user
would still need the right username and the correct key.
John.
Re: Newbie security question: How secure is SSH2 RSA?
"C." <colin.mckinnon@gmail.com> writes:
>On 12 Sep, 10:20, Adam Lipscombe <adam.lipsco...@qucs.co.uk> wrote:
>> Folks,
>>
>> I am a complete security novice so please excuse me if my question is a no brainer.
>>
>> Currently my company production server is a fedora linux box with administrative access allowed from
>> 4 fixed IP addresses. The 3 administrators all work from home and have access from their fixed IP
>> addresses via DSL.
>>
>> One of the admin guys has moved DSL supplier, and now cannot get a fixed IP address.
>>
>> We are considering moving the server authentication to SSH2 RSA and accessing it via the open source
>> secure shell client.
>> I have concerns that SSH2 RSA may not be as secure as fixed IP addresses, both in real terms, and in
>> the perceptions of our customers. Some of our customers are quite large organisations who take
>> security seriously.
>>
>> How secure is SSH2 RSA? Is it as secure as having a fixed IP address? Any other considerations I
>> should think about?
>>
>> TIA - Adam

>I'd say it's a **lot** easier to spoof an IP address than to crack an
>RSA key pair (but make sure it's at least 2048 bits) but do make sure
>you use key-pair authentication and not username/passwords (which are
>susceptible to dictionary attacks).
But-- if someone gets ahold of that public key, then they can log into that
machine as root with that public key. That is not good.
Ie, you should still restrict the IP address range.
One way of doing so would be to have his machine report his IP to your
machine when the IP address changes, and then put that into the hosts.allow
file. At the very least his address range should be in there.
AND they should also have to log in with their public key/password.
In this case I would probably advise password login if you believe that
they are responsible and keep their password secret.
>C.
Re: Newbie security question: How secure is SSH2 RSA?
On Fri, 12 Sep 2008 18:47:08 +0000, Unruh wrote:
> "C." <colin.mckinnon@gmail.com> writes:
>
>>I'd say it's a **lot** easier to spoof an IP address than to crack an RSA
>>key pair (but make sure it's at least 2048 bits) but do make sure you use
>>key-pair authentication and not username/passwords (which are
>>susceptible to dictionary attacks).
>
> But-- if someone gets ahold of that public key, then they can log into
> that machine as root with that public key. That is not good.
>
Don't allow root to log in at all from any external address. Users would
have to login (via the key) and then use 'su' (with a password).
John.
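The sshd settings recommended in this reply and in John Horne's earlier post (keys instead of passwords, AllowUsers, no root login) can be checked mechanically. The following is an added example, not part of any post in the thread: a shell check of the global section of an sshd_config, run on two constructed configs; the function names, the account names alice, bob and carol, and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Sample configs below are constructed.

# Print the value sshd would use for keyword $1 (config text on stdin).
# sshd keeps the FIRST value it reads for a keyword, keyword names are
# case-insensitive, and a Match line ends the global section.
sshd_global_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            sub(/[ \t]*=[ \t]*/, " ")     # accept "Keyword=value" as well
            key = tolower($1)
            if (key == "match") exit
            if (key == want) { $1 = ""; sub(/^ +/, ""); print; exit }
        }'
}

# Print one line per finding; return 0 only if the config text in $1 is clean.
# An unset keyword is a finding, so the result never relies on sshd defaults.
audit_sshd_config() {
    rc=0
    pw=$(printf '%s\n' "$1" | sshd_global_value PasswordAuthentication)
    root=$(printf '%s\n' "$1" | sshd_global_value PermitRootLogin)
    users=$(printf '%s\n' "$1" | sshd_global_value AllowUsers)
    [ "$pw" = "no" ] || { echo "PasswordAuthentication is '${pw:-unset}', want 'no'"; rc=1; }
    [ "$root" = "no" ] || { echo "PermitRootLogin is '${root:-unset}', want 'no'"; rc=1; }
    [ -n "$users" ] || { echo "AllowUsers is not set in the global section"; rc=1; }
    return $rc
}

# Constructed: the later "no" is ignored, AllowUsers applies only inside Match.
WEAK_CFG='# constructed sample
PermitRootLogin yes
passwordauthentication yes
PasswordAuthentication no
Match Address 192.0.2.0/24
    AllowUsers alice'

# Constructed: key-only login, no root login, named accounts only.
HARDENED_CFG='# constructed sample
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob carol'

echo "== weak";     audit_sshd_config "$WEAK_CFG" || true
echo "== hardened"; audit_sshd_config "$HARDENED_CFG" && echo "no findings"
```

The check covers sshd_config only; the address restrictions in /etc/hosts.allow or iptables mentioned in the thread are separate controls.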
Re: Newbie security question: How secure is SSH2 RSA?
Unruh wrote:
>
> But-- if someone gets ahold of that public key, then they can log into that
> machine as root with that public key. That is not good.
Someone gets ahold of the public key is not a problem. That's why it's
called a *public* key. The problem is if someone gets ahold of the
matching private key and guesses the passphrase (and we all know that
nobody should ever store an unencrypted private key right?)
Is this server in question publicly accessible? If so put it behind a
firewall unless it's absolutely necessary to be in the DMZ.
Let the admins access the network via a vpn, log on to non-root accounts
on the server, and then su to root when they need it. This is a pretty
standard best practice.
Re: Newbie security question: How secure is SSH2 RSA?
On 12 Sep, 14:19, Burkhard Ott <n...@derith.de> wrote:
> On Fri, 12 Sep 2008 06:15:51 -0700, C. wrote:
>
> > I'd say it's a **lot** easier to spoof an IP address than to crack an
> > RSA key pair (but make sure it's at least 2048 bits) but do make sure
> > you use key-pair authentication and not username/passwords (which are
> > susceptible to dictionary attacks).
>
> > C.
>
> Do you remember the Debian bug some months ago?
> I'd say in this special case it's been much easier to brute-force the key :-).
>
> cheers
The bug is fixed - it's still possible to run a competing DHCP server,
carry out ICMP redirect on routers and MITM attacks. Not to mention
source-routing which seems to be an intrinsic part of IPv6
C.
Re: Newbie security question: How secure is SSH2 RSA?
On Thu, 18 Sep 2008 04:03:07 -0700, C. wrote:
> The bug is fixed - it's still possible to run a competing DHCP server,
> carry out ICMP redirect on routers and MITM attacks. Not to mention
> source-routing which seems to be an intrinsic part of IPv6
>
> C.
Why DHCP? Everybody can send redirects.