Newbie security question: How secure is SSH2 RSA? - SSH



Thread: Newbie security question: How secure is SSH2 RSA?

  1. Newbie security question: How secure is SSH2 RSA?

    Folks,


    I am a complete security novice so please excuse me if my question is a no brainer.


    Currently my company production server is a fedora linux box with administrative access allowed from
    4 fixed IP addresses. The 3 administrators all work from home and have access from their fixed IP
    addresses via DSL.

    One of the admin guys has moved DSL supplier, and now cannot get a fixed IP address.

    We are considering moving the server authentication to SSH2 RSA and accessing it via the open source
    secure shell client.
    I have concerns that SSH2 RSA may not be as secure as fixed IP addresses, both in real terms, and in
    the perceptions of our customers. Some of our customers are quite large organisations who take
    security seriously.


    How secure is SSH2 RSA? Is it as secure as having a fixed IP address? Any other considerations I
    should think about?



    TIA - Adam

  2. Re: Newbie security question: How secure is SSH2 RSA?

    On Fri, 12 Sep 2008 10:20:44 +0100, Adam Lipscombe wrote:

    > Currently my company production server is a fedora linux box with administrative access allowed from
    > 4 fixed IP addresses. The 3 administrators all work from home and have access from their fixed IP
    > addresses via DSL.
    > We are considering moving the server authentication to SSH2 RSA and accessing it via the open source
    > secure shell client.
    > I have concerns that SSH2 RSA may not be as secure as fixed IP addresses, both in real terms, and in
    > the perceptions of our customers. Some of our customers are quite large organisations who take
    > security seriously.


    Use IPSec.

    > How secure is SSH2 RSA?
    > Is it as secure as having a fixed IP address?


    On which scale?

    > Any other considerations I should think about?


    IPSec

    cheers

  3. Re: Newbie security question: How secure is SSH2 RSA?

    Thanks, I will acquaint myself with IPSec.


    > On which scale?


    Well I suppose the scale is "perceived security level". What I am getting at is what would most
    people feel to be the most secure? Would most people feel that SSH2 RSA is less secure than a fixed
    IP address and, if so, is that justified?


    Thanks - Adam


    Burkhard Ott wrote:
    > On Fri, 12 Sep 2008 10:20:44 +0100, Adam Lipscombe wrote:
    >
    >> Currently my company production server is a fedora linux box with administrative access allowed from
    >> 4 fixed IP addresses. The 3 administrators all work from home and have access from their fixed IP
    >> addresses via DSL.
    >> We are considering moving the server authentication to SSH2 RSA and accessing it via the open source
    >> secure shell client.
    >> I have concerns that SSH2 RSA may not be as secure as fixed IP addresses, both in real terms, and in
    >> the perceptions of our customers. Some of our customers are quite large organisations who take
    >> security seriously.

    >
    > Use IPSec.
    >
    >> How secure is SSH2 RSA?
    >> Is it as secure as having a fixed IP address?

    >
    > On which scale?
    >
    >> Any other considerations I should think about?

    >
    > IPSec
    >
    > cheers


  4. Re: Newbie security question: How secure is SSH2 RSA?

    On Fri, 12 Sep 2008 11:38:29 +0100, Adam Lipscombe wrote:

    > Thanks, I will acquaint myself with IPSec.
    >
    >
    > > On which scale?

    >
    > Well I suppose the scale is "perceived security level". What I am getting at is what would most
    > people feel to be the most secure? Would most people feel that SSH2 RSA is less secure than a fixed
    > IP address and, if so, is that justified?



    Adam, you're talking about 2 different things.
    RSA is used for authentication; IP knows only about authentication in
    IPSec. You can use RSA keys and filter for the IP or the block your
    colleague comes from, but you don't know whether that is your colleague's computer or
    not (dynamic IP switched). With IPSec you know already after phase 1
    who it is (if he keeps the auth. data secure).

    If you're interested read http://www.schneier.com/paper-ipsec.pdf.

    It depends on you how you define security.

    cheers

  5. Re: Newbie security question: How secure is SSH2 RSA?

    On Fri, 12 Sep 2008 10:20:44 +0100, Adam Lipscombe wrote:

    > Folks,
    >
    >
    > I am a complete security novice so please excuse me if my question is a no
    > brainer.
    >
    >
    > Currently my company production server is a fedora linux box with
    > administrative access allowed from 4 fixed IP addresses. The 3
    > administrators all work from home and have access from their fixed IP
    > addresses via DSL.
    >
    > One of the admin guys has moved DSL supplier, and now cannot get a fixed
    > IP address.
    >
    > We are considering moving the server authentication to SSH2 RSA and
    > accessing it via the open source
    > secure shell client.
    > I have concerns that SSH2 RSA may not be as secure as fixed IP
    > addresses, both in real terms, and in the perceptions of our customers.
    > Some of our customers are quite large organisations who take security
    > seriously.
    >
    >
    > How secure is SSH2 RSA? Is it as secure as having a fixed IP address?
    > Any other considerations I should think about?
    >

    Keep the fixed IP addresses, and put them into the /etc/hosts.allow file
    for sshd access, or into iptables (for port 22). In the sshd config file
    disable password authentication and use keys instead. In the sshd config
    file use the AllowUsers option to specify which usernames (of your 4
    users) are recognised. This way only the 4 IP addresses can access the
    server, only a user with a known username can gain access and only if
    they have the correct key. No passwords involved.



    John.

  6. Re: Newbie security question: How secure is SSH2 RSA?

    On 12 Sep, 10:20, Adam Lipscombe wrote:
    > Folks,
    >
    > I am a complete security novice so please excuse me if my question is a no brainer.
    >
    > Currently my company production server is a fedora linux box with administrative access allowed from
    > 4 fixed IP addresses. The 3 administrators all work from home and have access from their fixed IP
    > addresses via DSL.
    >
    > One of the admin guys has moved DSL supplier, and now cannot get a fixed IP address.
    >
    > We are considering moving the server authentication to SSH2 RSA and accessing it via the open source
    > secure shell client.
    > I have concerns that SSH2 RSA may not be as secure as fixed IP addresses, both in real terms, and in
    > the perceptions of our customers. Some of our customers are quite large organisations who take
    > security seriously.
    >
    > How secure is SSH2 RSA? Is it as secure as having a fixed IP address? Any other considerations I
    > should think about?
    >
    > TIA - Adam


    I'd say it's a **lot** easier to spoof an IP address than to crack a
    RSA key pair (but make sure it's at least 2048 bits) but do make sure
    you use key-pair authentication and not username/passwords (which are
    susceptible to dictionary attacks).

    C.

  7. Re: Newbie security question: How secure is SSH2 RSA?

    On Fri, 12 Sep 2008 06:15:51 -0700, C. wrote:

    > I'd say it's a **lot** easier to spoof an IP address than to crack a
    > RSA key pair (but make sure it's at least 2048 bits) but do make sure
    > you use key-pair authentication and not username/passwords (which are
    > susceptible to dictionary attacks).
    >
    > C.


    Do you remember the Debian bug some months ago?
    I'd say in this special case it was much easier to brute-force the key :-).

    cheers

  8. Re: Newbie security question: How secure is SSH2 RSA?

    Thanks for your suggestion - it certainly sounds comprehensive.

    Does it handle the situation where one of the admin guys has a dynamic IP address?


    Thanks - Adam

    John Horne wrote:
    > On Fri, 12 Sep 2008 10:20:44 +0100, Adam Lipscombe wrote:
    >
    >> Folks,
    >>
    >>
    >> I am a complete security novice so please excuse me if my question is a no
    >> brainer.
    >>
    >>
    >> Currently my company production server is a fedora linux box with
    >> administrative access allowed from 4 fixed IP addresses. The 3
    >> administrators all work from home and have access from their fixed IP
    >> addresses via DSL.
    >>
    >> One of the admin guys has moved DSL supplier, and now cannot get a fixed
    >> IP address.
    >>
    >> We are considering moving the server authentication to SSH2 RSA and
    >> accessing it via the open source
    >> secure shell client.
    >> I have concerns that SSH2 RSA may not be as secure as fixed IP
    >> addresses, both in real terms, and in the perceptions of our customers.
    >> Some of our customers are quite large organisations who take security
    >> seriously.
    >>
    >>
    >> How secure is SSH2 RSA? Is it as secure as having a fixed IP address?
    >> Any other considerations I should think about?
    >>

    > Keep the fixed IP addresses, and put them into the /etc/hosts.allow file
    > for sshd access, or into iptables (for port 22). In the sshd config file
    > disable password authentication and use keys instead. In the sshd config
    > file use the AllowUsers option to specify which usernames (of your 4
    > users) are recognised. This way only the 4 IP addresses can access the
    > server, only a user with a known username can gain access and only if
    > they have the correct key. No passwords involved.
    >
    >
    >
    > John.


  9. Re: Newbie security question: How secure is SSH2 RSA?

    On Fri, 12 Sep 2008 15:45:23 +0100, Adam Lipscombe wrote:

    > Thanks for your suggestion - it certainly sounds comprehensive.
    >
    > Does it handle the situation where one of the admin guys has a dynamic
    > IP address?
    >

    Not really. If the address falls within a known range of addresses, then
    you may put the range in the hosts.allow file, but you are then, of
    course, opening up the system a bit more. Having said that, any user
    would still need the right username and the correct key.


    John.


  10. Re: Newbie security question: How secure is SSH2 RSA?

    "C." writes:

    >On 12 Sep, 10:20, Adam Lipscombe wrote:
    >> Folks,
    >>
    >> I am a complete security novice so please excuse me if my question is a no brainer.
    >>
    >> Currently my company production server is a fedora linux box with administrative access allowed from
    >> 4 fixed IP addresses. The 3 administrators all work from home and have access from their fixed IP
    >> addresses via DSL.
    >>
    >> One of the admin guys has moved DSL supplier, and now cannot get a fixed IP address.
    >>
    >> We are considering moving the server authentication to SSH2 RSA and accessing it via the open source
    >> secure shell client.
    >> I have concerns that SSH2 RSA may not be as secure as fixed IP addresses, both in real terms, and in
    >> the perceptions of our customers. Some of our customers are quite large organisations who take
    >> security seriously.
    >>
    >> How secure is SSH2 RSA? Is it as secure as having a fixed IP address? Any other considerations I
    >> should think about?
    >>
    >> TIA - Adam


    >I'd say it's a **lot** easier to spoof an IP address than to crack a
    >RSA key pair (but make sure it's at least 2048 bits) but do make sure
    >you use key-pair authentication and not username/passwords (which are
    >susceptible to dictionary attacks).


    But-- if someone gets ahold of that public key, then they can log into that
    machine as root with that public key. That is not good.

    I.e., you should still restrict the IP address range.
    One way of doing so would be to have his machine report his IP to your
    machine when the IP address changes, and then put that into the hosts.allow
    file. At the very least his address range should be in there.

    AND they should also have to log in with their public key/password.
    In this case I would probably advise password login if you believe that
    they are responsible and keep their password secret.



    >C.


  11. Re: Newbie security question: How secure is SSH2 RSA?

    On Fri, 12 Sep 2008 18:47:08 +0000, Unruh wrote:

    > "C." writes:
    >
    >>I'd say it's a **lot** easier to spoof an IP address than to crack a RSA
    >>key pair (but make sure it's at least 2048 bits) but do make sure you use
    >>key-pair authentication and not username/passwords (which are
    >>susceptible to dictionary attacks).

    >
    > But-- if someone gets ahold of that public key, then they can log into
    > that machine as root with that public key. That is not good.
    >

    Don't allow root to log in at all from any external address. Users would
    have to log in (via the key) and then use 'su' (with a password).



    John.
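As an added example (not code from any poster in this thread), here is a small POSIX shell audit of an sshd_config for the settings John lays out in posts 5 and 11: passwords off, keys on, an explicit AllowUsers list and no direct root login. The two sample config files are constructed, and the script assumes the plain "Keyword value" spelling of sshd_config lines.

```shell
#!/bin/sh
# Audits an sshd_config for the settings John recommends in this thread:
# password logins off, key logins on, an explicit AllowUsers list and no
# direct root login. Example code written for this page, not any poster's;
# the sample config files below are constructed.

# Print the effective value of a keyword: sshd uses the first match,
# matches case-insensitively and ignores commented-out lines (the
# "Keyword=value" spelling sshd also accepts is not handled here).
sshd_get() {                       # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == key { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$1"
}

# List every problem found; return 0 only when the file passes all checks.
# Unset keywords count as failing, since sshd's defaults allow passwords
# and (on older releases) root logins.
sshd_audit() {                     # $1 = config file
    rc=0
    [ "$(sshd_get "$1" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication should be 'no'"; rc=1; }
    [ "$(sshd_get "$1" PubkeyAuthentication)" != "no" ] ||
        { echo "PubkeyAuthentication must not be 'no'"; rc=1; }
    [ "$(sshd_get "$1" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin should be 'no' (log in as a user, then su)"; rc=1; }
    [ -n "$(sshd_get "$1" AllowUsers)" ] ||
        { echo "AllowUsers is not set"; rc=1; }
    return $rc
}

# Constructed sample: a stock-looking config with everything left at defaults.
weak_config() {
    printf '%s\n' '# sshd_config (constructed sample)' 'Port 22' \
        '#PermitRootLogin yes' '#PasswordAuthentication yes'
}

# Constructed sample: the same file after the thread's advice is applied.
hardened_config() {
    printf '%s\n' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'PubkeyAuthentication yes' 'AllowUsers adam john carl'
}

# Stand-alone demo: audit both samples (the weak one is expected to fail).
tmp=$(mktemp)
weak_config > "$tmp"; echo "== weak =="; sshd_audit "$tmp" || true
hardened_config > "$tmp"; echo "== hardened =="; sshd_audit "$tmp" && echo "OK"
rm -f "$tmp"
```

The IP side of John's advice (hosts.allow or an iptables rule for port 22) is independent of this file and is not checked here.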



  12. Re: Newbie security question: How secure is SSH2 RSA?

    Unruh wrote:

    >
    > But-- if someone gets ahold of that public key, then they can log into that
    > machine as root with that public key. That is not good.


    Someone getting hold of the public key is not a problem. That's why it's
    called a *public* key. The problem is if someone gets hold of the
    matching private key and guesses the passphrase (and we all know that
    nobody should ever store an unencrypted private key, right?).

    Is this server in question publicly accessible? If so put it behind a
    firewall unless it's absolutely necessary to be in the DMZ.

    Let the admins access the network via a VPN, log on to non-root accounts
    on the server, and then su to root when they need it. This is a pretty
    standard best practice.

  13. Re: Newbie security question: How secure is SSH2 RSA?

    On 12 Sep, 14:19, Burkhard Ott wrote:
    > On Fri, 12 Sep 2008 06:15:51 -0700, C. wrote:
    >
    > > I'd say it's a **lot** easier to spoof an IP address than to crack a
    > > RSA key pair (but make sure it's at least 2048 bits) but do make sure
    > > you use key-pair authentication and not username/passwords (which are
    > > susceptible to dictionary attacks).

    >
    > > C.

    >
    > Do you remember the Debian bug some months ago?
    > I'd say in this special case it was much easier to brute-force the key :-).
    >
    > cheers


    The bug is fixed - it's still possible to run a competing DHCP server,
    carry out ICMP redirects on routers and MITM attacks. Not to mention
    source-routing, which seems to be an intrinsic part of IPv6.

    C.

  14. Re: Newbie security question: How secure is SSH2 RSA?

    On Thu, 18 Sep 2008 04:03:07 -0700, C. wrote:


    > The bug is fixed - it's still possible to run a competing DHCP server,
    > carry out ICMP redirects on routers and MITM attacks. Not to mention
    > source-routing, which seems to be an intrinsic part of IPv6.
    >
    > C.


    Why DHCP? Everybody can send redirects.
