privatekey security - SSH

Thread: privatekey security

  1. privatekey security

    Hi,

    Is there anyway to make a private key only work from a single specified
    PC?
    I would like to provide my users to connect a linux box via ssh that is
    authenticated through public and private keys. The private key has a
    passphrase on it. But let's say some hacker finds this passphrase,
    makes a copy of the private key and connects from his PC to the server.

    Is there anyway to prevent this or am I dreaming here.

    Thanx.


  2. Re: privatekey security

    On 2006-03-10, Yet another coder wrote:
    > Is there anyway to make a private key only work from a single specified
    > PC?
    > I would like to provide my users to connect a linux box via ssh [...]


    Assuming you're using OpenSSH since that's what ships with most Linuxes:
    not quite. You can use "from=" key restrictions to allow it to be used
    from only one IP address (or range of addresses) but that's not quite
    the same thing.

    Key restrictions are documented in sshd(8).

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
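    One defender-side check that follows from the "from=" advice above, added here as an example rather than anything from Darren's post or from OpenSSH itself: a small Python audit that parses an authorized_keys file (honouring double-quoted option values, since a from= pattern list is comma-separated inside quotes) and reports which keys carry no source restriction at all. The sample file, key blobs and comments are constructed placeholders.

```python
# Constructed sample file; the key blobs are placeholders, not real key material.
SAMPLE_AUTHORIZED_KEYS = """\
from="192.0.2.10,192.0.2.0/24",no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER1 alice@laptop
ssh-ed25519 AAAAC3PLACEHOLDER2 bob@desktop
command="/usr/bin/rsync --server",from="*.example.net" ssh-ed25519 AAAAC3PLACEHOLDER3 backup
"""
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256", "sk-ssh-ed25519@openssh.com"}
def split_options(opts):
    """Split the options field on commas; commas inside double quotes are not separators."""
    out, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == "\\" and in_quote and i + 1 < len(opts):  # \" escapes a quote
            cur.append(opts[i + 1]); i += 2; continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            out.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    return out + ["".join(cur)] if cur else out

def parse_line(line):
    """Return (options, keytype, comment) for one authorized_keys line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = "", line                # line carries no options field
    else:                                       # options end at first unquoted whitespace
        i, in_quote = 0, False
        while i < len(line) and (in_quote or not line[i].isspace()):
            if line[i] == "\\" and in_quote:
                i += 1                          # skip the escaped character
            elif line[i] == '"':
                in_quote = not in_quote
            i += 1
        options, rest = line[:i], line[i:].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None                             # malformed or unlisted key type: skipped
    return split_options(options), fields[0], (fields[2] if len(fields) > 2 else "")

def audit(text):
    """Map each key's comment to its from= patterns; None means usable from any address."""
    report = {}
    for opts, _, comment in filter(None, map(parse_line, text.splitlines())):
        pats = [o[5:].strip('"').split(",") for o in opts if o.lower().startswith("from=")]
        report[comment] = pats[0] if pats else None
    return report
```

Running audit() over a real file flags every key that would accept a copied private key from anywhere; as the rest of the thread notes, from= raises the bar for an attacker off the local subnet but does not replace protecting the key itself.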

  3. Re: privatekey security

    Yet another coder wrote:
    > Hi,
    >
    > Is there anyway to make a private key only work from a single specified
    > PC?
    > I would like to provide my users to connect a linux box via ssh that is
    > authenticated through public and private keys. The private key has a
    > passphrase on it. But let's say some hacker finds this passphrase,
    > makes a copy of the private key and connects from his PC to the server.
    >
    > Is there anyway to prevent this or am I dreaming here.
    >
    > Thanx.
    >


    You won't gain any security from doing this. If someone has stolen a
    passphrase and private key, it's a trivial thing to steal the IP address
    as well and spoof it.

  4. Re: privatekey security

    >>>>> "Chuck" == Chuck writes:

    Chuck> You won't gain any security from doing this. If someone has
    Chuck> stolen a passphrase and private key, it's a trivial thing to
    Chuck> steal the IP address as well and spoof it.

    I disagree. It's trivial if the attacker is on the same subnet. If not,
    he would have to subvert router(s) along the way, which is a big enough
    difference that security is certainly enhanced.

    This applies to TCP. UDP services you can spoof from anywhere, so an
    attacker might try to subvert the DNS -- but SSH has server
    authentication, so this won't succeed unless the user ignores the
    warnings.

    I don't generally think it's worth it, though, if you have to change the
    address all the time.

    --
    Richard Silverman
    res@qoxp.net
