Reply to post: @carl0s

The NetCAT is out of the bag: Intel chipset exploited to sniff SSH passwords as they're typed over the network

Peter Gathercole Silver badge

@carl0s

If you use password authentication with SSH (rather than keys), the password will pass, all-be-it encrypted, across the network.

Some organizations prefer this over public/private key pairs with passphrases, because it gives them some control over the frequency and strength of the password used, as it can be expired and checked at the time it is changed. If you use keys with passphrases, with bog-standard SSH, you cannot expire a passphrase, and I've not seen a passphrase strength checker in the SSH implementations I've seen.

You also have the problem if the private key leaks, even if you change the passphrase on the primary copy of the key, the stolen copies will still have the old passphrase associated with them.

I know you can (and should!) get round these weaknesses by using some form of network key repository with auto key regeneration (to allow keys to be aged), or at least using ssh-agent, or maybe even Kerberos (I've used Kerberos, but not the Kerberos support built into OpenSSH), but many organizations think that just implementing SSH is enough. I've never rocked the boat by suggesting anything better, but then again, I've not been in early enough for most of the projects I've been working on to get it accepted early enough.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019