tlug Mailing List Archive
Re: [tlug] bootable linux with sshd
- Date: Fri, 05 Jan 2007 15:54:41 +0900
- From: "Stephen J. Turnbull" <stephen@example.com>
- Subject: Re: [tlug] bootable linux with sshd
- References: <875029960701012011u45dca8advd89f700e6a91008@example.com> <370858.33065.qm@example.com> <875029960701012334m211b2711l6e4b178a281dc8a2@example.com> <459A1304.9060301@example.com> <875029960701020307u5c9f75c1n2d720e843d900294@example.com> <875029960701020824m66a81709i1070d220954f888d@example.com> <Pine.NEB.4.64.0701031016200.1055@example.com> <875029960701021954y3a94ceebu3d8f0cbc97c0f3af@example.com> <Pine.NEB.4.64.0701031323590.1055@example.com>
Curt Sampson writes:

> However, this is not the attack you're defending against. Nobody's going
> to guess that in your lifetime.

No human, true. However, it's very likely to become brute-forceable in your lifetime. What's more important is how long the security need is, which is probably max 5 years in this case. Cracking DSA or even the older RSA is not likely (subject to absence of a mathematical breakthrough) in that period.

> So, if they need an ssh key to log in (which they do if you've disabled
> password logins), they need to steal it. Someone with access to your
> hardware could probably do this without too much difficulty.

Sure, but they need to know where that key is valid. Of course known_hosts will provide some clues, and is just as easy to steal as id_dsa. The TV box may not even be there.

If you're worried about having the SSH key stolen from your hardware, the solution is simple: keep it in an encrypted file, perhaps on removable media.

> Once they've got it, they're going to try to brute force the
> passphrase, and if they are determined, they will likely succeed,
> unless you're using a very, very good one, which you're probably
> not.

Why do you think that? Especially with agents (of course that's another kettle of security risks), it's just not that burdensome to use a decent passphrase. My current most-typed passphrase satisfies all of your constraints (and some you didn't mention, like mixing languages and encodings to help hose dictionary attacks) at 41 total characters. I wouldn't be surprised if the majority of people who use SSH consciously (as opposed to because that's the only way they can log in to a work system) do almost as well without trying very hard. Probably many do better; *I* didn't try very hard. However, I find it much less annoying than the 8-character password that I use for sudo on my Mac, because I only type it once or twice a day.

> On the other hand, the password they need to sudo cannot be gained by
> copying it from your hardware (unless you've been a bit silly), so
> that requires a completely different attack vector. Brute-forcing it
> is practical, but probably not by using the system they want to attack
> as an oracle, since even with a fairly weak password you'll notice the
> attempts long before they guess that secret.

That depends on how the logs on the "target" box are set up. Remember, that's a box he will only log into if there's trouble. So to really be useful as a warning of hacking attempts, he'll need a system that communicates the logs to him.
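The closing point above, that guessing attempts against sudo on the TV box are only a warning if the logs actually reach the owner, is the kind of thing a small cron job can cover. The script below is an added example and is not code from this thread or from any of its participants: it summarises failed sudo and sshd authentications from a syslog-style auth log so the summary can be mailed off the box. The sample log lines are constructed for the example, the hostname "tvbox", the user "fergal" and the addresses in them are invented, and the `mail` invocation in the comment assumes a working MTA on the box.

```shell
#!/bin/sh
# Summarise failed sudo and sshd authentication attempts from an auth log.
# Added example; the log lines below are constructed, not captured anywhere.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan  5 15:50:01 tvbox sshd[1201]: Accepted publickey for fergal from 192.0.2.10 port 51234 ssh2
Jan  5 15:51:12 tvbox sudo:   fergal : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/fergal ; USER=root ; COMMAND=/bin/sh
Jan  5 15:52:40 tvbox sshd[1210]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jan  5 15:52:41 tvbox sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jan  5 15:53:02 tvbox sudo:   fergal : TTY=pts/0 ; PWD=/home/fergal ; USER=root ; COMMAND=/sbin/reboot
EOF

# sudo logs one "N incorrect password attempts" line per failed session;
# sum the N values rather than counting lines.
count_sudo_failures() {
    awk '/sudo:.*incorrect password attempt/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "incorrect") total += $(i - 1)
         }
         END { print total + 0 }' "$1"
}

# sshd logs one "Failed password" line per rejected attempt.
# awk is used instead of grep -c so an empty log yields 0 without a
# non-zero exit status tripping a set -e caller.
count_sshd_failures() {
    awk '/sshd\[[0-9]+\]: Failed password/ { n++ } END { print n + 0 }' "$1"
}

# Unique source addresses behind the failed sshd attempts.
failed_sshd_sources() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") print $(i + 1)
         }' "$1" | sort -u
}

# One-screen summary suitable for piping to mail(1) from cron, e.g.
#   auth_report /var/log/auth.log | mail -s "tvbox auth report" you@example.com
auth_report() {
    printf 'sudo failures:  %s\n' "$(count_sudo_failures "$1")"
    printf 'sshd failures:  %s\n' "$(count_sshd_failures "$1")"
    printf 'sources of failed sshd logins:\n'
    failed_sshd_sources "$1" | sed 's/^/  /'
}

auth_report "$SAMPLE_LOG"
```

On the sample log this reports 3 sudo failures, 2 sshd failures and one source address. The counting functions are separate from the report so a cron wrapper can stay silent when every count is zero and only send mail when there is something to look at.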
- Follow-Ups:
- Re: [tlug] bootable linux with sshd
- From: Fergal Daly
- References:
- [tlug] bootable linux with sshd
- From: Fergal Daly
- Re: [tlug] bootable linux with sshd
- From: Gerald Naughton
- Re: [tlug] bootable linux with sshd
- From: Fergal Daly
- Re: [tlug] bootable linux with sshd
- From: Al Hoang
- Re: [tlug] bootable linux with sshd
- From: Fergal Daly
- Re: [tlug] bootable linux with sshd
- From: Fergal Daly
- Re: [tlug] bootable linux with sshd
- From: Curt Sampson
- Re: [tlug] bootable linux with sshd
- From: Fergal Daly
- Re: [tlug] bootable linux with sshd
- From: Curt Sampson