[Beowulf] Re: "hobbyists"es

Leif Nixon nixon at nsc.liu.se
Wed Oct 22 23:42:48 PDT 2008


[reviving a really old thread - sorry]

"Perry E. Metzger" <perry at piermont.com> writes:

> "Robert G. Brown" <rgb at phy.duke.edu> writes:
>>> If they can't use public key auth, give 'em secure ids or something
>>> similar. Works fine for such purposes. Passwords are dead.
>>
>> Yeah, Bill Gates (among others) said something like that back in 2004.
>> I confess to being deeply skeptical.  Really.  The SecureID solution has
>> been around for a long time at this point.  It was a PITA a decade ago.
>> It is a PITA now.  Expensive, too.
>
> It is neither. I use SecureIDs quite regularly and it isn't difficult
> at all -- you just look at the device and type in the digits. What's
> so hard about that? It isn't that expensive, either, but if you're
> minimizing cost there are cheaper competitors and various
> challenge-response devices, and even non-hardware solutions.

The tokens are pretty expensive, they break, they get lost, they go
out of clock sync, they run out of battery and need to be replaced.
The support costs are non-negligible.

[the rest of this post is a general comment, not necessarily directed
at Perry]

That said, there is interesting stuff like the YubiKey
(http://www.yubico.com/), which is a USB token pretending to be a
keyboard. Press a button on it, and it "types" a one-time password.

Downside: it uses symmetric crypto, which essentially means you have a
shared secret between the token and the auth server. This makes the
auth server a fat, juicy target, and if it ever is cracked, you need
to replace all your tokens.

There are also systems that send out one-time passwords via SMS to the
user's cellphone. Rather neat, but you do need to pay for those
SMSes.

Soft tokens, like file based client-side certs and private ssh keys,
are not necessarily a *huge* improvement over simple passwords. You do
become immune against the password-guessing attacks, but private keys
can be stolen. We see this happening. And when a private ssh key is
stolen, it is a major headache to find all authorized_keys files that
contain the corresponding public key.

Ssh keys *can* improve your security - encrypt the private key with a
good strong passphrase, make sure it never leaves your laptop, and
(carefully) use ssh-agent and agent forwarding for your authentication
needs. (And add your keys with "ssh-add -c".) However, in practice,
this tends to be too complicated for the average user.

For a reality check, run

  grep -L CRYPT /home/*/.ssh/id_{r,d}sa

to check how many users have unencrypted private keys stored on
your system.

-- 
Leif Nixon                       -            Systems expert
------------------------------------------------------------
National Supercomputer Centre    -      Linkoping University
------------------------------------------------------------
