Damian Brasher wrote:
> Nick Chalk wrote:
>> http://www.theregister.co.uk/2008/08/27/ssh_key_attacks_warning/
>>
>> Speculation that this attack is targetting weak
>> keys.
>
> Thanks Nick - I'm now looking at ssh-agent to use as an additional layer
> of security in my day job as well as development.
>
> Damian
Doubly glad I've regenerated every single key used on all my machines,
whether generated by PuTTY Keygen or the OpenSSH keygen utility, as well
as the security updates and full scans for vulnerable keys. I've also
taken the term 'passphrase' to heart and use a full sentence length one
- although I've not actually seen any stats that compare the short
password that looks like an ancient Egyptian hieroglyph (Hi Nick ;))
with a longer phrase (which almost by definition of length can't be as
complex as it would take half an hour to type in since there would be
zero chance of remembering it!).
One thing that puzzles me is the attitude seen in the comments to that
article that this is a Debian (and derivative) only issue. Do those that
consider 'I run Red Hat so I don't have a problem' [1] not think it
worth checking that none of their user accounts are using keys generated
on a Debian based system, and therefore make their non-Debian system
vulnerable?
[1] Only an example, I'm not picking on Red Hat users :)
--
Paul Tansom | Aptanet Ltd. |
http://www.aptanet.com/ | 023 9238 0001
======================================================================
Registered in England | Company No: 4905028 | Registered Office:
Crawford House, Hambledon Road, Denmead, Waterlooville, Hants, PO7 6NU
begin:vcard
fn:Paul Tansom
n:Tansom;Paul
org:Aptanet
adr:Widley;;39 The Thicket;Waterlooville;Hants.;PO7 5JL;England
email;internet:paul@???
tel;work:023 92380001
tel;cell:07799 662434
x-mozilla-html:FALSE
url:
http://www.aptanet.com/
version:2.1
end:vcard
