SSH Client Security: Digital Key Security
Here’s another major security issue: digital key creation and expiration. Do you or does the customer create the digital key pair? Should all private keys have a passphrase? If so, what’s the minimum length? Remember this: Private keys can be copied and then cracked offline.
Passphrases that have too few (or too easily guessed) alphanumeric characters (including blanks) won’t last long. Changing the passphrase on one private key doesn’t change it on all other copies—each copy is legit. My point? If Johnny B. Hacker gets a copy of the private keys and cracks the passphrase on each, he can then use those cracked keys to access the accounts, as long as the matching public keys are in the authorized_keys file. Changing the passphrase on the "official" private key doesn’t create a ripple effect that changes the passphrase on all other copies.
How will you associate any given key pair with any specific user? You know, to try to gauge how many key pairs need rebuilding after a hack?
Most digital credentials are replaced after a certain time period, based on the premise that these credentials will be cracked after some time in the field. How long will yours last? I remember well one configuration I studied. The script was set up by a contractor, had root access, and the credentials had not been updated in more than six years of use.
How will you track your digital keys and know the time in the field for any given key pair? Imagine that someone has just hacked three UNIX machines. How do you determine the public-key distribution of the current users’ keys? You must replace them all, right? That, or risk leaving back doors on other systems. And there is no central revocation list that you can reference. These digital keys seem to be a real headache, don’t they? You must understand how digital credentials work and how to hack ’em before you can use them widely.
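One way to answer the two tracking questions above (which key belongs to whom, and where a key is trusted after some hosts are hacked) is to inventory every authorized_keys file by key fingerprint. The following is an added example, not code from the original article; the host names, accounts, sample keys and function names are constructed for illustration, and it assumes the authorized_keys contents have already been collected from each machine.

```python
import base64, hashlib, struct
from collections import defaultdict

def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_line(line):
    """Return (fingerprint, comment) for one authorized_keys line, or None. A key is
    <type> <base64 blob> whose embedded type name equals <type>; options are skipped."""
    tokens = line.split()
    for i in range(len(tokens) - 1):
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:
            continue
        if len(blob) >= 4 and blob[4:4 + struct.unpack(">I", blob[:4])[0]] == tokens[i].encode():
            return fingerprint(blob), " ".join(tokens[i + 2:])
    return None

def build_inventory(files):
    """files: {(host, account): authorized_keys text} -> {fingerprint: {(host, account,
    comment)}}. The comment is free text set by the installer, so treat it as a hint."""
    inventory = defaultdict(set)
    for (host, account), text in files.items():
        for line in text.splitlines():
            parsed = None if line.lstrip().startswith("#") else parse_line(line)
            if parsed:
                inventory[parsed[0]].add((host, account, parsed[1]))
    return dict(inventory)

def keys_to_rotate(inventory, compromised_hosts):
    """Keys authorized on any compromised host, with every place that trusts them."""
    return {fp: sorted(places) for fp, places in inventory.items()
            if any(host in compromised_hosts for host, _, _ in places)}

def sample_key(seed, comment):
    """Constructed ed25519-shaped public key line; not a real credential."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes([seed]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

ALICE, BOB = sample_key(1, "alice@laptop"), sample_key(2, "backup-script")
SAMPLE = {  # constructed hosts, accounts and file contents
    ("web1", "root"): f'{ALICE}\ncommand="/usr/bin/rsync --server",no-pty {BOB}\n',
    ("db1", "root"): BOB + "\n",
    ("db1", "alice"): "# laptop key\n" + ALICE + "\n",
    ("build1", "ci"): "ssh-rsa not-a-key broken line\n",
}
```

Calling keys_to_rotate(build_inventory(SAMPLE), {"web1"}) lists both keys along with the db1 accounts that still trust them, which is the removal list that no central revocation mechanism will produce for you.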