another security question

Brad Cox brad at
Mon Mar 11 11:39:51 PST 2002

On Sun, Mar 10, 2002 at 01:58:33PM -0800, augie wrote:
> Solution B:
> same laptop setup as Solution A, but this time instead of forwarding port 30 
> just run sshd on the gateway, and again only accept RSA key authentication.
> then from the gateway ssh into the internal machine, again using key 
> authentication.

My machines are setup like this, except I let password auth in as well
(like Frank said: secure passwords, and keep up to date).  The only
way (that I can think of at this moment) someone can get in with
password auth is give your system your password, so if you watch your
logs, you'll see the brute force attack that they would need in order
to guess your password.  Don't use your crypto password in a plain
text environment (or on computers you don't trust), think up a plain
text password (or two).

> i have reservations about both methods.
> in Solution B i am concerned about keeping private keys on a public machine.

The only machine(s) that should have your private key is a workstation
that you trust, like perhaps your laptop and the workstation on the
inside of the firewall.  All the other machines just have the public
key, so that you can get into them, but they can't get into you.  Any
machine that is running an ssh-agent for you can have your key in
memory, but not on disk, by running ssh-add from a machine that does
have your private key (you are trusting this machine, but only until
you logout or run ssh-add -D).

Brad Cox		brad at
Key fingerprint = E741 589E 4A43 DA89 C5AA  B9A3 7E44 18BB C16B F62D
Which is worse: ignorance or apathy?  Who knows?  Who cares?

More information about the talk mailing list