by staticassertion 1945 days ago
A passphrase on your key is a great idea, but as soon as you unlock it once it's cached in memory. Since processes are not isolated within a user they're allowed to scrape the memory of other processes. If you check your running processes you're going to see that ssh-agent is running as your current user.

But a far more likely scenario is that the attacker will simply leverage existing sessions / steal a socket, which, notably, will bypass any sort of 2FA on SSH connections.


Or store your keys in a different user. I personally have the users dotancohen and dotancohens (trailing s for Secure) on my laptop. I simply su into dotancohens and then from there SSH into various servers. The /home/dotancohens/ directory has 0700 permissions.

How does this help you? If your dotancohen acct is compromised, I will just capture the password for dotancohens when you su to that account.

Hmmm...

Maybe I should call the su binary directly from /usr/bin/. Any thoughts on that? Or should I open a new VT?

On Linux, you can harden a bit against memory dumping by disabling ptrace. Set the "kernel.yama.ptrace_scope" sysctl to 3 and the easiest attack will no longer work, if you have processes that don't explicitly request disallowing ptrace.

I actually don't believe that scraping memory is the easiest attack, I just mentioned it informationally. I strongly believe attackers are more likely to hijack sessions.

But yeah, ptrace is definitely something to watch out for. Monitoring ptrace is also something defenders can do if they're not in a position to disable it (if you're working for a software company your engineers will ptrace).
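An added example for the two posts above (my own script, not something either commenter posted): it reads and explains the Yama ptrace_scope sysctl, checks whether same-uid attach to a process like ssh-agent is blocked, and prints an auditd rule for the monitoring option. It assumes Linux with the Yama LSM; the sysctl file path is a parameter so the logic can be exercised on a sample file, and the audit key name ptrace_monitor is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the Yama ptrace_scope sysctl
# recommended above and emit an auditd rule for monitoring ptrace instead.
# Assumes Linux with the Yama LSM; the sysctl file path is a parameter so
# the logic can be exercised against a sample file.

# Explain a Yama ptrace_scope value as documented in the kernel's Yama docs.
describe_ptrace_scope() {
    case "$1" in
        0) echo "0 classic: any process may PTRACE_ATTACH to another of the same uid (e.g. ssh-agent)" ;;
        1) echo "1 restricted: attach only to descendants, or to targets that opted in via PR_SET_PTRACER" ;;
        2) echo "2 admin-only: attach requires CAP_SYS_PTRACE" ;;
        3) echo "3 no attach: ptrace attach disabled until reboot" ;;
        *) echo "unknown ptrace_scope value '$1'" >&2; return 1 ;;
    esac
}

# Read the current value; defaults to the live sysctl file.
read_ptrace_scope() {
    scope_file="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ ! -r "$scope_file" ]; then
        echo "Yama ptrace_scope not available (Yama LSM not enabled?)" >&2
        return 2
    fi
    tr -d '[:space:]' < "$scope_file"
}

# Succeeds (exit 0) when a same-uid process can no longer attach to an
# unrelated process such as ssh-agent, i.e. scope 1 or higher.
ptrace_scope_blocks_same_uid() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# auditd rule that logs every ptrace() syscall on x86_64, searchable with
# `ausearch -k ptrace_monitor`; the key name is a placeholder.
ptrace_audit_rule() {
    echo "-a always,exit -F arch=b64 -S ptrace -k ptrace_monitor"
}

# When run directly, report the live setting (skipped quietly if Yama is absent).
if scope=$(read_ptrace_scope 2>/dev/null); then
    describe_ptrace_scope "$scope"
    if ptrace_scope_blocks_same_uid "$scope"; then
        echo "same-uid attach blocked; to monitor instead: $(ptrace_audit_rule)"
    else
        echo "same-uid attach allowed; consider: sysctl -w kernel.yama.ptrace_scope=3"
    fi
fi
```

Scope 3 cannot be lowered again without a reboot, so test it on a non-production host first.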

No, you should use short-lived certificates, ideally locked inside hardware tokens and 2FA.

This is just snake oil that doesn't actually add protection.

But it does help; in most cases, it requires no effort whatsoever, in contrast to using something like SSH certificates which may not even be possible, depending on the environment.

There's no such thing as perfect security, but that doesn't mean you shouldn't lock your door.