I recently met with a customer who is using usernames and passwords, rather than keys, to control SSH access. For the past several months I’ve been so engrossed in solving SSH key management issues that I was somewhat taken aback by the approach. After further discussions with some experts on the subject, I’ve come to understand just how dangerous it is. Here is what I’ve discovered:
SSH keys are the gold standard for SSH access. SSH keys are long and complex, far more so than any username and password could be. Keys can be created for different sets of users and different levels of access, and the private key never leaves the client: the server only verifies a signature, so no secret value is ever sent to it, and as such SSH keys are not prone to Man in the Middle attacks. In fact, modern SSH key types are so large that brute-forcing the key itself is not a feasible attack. SSH keys definitely have their own security challenges, but there are solutions to eliminate those risks.
On the other hand, passwords are subject to the human element – forgotten passwords, password reuse, and simple passwords that are easily guessed or that fall to brute force attacks. Passwords are also transmitted to the server, so they are susceptible to Man in the Middle attacks.
Okay, after hearing all of this I asked what turned out to be a very naive question – how likely is it that someone could crack an SSH password? The response was: "It can be child’s play, just Google it." I did, and I had the same reaction the Sheriff in the movie Jaws had when looking at clippings of previous shark attacks – quick, everyone get out of the water!
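The brute force risk the post describes leaves a very visible trail in sshd's log, and it is worth knowing what that trail looks like on your own servers. The following is an added example, not code from the original post: it parses a handful of constructed sshd syslog lines (the hostnames, users and addresses are invented), flags any source address that racks up more than a threshold of failed password attempts inside a sliding time window, and separately lists the password logins that succeeded, which under the post's own advice are the credentials to assume compromised. The threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd syslog lines (not real traffic). The first source
# hammers password logins; the second fails once, then logs in with a key;
# the third logs in successfully with a password.
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:03 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:15:04 bastion sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Mar  3 10:15:06 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:15:09 bastion sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Mar  3 10:15:12 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51027 ssh2
Mar  3 10:16:40 bastion sshd[2230]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar  3 10:16:55 bastion sshd[2232]: Accepted publickey for alice from 198.51.100.4 port 40011 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:17:02 bastion sshd[2240]: Accepted password for bob from 192.0.2.9 port 38800 ssh2
"""

# Matches the common "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Return (timestamp, result, method, user, src) tuples for lines that match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; fine for measuring gaps within one file
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return events


def password_failures_per_source(events):
    fails = defaultdict(list)
    for ts, result, method, _user, src in events:
        if result == "Failed" and method == "password":
            fails[src].append(ts)
    return fails


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {src: peak_failures} for sources with at least `threshold` failed
    password attempts inside any `window_seconds`-long window (sliding window)."""
    flagged = {}
    for src, stamps in password_failures_per_source(parse(lines)).items():
        stamps.sort()
        start = 0
        peak = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def password_logins(lines):
    """Successful password logins: (user, src) pairs that got in without a key."""
    return [(user, src) for _ts, result, method, user, src in parse(lines)
            if result == "Accepted" and method == "password"]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute-force sources:", detect_bruteforce(lines))
    print("password logins that succeeded:", password_logins(lines))
```

Run it against `/var/log/auth.log` (or `journalctl -u ssh`) output instead of the sample and the flagged sources are the ones you would expect a guessing tool to show up as; the second list is the more important one, because every successful password login is an account that keys and MFA should have been protecting.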
If your company is taking this approach to managing SSH access, then I strongly advise you to make changing it a top priority right away. I didn’t come to this conclusion without first doing the research. Having read the articles, watched the videos, investigated the software programs, and spoken to experts on the topic, I can confidently conclude that relying on usernames and passwords alone to control SSH access is extremely risky and a very dangerous proposition. At a minimum, it would be very wise to assume that all usernames and passwords are compromised and to further restrict access through multi-factor authentication (MFA). I’m a fan of SecureAuth, but many identity and access management vendors provide that capability. One thing to remember is that enforcement is key: you can’t simply use MFA for the jumphost (that won’t solve the problem); MFA has to be applied to all servers. If this is going on unabated in your company, we should talk about devising a more secure and comprehensive approach to SSH security.
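The "enforce it on every server, not just the jumphost" point is easy to state and easy to drift from, so it helps to have a check that reads each host's `sshd_config` and reports where a single factor is still enough to log in. The following is an added example and not code from the original post or from any vendor mentioned in it. The two configs are constructed: the weak one is the password-only setup the post warns about, the hardened one disables password logins and uses the real OpenSSH `AuthenticationMethods` directive to require a key and then a keyboard-interactive second factor handled by PAM (which PAM module supplies that factor is left as an assumption). The audit only reads the global section of the config, stopping at the first `Match` block, and applies sshd's first-value-wins rule for repeated keywords.

```python
import re

# Constructed example configs (not taken from any real host).
WEAK_SSHD_CONFIG = """\
# password-only access: the setup the post warns about
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
# key required first, then a second factor through PAM (e.g. a TOTP module; assumed)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""


def parse_sshd_config(text):
    """Parse the global section only (stops at the first Match block).
    sshd keeps the first value it sees for a keyword, so later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()                          # keywords are case-insensitive
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means keys plus a second factor are enforced."""
    cfg = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults: PasswordAuthentication yes, PermitRootLogin prohibit-password
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication is on (the default): a password alone can log in")
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root is reachable with a password")
    methods = cfg.get("authenticationmethods", "")
    if not methods:
        findings.append("AuthenticationMethods unset: no second factor is required")
    else:
        # space-separated alternatives, each a comma-separated sequence of required methods
        for alternative in methods.split():
            steps = alternative.split(",")
            has_key = "publickey" in steps
            has_second = any(s.startswith("keyboard-interactive") for s in steps)
            if not (has_key and has_second):
                findings.append(
                    f"AuthenticationMethods alternative '{alternative}' does not require key + second factor")
    return findings


def non_compliant_hosts(fleet):
    """fleet: {hostname: sshd_config text}. Returns the hosts that still accept a
    single factor, i.e. the gap left when MFA was only rolled out to the jumphost."""
    return sorted(host for host, text in fleet.items() if audit_sshd_config(text))


if __name__ == "__main__":
    # Constructed fleet: MFA was only done on the jumphost.
    fleet = {
        "jumphost": HARDENED_SSHD_CONFIG,
        "app-01": WEAK_SSHD_CONFIG,
        "db-01": WEAK_SSHD_CONFIG,
    }
    for host in non_compliant_hosts(fleet):
        print(host)
        for finding in audit_sshd_config(fleet[host]):
            print("  -", finding)
```

Feed it the `sshd_config` text collected from each host (for example with your configuration management tool) and `non_compliant_hosts` is the list of machines an attacker with a stolen password could still reach once past the jumphost. Note that `AuthenticationMethods publickey` alone is also reported, since it enforces keys but not a second factor, which is the minimum the post argues for.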
May the brute force NOT be with you…