kryptco / kr

DEPRECATED A dev tool for SSH auth + Git commit/tag signing using a key stored in Krypton.
https://krypt.co/developers/

Why modify ~/.ssh/config? #257

Open heywoodlh opened 5 years ago

heywoodlh commented 5 years ago

First off, I really love kr, it's an awesome tool. Thanks for all the time put into it and for making it open source.

Disclaimer: I have only been using Krypton for a few days. So relatively new to the tool.

So my issue is more of an inquiry about design choice rather than a technical issue. I'm curious, what is the point of modifying ~/.ssh/config instead of /etc/ssh/ssh_config?

I understand wanting to remove the need for sudo. But I'm thinking about the attack vector here. If an attacker tries to SSH into one of my machines their SSH config won't be modified to use Krypton. So Krypton is, in essence, useless unless SSH client config is modified to use it. Or if an attacker is already on my machine with access to my username, they can just remove the config changes added by Krypton. So without requiring a sudo password, Krypton isn't really protecting anything unless it is specified to in ~/.ssh/config. Which I can just comment out if I were an attacker. So really, the attack vector that Krypton is protecting is against a noob who doesn't know how to modify an SSH config file.

This is all according to how I understand it, so if I am misunderstanding anything please feel free to correct me if I am wrong.

As a workaround, I added the config changes into /etc/ssh/ssh_config to force all SSH sessions on my machines to attempt to use Krypton when possible. Which secures my SSH sessions globally on my machines.

Again, I want to know what the reasoning behind this is. And also, if there are any suggestions for hardening an installation with Krypton and forcing it to be an authentication method without relying on modifying a client-side SSH config file I would really appreciate it. Because at this point, I am using it basically to prevent noobs from SSH-ing into my stuff if I left a terminal emulator open and the SSH key unlocked in my keychain. Still good, but not super necessary if someone knows how to modify the necessary SSH config.

Thanks in advance for any time taken to respond to this. :)

agrinman commented 5 years ago

Hi! If the only key to authenticate to your server lives inside Krypton on your phone the client config doesn’t matter — it just exists to facilitate communicating to your phone. An attacker, even one who has root access on your machine, must be able to talk to Krypton on your phone somehow in order to get access to your server. If you see this request and deny it, they won’t be able to log in to the server.

heywoodlh commented 5 years ago

Ah, so it sounds like the issue in my case is that I have been using SSH keys set up on my machines prior to Krypton. So when I use those keys, they bypass Krypton, am I correct?

agrinman commented 5 years ago

If you have another non-Krypton public key added to your server and the corresponding private key is compromised, yes, your server is vulnerable. The security of your server is as strong as the weakest link.
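
The point made in the replies above, that any non-Krypton key left in the server's `authorized_keys` bypasses the phone approval, can be checked with a short audit. This is an added example, not part of the thread or of kr's code; the sample keys, their comments and the `demo_blob` helper are constructed for illustration.

```python
import base64
import hashlib
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# One options field: unquoted characters or "quoted values" that may hold spaces.
OPTIONS = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')

def fingerprint(blob_b64):
    """SHA256 fingerprint in the format `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (fingerprint, comment), or None for blank, comment or unparsable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if not line.startswith(KEY_TYPES):
        m = OPTIONS.match(line)          # skip a leading options field
        line = line[m.end():].lstrip() if m else ""
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        return None
    try:
        return fingerprint(parts[1]), (parts[2] if len(parts) > 2 else "")
    except ValueError:                   # key field is not valid base64
        return None

def audit(text, allowed):
    """List (line_no, fingerprint, comment) for each key not in `allowed`."""
    found = ((n, parse_line(line)) for n, line in enumerate(text.splitlines(), 1))
    return [(n, p[0], p[1]) for n, p in found if p and p[0] not in allowed]

def demo_blob(fill):  # constructed ed25519-shaped blob for the demo, not a real key
    body = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(body).decode()

# Constructed authorized_keys content: one Krypton key plus two older keys.
SAMPLE = "\n".join([
    "# deployed keys",
    f"ssh-ed25519 {demo_blob(1)} krypton-phone",
    f"ssh-ed25519 {demo_blob(2)} old-laptop",
    f'from="10.0.0.0/8",command="echo hi there" ssh-ed25519 {demo_blob(3)} backup job',
])

if __name__ == "__main__":
    print(audit(SAMPLE, {fingerprint(demo_blob(1))}))
```

In real use, pass the contents of the server's `~/.ssh/authorized_keys` as `text` and put the fingerprint of your Krypton public key, as shown by `ssh-keygen -lf`, in `allowed`.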