Monday, February 4, 2019

Security through obscurity is no security

So we have an ssh client, and some of our team members ended up storing their passwords in the ssh client. Yes, I know it's bad practice, but that's a separate discussion.
The interesting part is that the ssh client does not let you see the passwords once you have entered them. Of course, it's "for security" reasons.

A few years after these passwords were entered, people leave or move to different projects, and one is stuck with an ssh session that can still establish the connection but cannot be used to change the password (since root ssh is not allowed and you can't sudo without knowing the password).

What's the solution?
An ssh honeypot server: http://3.91.206.83/
Change the IP of the session to this server and it will print the password back. If you can't change the IP, redefine the host name in your local hosts file to point to this IP.
Be aware that once you have retrieved your password this way, you should assume it has been released to the public. Change your password immediately.

The ssh client is trying to make the password secure by making it obscure. Newsflash! It's not secure. It just makes users' lives difficult without adding any security.
