On November 17th, FreeBSD.org released an announcement that two of the servers it uses to build third-party packages for its popular operating system had been compromised. The FreeBSD team detected the incident on November 11, 2012. While the site's administrators could not verify whether any of the third-party packages had been modified, they are recommending that anyone who downloaded and installed any of their third-party packages between September 19, 2012 and November 11, 2012 reinstall their systems. Obviously this could be a big burden for a lot of organizations that use FreeBSD.
While I commend FreeBSD for the quick action they took in reporting the incident and communicating with their customers (and the community at large), I am interested in exploring the root cause of the intrusion. According to the announcement, the intrusion occurred as a result of a stolen SSH key that one of the developers used to access their servers. For that to be true, it would also have to be true that the private key had no passphrase. Assigning a passphrase to the private key would have prevented this intrusion, because the attackers would have needed the passphrase in addition to the key itself. It is similar to the need for a PIN when using an ATM or debit card: the PIN provides protection in the event that the card is lost or stolen.
Many people who regularly log in to systems via SSH prefer to use the public key authentication feature of SSH so that they don't have to type in their credentials when they log in. I have known many people who also argue that public key authentication is more secure than standard authentication. I have long been leery of this claim, and this incident shows why. Unless a passphrase is used along with the key, the server is at risk of compromise if the key is stolen. And adding a passphrase obviates the benefit of not having to type in credentials when using SSH to log in to a server remotely. That being the case, it seems to me that standard authentication is the better choice. There is no chance of having a key stolen this way.
There are situations when it is necessary to use SSH public key authentication without a passphrase. Typically one does this when a script running on one server needs to log in to another to perform some action (backups are a common example). In this case it is better to use SSH key authentication than to embed credentials in a script. However, it is necessary to ensure that the server that stores the private keys is highly secure. When developers and system admins use SSH key authentication, they usually install the private key on their own workstations, which, in my experience, are usually the least secure systems in any organization. The FreeBSD intrusion is a perfect illustration of the dangers of relying on SSH public key authentication to bypass typing in credentials. No one likes typing in usernames and passwords, but unfortunately, this is a necessary precaution to keep your systems secure.
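The first thing to find out after an incident like this is which private keys on your own workstations and servers lack a passphrase. The following script is an added example, not code from the FreeBSD project or from this article: it reads the header of an OpenSSH private key file and reports whether the key is encrypted at rest (the openssh-key-v1 format names its cipher right after the magic string, with "none" meaning no passphrase; the older PEM format uses a "Proc-Type: 4,ENCRYPTED" header), and it builds constructed sample keys so it runs offline. The function and constant names are my own choices, and the constructed samples are not usable keys.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf: bytes, off: int):
    """Decode one SSH wire 'string' at offset off -> (payload, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def private_key_is_encrypted(key_text: str) -> bool:
    """True if the private key is passphrase-protected (encrypted at rest)."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # openssh-key-v1 layout: magic, then ciphername; "none" means no passphrase.
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(body, len(OPENSSH_MAGIC))
        return cipher != b"none"
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY) flags encryption in a header line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)

def audit_key_dir(directory: str) -> dict:
    """Map each id_* private key file under directory to whether it has a passphrase."""
    keys = [p for p in Path(directory).glob("id_*") if p.is_file() and p.suffix != ".pub"]
    return {p.name: private_key_is_encrypted(p.read_text()) for p in keys}

def constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: realistic header fields, dummy key material (not usable)."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    blob += struct.pack(">I", 1) + b"\x00" * 16  # nkeys=1, then filler bytes
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"

UNPROTECTED_KEY = constructed_openssh_key(b"none", b"none")        # the FreeBSD scenario
PROTECTED_KEY = constructed_openssh_key(b"aes256-ctr", b"bcrypt")  # ssh-keygen with a passphrase
LEGACY_PROTECTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJD\n"
                        "-----END RSA PRIVATE KEY-----\n")  # constructed, not a real key
```

Running audit_key_dir on a user's ~/.ssh lists every id_* key and whether it is protected; any key reported as False can be given a passphrase in place with ssh-keygen -p -f <keyfile>, and an unattended script key that must stay unprotected should be on the inventory of systems that need the extra hardening described above.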
This article was cross-posted from InfosecStuff.com.