Keep SSH Sessions Active, Or Reconnect?

Posted by timothy
from the lock-your-door-or-carry-your-lunch dept.
borjonx writes "Is it safer to log out of an SSH session, and re-establish it later, or just keep the connection open? Like many of you, I use OpenSSH to connect to my Slackware Linux boxes remotely from Linux and WinXP (putty.exe) clients. At home and at work, I wonder if it would be safer to just leave the connection open (my clients are physically secured, the servers limit connections with hosts.allow). Is it more secure to re-establish the connection over an insecure link (big bad internet) where people can sniff that handshaking, or is it more secure to just remain connected? I connect 1 to 4 times per day, most days."
  • screen (Score:3, Informative)

    by Singularity42 (1658297) * on Thursday February 04, 2010 @06:25PM (#31028568)

    Just use the program, "screen", if you want to resume your sessions.

    • Re:screen (Score:5, Informative)

      by flydpnkrtn (114575) on Thursday February 04, 2010 @06:29PM (#31028616)

      Just use the program, "screen", if you want to resume your sessions.

      That's not what he's asking though... "Is it more secure to re-establish the connection over an insecure link (big bad internet) where people can sniff that handshaking, or is it more secure to just remain connected?"

      With a tinfoil hat on, he's asking if it's OK for the OpenSSH handshake to be happening 1-4 times per day across the big bad interwebs (traffic that could potentially be sniffed). He's not asking how to maintain sessions even if ssh itself is disconnected (which is what screen gives you)

  • Wat (Score:5, Informative)

    by sakdoctor (1087155) on Thursday February 04, 2010 @06:27PM (#31028584) Homepage

    What gives you the impression that the key-exchange in SSH is vulnerable?
    The short answer is: Whatever.

    http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange [wikipedia.org]

    • Re:Wat (Score:5, Informative)

      by xZgf6xHx2uhoAj9D (1160707) on Thursday February 04, 2010 @06:45PM (#31028818)
      More to the point (since basic Diffie-Hellman is vulnerable to man-in-the-middle attacks), if you already have the "fingerprint" stored for your home machine, that really can't be faked, so you're safe. If you're not storing the "fingerprint" (why not?) then, well, why would anyone do that?
    • Re: (Score:3, Interesting)

      The short answer is: Whatever.

      It's a little more nuanced than that. To the extent that a long term session is more predictable than a short term session (or vice versa), it may matter. See Timing Analysis of Keystrokes and Timing Attacks on SSH [berkeley.edu].

    • Re:Wat (Score:5, Informative)

      by hunteke (1172571) on Thursday February 04, 2010 @06:58PM (#31028970)

      What gives you the impression that the key-exchange in SSH is vulnerable?

      Answer: The key-exchange is not vulnerable. However, there is an issue the first time you connect to one host from the other. That initial message that most people ignore is a possible MITM (Man in the Middle) avenue a cracker could harness.

      Example message:

      The authenticity of host 'ssh.example.com (123.234.123.234)' can't be established.
      RSA key fingerprint is 96:21:c3:32:3d:cc:18:d5:53:6a:d4:0d:0d:73:c6:1a.
      Are you sure you want to continue connecting (yes/no)?

      While giving the password to the remote server for authentication may be secure, unless you've verified that fingerprint, you don't know to whom you're talking. That is, when you connect the first time, and you blindly accept that fingerprint, if it's a cracker, you are literally typing your password to the rogue machine (that would then turn around and log in "as you" to the real machine).

      Ideally, you would verify that fingerprint with a version you get through alternate, presumably secure, means. E.g. an over-the-phone conversation with an administrator, or physically accessing the work system and writing it down, or (temporarily) connecting directly to the server with a cross-over cable.

      • Re: (Score:3, Informative)

        by palegray.net (1195047)
        Precisely. On a Linode [linode.com] Linux VPS, for example, this can be accomplished via the console using the following command:

        ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
      • However... (Score:5, Insightful)

        by Junta (36770) on Thursday February 04, 2010 @08:26PM (#31029800)

        That has no bearing on comparing logout/login vs. staying logged in. Yes, the very very first handshake can be bad (there are methods to mitigate, but that's beyond the scope of this discussion), but once you establish that trust, logging out does not break it.

      • Re: (Score:3, Funny)

        by tobiasly (524456)

        Ideally, you would verify that fingerprint with a version you get through alternate, presumably secure, means. E.g. an over-the-phone conversation with an administrator

        So what if this administrator you're having such a secure conversation with has someone holding a gun to his head! Guess you're not so secure now, huh?

      • Re: (Score:3, Informative)

        by jroysdon (201893)

        The solution to the first-time key exchange is SSHFP + DNSSEC [roysdon.net].

    • Well at least I agree with you. As long as you're using OpenSSH in the default configuration (though I always enable the VisualHostKey option when it's available), you'll be fine.
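As an added worked example (editor's code, not from any commenter and not OpenSSH's own): the fingerprint hunteke quotes is nothing more than a hash over the key blob the server sends, so you can compute it yourself from the server's public key file (the same file palegray.net's ssh-keygen command reads), compare it in constant time against the value you obtained out of band, and check whether your known_hosts already pins that key, including lines hashed with HashKnownHosts. The SSHFP line at the end is the SHA-256 record of the pair `ssh-keygen -r` emits, for the DNSSEC approach jroysdon links. The ssh-ed25519 key, the hostnames and the known_hosts contents are constructed for the example; the key is not a real one.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (RFC 4251): big-endian uint32 length, then the data."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Split an OpenSSH public-key line ('type base64 [comment]') into (type, blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    (n,) = struct.unpack(">I", blob[:4])      # the blob starts with its own type string
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in text does not match the key blob")
    return key_type, blob, (parts[2] if len(parts) == 3 else "")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the form quoted in the comment above."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH 6.8+ fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def matches_expected_fingerprint(blob: bytes, expected: str) -> bool:
    """Constant-time comparison against a fingerprint obtained out of band (phone call,
    console, ssh-keygen run on the server itself). Accepts either style, with or without 'MD5:'."""
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return hmac.compare_digest(fingerprint_sha256(blob), expected)
    if expected.upper().startswith("MD5:"):
        expected = expected[4:]
    return hmac.compare_digest(fingerprint_md5(blob), expected.lower())


# SSHFP algorithm numbers: RFC 4255 (RSA 1, DSA 2), RFC 6594 (ECDSA 3), RFC 7479 (Ed25519 4).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}


def sshfp_record(hostname: str, key_type: str, blob: bytes) -> str:
    """SSHFP RR with fingerprint type 2 (SHA-256) over the key blob, as 'ssh-keygen -r' emits."""
    return f"{hostname} IN SSHFP {SSHFP_ALGORITHM[key_type]} 2 {hashlib.sha256(blob).hexdigest()}"


def hashed_hostname(hostname: str, salt: bytes) -> str:
    """The '|1|salt|hash' host field written with HashKnownHosts yes: hash = HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def known_hosts_matches(known_hosts: str, hostname: str, key_type: str, blob: bytes) -> bool:
    """True if known_hosts already pins exactly this key for hostname (plain, comma-separated
    or hashed host fields). False is the case in which the client would prompt."""
    for raw in known_hosts.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith(("#", "@")):   # comments, @cert-authority and
            continue                                          # @revoked markers are not direct pins
        if len(fields) < 3 or fields[1] != key_type:
            continue
        if not hmac.compare_digest(base64.b64decode(fields[2]), blob):
            continue
        hosts = fields[0]
        if hosts.startswith("|1|"):
            salt = base64.b64decode(hosts.split("|")[2])
            if hmac.compare_digest(hashed_hostname(hostname, salt), hosts):
                return True
        elif hostname in hosts.split(","):
            return True
    return False


# Constructed sample data, not a real key: an ssh-ed25519 blob whose 32 key bytes are 0..31.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 %s root@ssh.example.com" % base64.b64encode(SAMPLE_BLOB).decode()
_TYPE_AND_KEY = SAMPLE_PUBKEY_LINE.rsplit(" ", 1)[0]
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "ssh.example.com,123.234.123.234 " + _TYPE_AND_KEY,
    hashed_hostname("backup.example.com", b"0123456789abcdefghij") + " " + _TYPE_AND_KEY,
])

if __name__ == "__main__":
    ktype, key, _ = parse_pubkey_line(SAMPLE_PUBKEY_LINE)
    print(fingerprint_md5(key), fingerprint_sha256(key), sshfp_record("ssh.example.com", ktype, key), sep="\n")
    print("pinned:", known_hosts_matches(SAMPLE_KNOWN_HOSTS, "ssh.example.com", ktype, key))
```

On the server's console, `ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ed25519_key.pub` prints the colon form and plain `ssh-keygen -l -f ...` prints the SHA256: form on OpenSSH 6.8 and later; `ssh-keygen -F hostname` tells you whether a hashed known_hosts line is already pinned. An SSHFP record only removes the first-connection prompt when the client has VerifyHostKeyDNS set and the resolver reports the answer as DNSSEC-validated; an unvalidated answer is shown as a matching hint and the prompt stays.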
  • by pthisis (27352) on Thursday February 04, 2010 @06:29PM (#31028624) Homepage Journal

    Is it safer to log out of an SSH session, and re-establish it later, or just keep the connection open?

    Breaking the crypto is almost assuredly not the weakest point in your connection. I'd stay connected, since by far the biggest danger is user errors: you accidentally connecting to the wrong servers, ignoring a cert change alert or something else boneheaded.

    Assuming you're not using SSH1, the client and server should periodically regenerate session keys, so it's not like you'll be encrypting vast sessions with just one key (not that this is likely to be the biggest point of failure in your system even without re-keying).

    • by massysett (910130) on Thursday February 04, 2010 @07:02PM (#31029000) Homepage

      Breaking the crypto is almost assuredly not the weakest point in your connection. I'd stay connected,

      You're right about the crypto not being a concern, but I think the bigger danger is that he gets up to go to the bathroom or printer or something and he forgets to lock the client machine. Cert change alerts are hard to ignore, at least with OpenSSH. Logout.

    • by fm6 (162816) on Thursday February 04, 2010 @07:11PM (#31029082) Homepage Journal

      I'd stay connected, since by far the biggest danger is user errors: you accidentally connecting to the wrong servers, ignoring a cert change alert or something else boneheaded.

      User error isn't merely the biggest danger. If you count social engineering exploits and sloppy procedures as "user error" then user error accounts for almost all exploits. Mathematical exploits are few and far between — "breaking the code" is something that pretty much happens only in bad spy movies.

      (And yes, I know how Bletchley Park "broke" Enigma. Except Enigma was never broken. Sloppy procedures by Axis radio operators made the code less secure than it should have been. As it was, they needed brilliant mathematics, early computers, and a lot of luck to even read a small portion of Enigma traffic.)

      But why is connecting to the wrong machine a security breach? Because you're sending your password to somebody that shouldn't have it? Passwords themselves are poor security — nobody can remember all the passwords they need to use, and the usual methods of recording them (like the post-it attached to the monitor) are horribly insecure. If you're paranoid enough to use SSH, you should be using SSH's public key authentication.

      • Re: (Score:3, Insightful)

        by dissy (172727)

        If you count social engineering exploits and sloppy procedures as "user error" then user error accounts for almost all exploits. Mathematical exploits are few and far between -- "breaking the code" is something that pretty much happens only in bad spy movies.

        Buffer overflow? Underflow? Stack smashing?

        None of those exploit vectors require even 'user interaction' let alone could be called 'user error'

        I would have to venture a guess that, while probably not anywhere close to the share true user error has, such attack vectors still do have some share nonetheless.

    • With most SSH implementations, you can't ignore a cert change alert. It's more of a fatal error, at least with every SSH client I've ever used.

      When I reinstall a machine (or regenerate a cert due to, say, a stupid upstream bug), it spits out a big nasty error and will not continue until I remove the offending key from known_hosts.
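Whether a changed host key is a fatal error, a prompt, or nothing at all depends on the client's ssh_config, and a careless "convenience" block can quietly turn the check off for a whole domain. The following is an added example (editor's code, not part of the thread and not OpenSSH's own) that resolves an option's effective value the way ssh(1) does (the first matching Host block wins, and a `!pattern` excludes a host from a block) and flags settings that bypass host key pinning or push you back towards password logins; it also covers the VisualHostKey option mentioned earlier in the thread. Both configuration texts are constructed for the example, and Match blocks and Include directives are deliberately not handled.

```python
import fnmatch


def parse_ssh_config(text: str):
    """Parse client ssh_config text into [(host_patterns, option, value)] in file order.
    Options before the first 'Host' line belong to the implicit 'Host *' block. Match blocks
    and Include directives are not handled (a simplification for this example)."""
    entries, patterns = [], ["*"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            patterns = value.split()
        else:
            entries.append((patterns, key, value))
    return entries


def host_matches(patterns, hostname: str) -> bool:
    """ssh_config Host semantics: any positive pattern may match, but a matching negated
    ('!pattern') entry excludes the host from the whole block."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_option(entries, hostname: str, option: str, default=None):
    """ssh(1) uses the first value obtained for an option, so the earliest matching block wins
    and a permissive block near the top silently overrides stricter ones below it."""
    option = option.lower()
    for patterns, key, value in entries:
        if key == option and host_matches(patterns, hostname):
            return value
    return default


def audit_client_config(text: str, hostname: str):
    """Return [(severity, message)] for settings that weaken host key checking or steer the
    user towards password logins when connecting to hostname."""
    entries = parse_ssh_config(text)
    findings = []
    if effective_option(entries, hostname, "StrictHostKeyChecking", "ask").lower() == "no":
        findings.append(("high", "StrictHostKeyChecking no: unknown and changed host keys are "
                                 "accepted without a prompt, the MITM window discussed above"))
    if "/dev/null" in effective_option(entries, hostname, "UserKnownHostsFile",
                                       "~/.ssh/known_hosts").split():
        findings.append(("high", "UserKnownHostsFile /dev/null: nothing is ever pinned, so every "
                                 "connection is a first connection"))
    if effective_option(entries, hostname, "PubkeyAuthentication", "yes").lower() == "no":
        findings.append(("high", "PubkeyAuthentication no: forces password authentication, the "
                                 "credential a rogue host can capture and replay"))
    if effective_option(entries, hostname, "VisualHostKey", "no").lower() != "yes":
        findings.append(("info", "VisualHostKey is off: with it on, a changed key also shows up "
                                 "as a different randomart image, not only a different fingerprint"))
    return findings


WEAK_CONFIG = """\
# constructed example: a 'convenience' block that turns verification off for a whole domain
Host *.example.com !bastion.example.com
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
Host *
    StrictHostKeyChecking ask
"""

HARDENED_CONFIG = """\
# constructed example: only hosts already in known_hosts are accepted, key shown as randomart
Host *
    StrictHostKeyChecking yes
    VisualHostKey yes
    HashKnownHosts yes
    PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for host in ("work.example.com", "bastion.example.com"):
        print(host, audit_client_config(WEAK_CONFIG, host))
    print("hardened:", audit_client_config(HARDENED_CONFIG, "work.example.com"))
```

`ssh -G hostname` (OpenSSH 6.8 and later) prints the configuration ssh itself computes for a host and is the authoritative answer; the point of the example is the first-match rule, which is why a hardening block placed after a permissive one has no effect, and why the audit has to be run per destination rather than on the file as a whole.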

  • by Kjella (173770)

    ....if one can be broken, probably the other one too. The chance that the frequency of which you connect matters is <0.001% in my opinion. Either it's secure or it isn't, and either way slashdot won't be able to answer that.

  • Neither (Score:4, Informative)

    by nacturation (646836) * on Thursday February 04, 2010 @06:30PM (#31028632) Journal

    Both the persistent connection and the handshake protocol to establish a new connection are completely secure for any practical purpose. If both the server and the client are completely secure, and the connection between them is secure (via strong crypto in ssh) then pick whichever method works best for you.

  • Catch 22 (Score:3, Interesting)

    by SnoopJeDi (859765) on Thursday February 04, 2010 @06:31PM (#31028656)
    If it's an "insecure link" (which is the whole reason SSH was developed ANYWAY), then ANY connection is technically compromised. You can't just assume one that was established "sometime before" is more secure than a new one now. If you carry your assumptions through consistently, they're both compromised and you should just disconnect.
    • I don't think that's the case. I'm pretty sure you can transport the host machine fingerprint to the client, and the public key to the server, and have it impossible to crack the connection without breaking the crypto.

      IANACE (crypto expert) but I think the only avenue for MITM is on the *first* connection to the host, where you need to trust that the link is secure enough to not modify the fingerprint. If you don't need to trust that... I think you're safe.

  • Are they using the interwebs to hack the mainframe, or crack the mainframe? You need to consider if they are after your Datasheets or your Hard-Diskette. There's so many factors to consider. Perhaps they just want to plant a worm that will grow into a virus which will grow into a trojan, if you don't stop it in its Larval stages. You can use cyber worms and cyber Larva in some advanced Phishing techniques, so don't waste them if you come across them. I suppose the only way to be sure 100% secure is to encry
  • by Rantastic (583764) on Thursday February 04, 2010 @06:35PM (#31028696) Journal

    It is good that you are concerned about security. It is bad that you are asking Slashdot for security advice.

    If I told you that it is far more secure to leave your connection open all day, would you take my word for it?

    Do some research on the subject. Learn what terms like IND-CPA, IND-CCA, and IND-CCA2 mean and how to evaluate this situation for yourself. In terms of security, blindly following someone's advice is the less secure choice.

    • Re: (Score:3, Insightful)

      by drinkypoo (153816)

      If I told you that it is far more secure to leave your connection open all day, would you take my word for it?

      He didn't ask you, he asked Slashdot. If everyone reputable tells him the same thing, he can probably believe it. If he had time to become a security expert, he probably would have. There are of course no certainties in life, but generally speaking, you can trust the experts most of the time. Amusingly enough, many of the experts seem to have plenty of time to read Slashdot, and even post occasionally :)

  • by gmuslera (3436) on Thursday February 04, 2010 @06:44PM (#31028804) Homepage Journal
    If you assume that the remote server is safe, and the communication is safe, then the risk could be at your own box.
    Forgetting to set even a screensaver with a password in a place where there are more people (i.e. kids, or in an office) or even non-people (I don't think a cat could hit rm -rf, but it's your server, not mine) could make a difference in that question. There could also be a hypothetical risk of some rogue app/trojan (?) sending events to the window that has the ssh session too, but the odds are somewhat low.
  • Key Fingerprint (Score:5, Informative)

    by phantomcircuit (938963) on Thursday February 04, 2010 @06:46PM (#31028832) Homepage

    The only thing that is important is that you verify the public key fingerprint presented by your server to prevent MITM attacks. Aside from that there is absolutely no reason to believe the ssh protocol itself has been broken.

  • by Medievalist (16032) on Thursday February 04, 2010 @06:53PM (#31028910)

    "Is it safer to log out of an SSH session, and re-establish it later, or just keep the connection open?

    It's safer to log out and re-establish. UNLESS you are subverting host key verification - just clicking past the big warning sign that OpenSSH throws up when it sees an unknown host key - in which case you certainly can get MITM'd. Keep copies of your public (not private!) host keys on a thumb drive for use the first time you connect from an outside box.

    Like many of you, I use OpenSSH to connect to my Slackware Linux boxes remotely from Linux and WinXP (putty.exe) clients. At home and at work, I wonder if it would be safer to just leave the connection open (my clients are physically secured, the servers limit connections with hosts.allow). Is it more secure to re-establish the connection over an insecure link (big bad internet) where people can sniff that handshaking, or is it more secure to just remain connected? I connect 1 to 4 times per day, most days."

    I believe the "handshake" is a diffie-hellman key exchange. It can't be sniffed and cracked in realtime. On the other claw, I suppose it's theoretically possible that if you leave the connection open long enough, a determined attacker with titanic resources can brute your session key. In reality, I personally don't think that will ever happen to you, it'd be cheaper for anyone with those kind of resources to use the $5 wrench upside your head method. [xkcd.com]

    Here's something to consider: If your computer is turned off, it's not being hacked. If your computer is turned off, it's not getting a virus. If your computer is turned off, nobody is sniffing your packets. If your computer is turned off, lightning isn't blowing through the ground line of your UPS like a knife through butter and turning your motherboard into a campfire. If your computer is turned off, a jealous colleague is not sneaking into your office and using it without leaving a login record. If your computer is turned off, it's not part of a botnet. If your computer is turned off, it is immune to zero-day exploits that are absolutely unstoppable by any other means.

    The most secure computer is turned off. Any time you don't need your computer to be turned on, just turn it off. If everyone did this, we'd save millions of dollars (and hopefully, cut off some funding to energy suppliers who hate us).

    • Re: (Score:2, Informative)

      by gregben (844056)

      If your computer is turned off, lightning isn't blowing through the ground line of your UPS like a knife through butter and turning your motherboard into a campfire.

      No. The easy, safe, way to protect against lightning strikes is to turn off and unplug the computer so there is no conductive path into it.

      • by JustNiz (692889)

        I also bury my computer in the yard after every time I'm done using it, so that it's safe from nukular war.

    • You can just click through that? There's an easier way than going into .ssh/known_keys and deleting the offending line?

      I thought it was like that to force you to think about why the host you're connecting with might be presenting you with a new key...

  • In your situation (Score:4, Insightful)

    by mindstrm (20013) on Thursday February 04, 2010 @07:19PM (#31029144)

    Reconnect. Leaving the sessions constantly open means if your workstation is compromised, you may have compromised the servers as well.... at least you've increased the risk profile of the servers.

    Connect as needed - use proper key management and passwords, etc.

  • Boring... (Score:3, Funny)

    by brundlefly (189430) on Thursday February 04, 2010 @07:23PM (#31029178)

    This is exactly the sort of question that Stack Overflow was created for....

  • by dweller_below (136040) on Thursday February 04, 2010 @07:31PM (#31029244)

    I do IT Security for a university. One of my projects is to do some rudimentary traffic analysis of our SSH sessions.

    I look for the negotiation between SSH server and client and log connections. Since the negotiation is port independent, I can log the start of SSH sessions, no matter what port they are on. This allows me to:

    1) Notice if important systems have sprung a new SSH backdoor.
    2) Notice if important systems are SSH'ing out to weird places.
    3) Check with local sys-admins and say things like: 'Looks like the Chinese have found your supersecret SSH port. Again. You have proved that TCP/222 and TCP/2222 are not good choices. Maybe this time you want to borrow my HexDice?'

    Anywho, my rudimentary traffic analysis can be defeated if you change the SSH negotiation. It can be hindered if you just leave the connections running for days at a time.

    So, if you want to annoy people like me, you may want to leave the connections up.

    Miles
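An added example (editor's code, not dweller_below's tool) of the port-independent detection he describes: both ends of an SSH connection send a cleartext identification line before any key exchange (RFC 4253, section 4.2), so a sensor can log session starts on any port by looking for that line instead of for port 22. The packet records below are constructed for the example; a real feed would come from a pcap or a Zeek-style sensor, which also knows which side opened the connection. The sample traffic includes the two blind spots he names: a deliberately altered banner goes unseen, and a session that started before the sensor was watching never produces a start event at all.

```python
import re
from dataclasses import dataclass

# RFC 4253 section 4.2: 'SSH-protoversion-softwareversion SP comments CR LF'. The software
# version may not contain whitespace or '-'. Both peers send this line in the clear before
# key exchange, whatever TCP port the server listens on.
BANNER_RE = re.compile(rb"^SSH-(?P<proto>\d+\.\d+)-(?P<sw>[^ \r\n-]+)(?: (?P<cmt>[^\r\n]*))?\r?$")


@dataclass(frozen=True)
class Segment:
    """One observed TCP payload. Constructed for the example; a real feed would come from a
    pcap or a Zeek-style sensor, which would also know which side opened the connection."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def find_banner(payload: bytes):
    """Return (protoversion, softwareversion) for the first identification line in payload,
    or None. The RFC lets a server send other lines before its banner, so scan line by line
    rather than only testing the first bytes."""
    for line in payload.split(b"\n"):
        m = BANNER_RE.match(line)
        if m:
            return m.group("proto").decode(), m.group("sw").decode()
    return None


def detect_ssh_sessions(segments):
    """One event per observed banner, keyed on the flow rather than on port 22. The service
    port is taken as the lower of the two (ephemeral ports are high); this heuristic stands in
    for the originator/responder knowledge a real sensor has."""
    events = []
    for seg in segments:
        hit = find_banner(seg.payload)
        if hit is None:
            continue
        service_port = min(seg.sport, seg.dport)
        server = seg.src if seg.sport == service_port else seg.dst
        events.append({"ts": seg.ts, "server": server, "port": service_port,
                       "proto": hit[0], "software": hit[1]})
    return events


def nonstandard_port_servers(events):
    """Sorted (server, port) pairs seen speaking SSH somewhere other than 22, i.e. the hosts
    whose 'secret' ports are no secret to anyone watching the wire."""
    return sorted({(e["server"], e["port"]) for e in events if e["port"] != 22})


# Constructed traffic: a normal login on 22, a server on 2222 that prints a greeting before its
# banner, an HTTP request, a deliberately altered banner (the evasion the comment above
# mentions) and a PuTTY client hitting the 2222 server from outside.
SAMPLE_SEGMENTS = [
    Segment(1.0, "10.0.0.5", 51234, "10.0.0.9", 22, b"SSH-2.0-OpenSSH_5.3\r\n"),
    Segment(2.0, "10.0.0.9", 2222, "203.0.113.7", 40001,
            b"Welcome. Authorised users only.\r\nSSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n"),
    Segment(3.0, "10.0.0.5", 51300, "10.0.0.9", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Segment(4.0, "10.0.0.9", 443, "203.0.113.7", 40002, b"XSH-2.0-mangled_banner\r\n"),
    Segment(5.0, "203.0.113.7", 40003, "10.0.0.9", 2222, b"SSH-1.99-PuTTY_Release_0.60\r\n"),
]

if __name__ == "__main__":
    found = detect_ssh_sessions(SAMPLE_SEGMENTS)
    for event in found:
        print(event)
    print("SSH servers off port 22:", nonstandard_port_servers(found))
```

The altered banner on 443 is silently missed, which is exactly the weakness the commenter concedes; the only way to see that session is to look at the traffic shape after the handshake, not at the banner. Likewise, a session that was already up when the sensor started never emits a banner again, so a connection left open for days is invisible to this check for as long as it lives.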

  • by Lemming Mark (849014) on Thursday February 04, 2010 @07:36PM (#31029298) Homepage

    Like many of you, I use OpenSSH to connect to my Slackware Linux boxes remotely

    If many of us are connecting to your Slackware boxes, reconnecting is not your largest vulnerability!

    (sorry, couldn't resist)

  • Unless you lock your desktop every single time you get up and walk away from your desk, it's better to generally disconnect, because you lessen the (admittedly very small odds) that someone else will simply walk up to your workstation, and either out of malice, curiosity or just mistake (they think you are logged in someplace it's ok for them to poke around), they end up accessing your remote session.

    It may also look suspicious to sysadmins that you keep sessions alive for so long.

    Is it possible for a Windows admin to poke around your desktop, remotely, without your knowledge? I believe they normally have to make a request that you accept before you hand over control of your desktop to a Windows admin, but I don't know if Windows (or other corporate monitoring software) allows this to happen without your knowledge.

    • by gparent (1242548)

      Is it possible for a Windows admin to poke around your desktop, remotely, without your knowledge? I believe they normally have to make a request that you accept before you hand over control of your desktop to a Windows admin, but I don't know if Windows (or other corporate monitoring software) allows this to happen without your knowledge.

      Remote desktop takes control of the session, so you're locked out, they don't access your session. Now obviously some monitoring software out there is going to have a "stealth" mode, but that has nothing to do with Windows, it could happen on any OS.

      • I didn't really mean remote desktop; I meant more "session sharing", though my point is not the standard session sharing someone will request if you're asking an admin for Windows help.

        Yes, a stealth program installed by your employer could happen on any OS. My point is not that this is a Windows problem, but that such software has more opportunity to observe what you've been doing remotely if you leave sessions open all the time.

  • If you log in typing in a password, it might be easier for somebody to get your password by looking over your shoulder, installing a camera in your premises or use a keyboard sniffer. In the case of password authentication, every time you log in is a weak point.


  • by wvmarle (1070040) on Thursday February 04, 2010 @10:58PM (#31030798)

    Come on people what is this? Tagging such a story where someone asks about some security where some obscure attack may be possible and then tagging it "you aren't that important"?!

    This is the same messageboard that wants https for everything, even for this board.

    This is the same board that seems to hold privacy above all.

    And on top of it, it is full of nerds that tend to love to go into this kind of obscure detail.

    And then tag it "you aren't that important" implying "what are you worried about", or with a little further stretch "you have nothing to hide, so don't bother". This is quite ridiculous.

    To me I am the most important person in the world, and I would like to live safe and secure. The poster is likely the most important person to himself, and he also wishes to live safe and secure. I wouldn't go as far as poster does, but that's besides the point. He does want to go this far, and has a genuine question that many may consider over the top for personal security but which may have consequences for entities that are under constant attack, where any minute attack vector may mean the difference between safe and 0wned.

    "youarentthatimportant" is the worst tag I have ever seen. It's denigrating at best. It's stupid, and shows lack of respect for other people. I may hope this was intended as a joke and a joke alone.

  • More info? (Score:3, Insightful)

    by Wovel (964431) on Friday February 05, 2010 @01:53AM (#31031992) Homepage

    How could anyone really answer your question without knowing the value of the servers you are logged into? If the servers you are connecting to are in a secured bunker and you are leaving the connection open from your house while you're not there and the data is something valuable enough for someone to break into your house.. Well then no, you should not leave the session logged in. In general it is a bad idea to leave a connection you are not using logged in. If you are locking your workstation (you did not say), then maybe it is still ok.

    Keep strict host key checking on and just log out when you are not using the box. If the key changes and you're not expecting it, either someone has already broken into your server, your DNS server (on either end), or it is time to talk to the ISPs on the endpoints and find out which one is out to get you. The "big bad" Internet is the least likely place for you to have a security problem, it is simply too unpredictable.

  • by 1s44c (552956) on Friday February 05, 2010 @02:47AM (#31032174)

    I use OpenSSH to connect to my Slackware Linux boxes remotely from Linux and WinXP (putty.exe) clients.

    You are fixing a non-problem. You should be fixing the weakest point of attack first, that being the windows machine you are connecting from.
