
I was astonished when I found that one of the most popular SSH clients, PuTTY, stores cleartext credentials in the Windows Registry:

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\

Passwords, or even SSH key paths, are disclosed, making it easier not only for malware but even for a simple .bat file to steal the credentials.

What is a safer approach to storing credentials? I know that everything (encryption, etc.) can be reverse-engineered, but at least it makes the attempt a bit harder, which might mean slightly more security (compared to nothing).


I've switched to KiTTY in portable mode (so it only stores info in the portable directory, and unless malware finds that folder directly, passwords seem a bit safer... But that doesn't turn out to be very secure either, as malware can also scan the HDD. But IMHO it is still a bit "secure" compared to PuTTY, even if you have that directory on a pluggable USB drive).

T.Todua
schroeder

2 Answers


In the context of ssh, "credentials" can have two meanings.

Cleartext password

It is true that storing a password as cleartext, i.e. without any encryption, is at least a bad practice from a security point of view. However, encrypting it properly is simply impossible: PuTTY somehow needs to access it when authenticating with the remote server. To do that, it would need to decrypt it. It does not matter how this is done; the same could also be done by a potential attacker. Encrypting the password would be security through obscurity, so it would not offer much of a security gain.

Although using some encryption, or using an improved SSH protocol which somehow circumvents this, would obviously be better, the difference is not as huge as it seems at first glance.

Public/private key pair

The public key can be sent anywhere; the private key should be kept secret. For the private key, the case in this context is the same as for the password: if someone can read out the private key, they can also manipulate the PuTTY process to extract it for them.


The most important thing to know: getting the credentials requires access to the client machine (either as an admin account or as the user's account). With this access, even an encrypted password could be eavesdropped, for example by using a keylogger or by hacking your PuTTY binary.

This is an inherent security weakness of all password- or key-based authentication systems. The only solution is for the authentication to happen on a different channel, by a different system from the one the connection was initiated from. There are multiple solutions for this, such as multi-factor authentication or Kerberos. Most SSH software (including PuTTY and the OpenSSH server) supports the second, although it is rarely used in daily practice.

The daily practice is to not allow anybody physical access to your client machine. If they have access, they can access much more than just your SSH keys/passwords.

About Kitty

The same holds for KiTTY. It might not keep cleartext passwords or keys in the registry, but it still somehow needs to get access to your passwords/keys. Even if it stores them in a less public way, whatever KiTTY does to decrypt/access them, malware can do as well (or a modified KiTTY binary can do). Thus, KiTTY increases the security of your system only a little bit. But it might give a false sense of security, which could be even dangerous.

peterh
  • Encrypting the cleartext password is not security through obscurity. Keyring implementations in Linux, macOS, and most importantly in password managers do encrypt the plaintext passwords. The issue isn't that encrypting them is security through obscurity, but rather that encrypting the password means you need another password to unlock the keyring. For the purpose of password managers/keyrings, that's fine; but the main reason people saved their password in PuTTY is so that they don't have to enter any passwords, so that rules out being able to encrypt that password with another password. – Lie Ryan Oct 14 '19 at 11:21
  • @LieRyan The question suggests giving more protection to the PuTTY password, but in a way where all the information to decrypt the password is available on the system, only its decryption method is more sophisticated. It is IMHO clearly security through obscurity. Maybe I misinterpreted the question, as this is not clearly stated in it, but I believe I have not. – peterh Oct 14 '19 at 12:09

Whatever encryption method you use to hide your credentials (be it a private key, password or something else) on your machine, the software needs them in cleartext at some point in order to do its job. Encrypting a private key with a password is reasonable, but encrypting a password with a password is pointless: you will still have to enter a password, so you might as well not save the original password in the first place.

If your computer is not secure enough to save a certain password, it is generally not secure enough to enter the password at all. Someone with file access to your computer can install a keylogger as well.

fraxinus
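A defender-side audit that turns the registry path from the question and fraxinus's point about passphrase-protected private keys into a check, added here as an example (it is not code from the question or either answer). The Sessions path is the one named in the question; the value names HostName, UserName, PublicKeyFile and ProxyPassword and the "Encryption:" header line in .ppk files are assumed to match PuTTY's saved-session and key-file formats. It reports which sessions hold a stored credential without printing any secret.

```powershell
# Added audit example: list PuTTY saved sessions that store a proxy password
# or reference a private key file, and check whether that key file is
# passphrase-protected. No secret values are printed. Value names other than
# the Sessions path (HostName, UserName, PublicKeyFile, ProxyPassword) are
# assumed PuTTY setting names; adjust them if your PuTTY build differs.
$sessionsRoot = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'

function Get-PpkEncryption {
    param([string]$Path)
    # A .ppk file carries an "Encryption:" header; "none" means the private
    # key on disk has no passphrase (assumed header layout).
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $header = Get-Content -LiteralPath $Path -TotalCount 5 |
        Where-Object { $_ -like 'Encryption:*' } | Select-Object -First 1
    if ($header) { return ($header -replace '^Encryption:\s*', '').Trim() }
    return 'unknown'
}

if (-not (Test-Path $sessionsRoot)) {
    Write-Warning "No PuTTY sessions found under $sessionsRoot"
    return
}

Get-ChildItem $sessionsRoot | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    # Session names are URL-encoded in the registry (e.g. %20 for a space).
    $name = [uri]::UnescapeDataString($_.PSChildName)
    $findings = @()
    if ($p.ProxyPassword) { $findings += 'proxy password stored in cleartext' }
    if ($p.PublicKeyFile) {
        $enc = Get-PpkEncryption -Path $p.PublicKeyFile
        switch ($enc) {
            'none'    { $findings += "key file $($p.PublicKeyFile) has no passphrase" }
            'missing' { $findings += "key file $($p.PublicKeyFile) not found" }
            default   { $findings += "key file referenced (encryption: $enc)" }
        }
    }
    $summary = if ($findings) { $findings -join '; ' } else { 'none' }
    [pscustomobject]@{
        Session  = $name
        Target   = "$($p.UserName)@$($p.HostName)"
        Findings = $summary
    }
} | Format-Table -AutoSize
```

Sessions flagged with a stored proxy password or an unencrypted key file are the ones where the answers' advice applies: remove the saved password, and give the key a passphrase (PuTTYgen can add one to an existing .ppk).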