date 2008-05-19
from the any-bright-ideas? dept.
Honey pots and canaries are increasingly common. Both, especially the latter, can trigger an alarm once particular segments of an infrastructure are breached or come under specific types of attack. However, dedicated honey pots are complex systems and require a lot of setup, maintenance, and monitoring to be of any use rather than just liabilities. One way out might be to scatter some fake SSH keys about the infrastructure and tie them to alarms. The question remains how useful they would be in practice.
The thought behind honey keys is similar to Honeywords, a concept published a while ago to help identify attempts to use data collected in breaches to gain unauthorized access to a user account. In our case, when the attacker attempts to authenticate with the honey key, the attempt is logged (or triggers another action chosen by the defender) and an alarm is sounded for use of the key.
Fortunately, the authorized_keys format permits a rarely used options field that aids greatly in this attempt.
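One way such an entry and its alarm could look, as an added example that is not from the original post: the options field binds the honey key to a forced command that writes an alert to syslog. The script path, the `--alarm` switch and the syslog tag are assumptions; the options themselves are standard OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example. The script path, "--alarm" switch and syslog tag are assumptions.

# Print the authorized_keys line for a honey key. The options field pins the
# key to this script and turns off forwarding, PTYs and ~/.ssh/rc, so a login
# with the key can do nothing except raise the alarm.
honeykey_entry() {  # $1 = installed path of this script, $2 = public key
    printf 'command="%s --alarm",no-port-forwarding,no-X11-forwarding,' "$1"
    printf 'no-agent-forwarding,no-pty,no-user-rc %s\n' "$2"
}

# Neutralise control characters and double quotes so client-supplied text
# cannot forge extra log lines or break the quoted fields.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?' | tr '"' "'"
}

# Build the alert from variables sshd exports into the session:
#   SSH_CONNECTION       "client_ip client_port server_ip server_port"
#   SSH_ORIGINAL_COMMAND what the client asked to run (unset for a shell)
alarm_message() {
    printf 'HONEYKEY used: user=%s conn="%s" cmd="%s"' \
        "$(sanitize "${USER:-unknown}")" \
        "$(sanitize "${SSH_CONNECTION:-unknown}")" \
        "$(sanitize "${SSH_ORIGINAL_COMMAND:-<interactive>}")"
}

# Forced-command entry point: sshd runs this instead of the client's request.
if [ "${1:-}" = "--alarm" ]; then
    logger -p auth.alert -t honeykey "$(alarm_message)"
    exit 1  # close the session without running anything for the client
fi
```

Because the honey key authenticates successfully before the forced command runs, the entry belongs on an account that holds nothing of value.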