The good thing about PKI is that it takes longer to break. The bad thing about PKI is many admins keep many private keys in the same spot. So you figure out one password, many doors are open.

--Alex

-----Original Message-----
From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Stephen Harris
Sent: Saturday, December 31, 2011 6:41 AM
To: CentOS mailing list
Subject: Re: what percent of time are there unpatched exploits against default config?

On Sat, Dec 31, 2011 at 05:43:54AM -0800, Drew wrote:
> The argument I saw against PKI is that it's no more secure than
> regular passwords because your certificates are password protected
> anyways and stored on external media so they can be stolen and used to
> access the system.

Typical security is based around three things:

1. Something you know (eg password)
2. Something you have (eg physical token, USB key, ssh private key)
3. Something you are (eg fingerprint)

Passwords are "1 factor"; it's just a password. RSA SecurID tokens are "2 factor"; you need the number on the token and the PIN. The more factors you have, typically the stronger the protection. (Assuming proper implementation, of course!)

In the same way, public key authentication is 2 factor (in the SSH implementation, anyway) because you need the private key and the passphrase to the key. (Historically, passphrases were longer than 8 character passwords but that's not so true on many systems, today.)

Why is this more secure? Because a gazillion people can brute force attack a box protected by passwords, however only people who have physical access to the token (#2) can attack my box. By stealing the token they've reduced my protection to single factor. BUT, and this is an important but, they _have to steal it first_.

SSH keys are weaker than RSA tokens because an SSH key can be duplicated without the owner's knowledge; if you steal my RSA key then I'll know! But you still need to duplicate it, and that makes it stronger than password auth.

--
rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
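Stephen's point is that an SSH key is only a second factor when the private key file is actually passphrase-protected, and Alex's point is that admins tend to pile keys up in one place. An audit that flags unencrypted private keys is the check a defender would want. The script below is an added example, not code from the CentOS thread or the OpenSSH project; the function names (`key_is_encrypted`, `audit_keys`, `make_openssh_blob`) and the sample key files are constructed here. It inspects the two common OpenSSH private-key encodings for their encryption markers: legacy PEM keys carry a `Proc-Type: 4,ENCRYPTED` header, and `openssh-key-v1` keys record a cipher name and KDF name, where `none`/`none` means the key material is stored in the clear.

```python
"""Audit helper: report whether SSH private key files are passphrase-protected.

Added example (not from the mailing-list thread or OpenSSH). The sample keys
below are constructed, truncated blobs that exercise only the header fields
this parser reads; they are not usable keys.
"""
import base64
import struct
from typing import Dict, Iterable, Tuple

PEM_MARKER = b"-----BEGIN "
OPENSSH_MARKER = b"-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:end], end


def key_is_encrypted(data: bytes) -> bool:
    """Return True if the private key file contents are passphrase-protected."""
    if data.startswith(OPENSSH_MARKER):
        # New-format key: base64 body wrapping "openssh-key-v1\0", then
        # ciphername and kdfname strings. "none"/"none" means unencrypted.
        body = b"".join(ln for ln in data.splitlines() if not ln.startswith(b"-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        return cipher != b"none" or kdf != b"none"
    if data.startswith(PEM_MARKER):
        # Legacy PEM (RSA/DSA/EC) keys mark encryption with a Proc-Type header.
        return b"Proc-Type: 4,ENCRYPTED" in data
    raise ValueError("unrecognised private key format")


def make_openssh_blob(cipher: bytes, kdf: bytes) -> bytes:
    """Build a constructed, truncated openssh-key-v1 file containing only the
    header fields (magic, ciphername, kdfname, kdfoptions, nkeys)."""
    def s(x: bytes) -> bytes:
        return struct.pack(">I", len(x)) + x
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return (OPENSSH_MARKER + b"\n" + base64.encodebytes(blob)
            + b"-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM samples (bodies are placeholders, not real key data).
SAMPLE_PEM_ENCRYPTED = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    b"AAAA(constructed placeholder)AAAA\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PEM_PLAIN = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"AAAA(constructed placeholder)AAAA\n"
    b"-----END RSA PRIVATE KEY-----\n"
)

SAMPLE_KEYS = [
    ("id_ed25519", make_openssh_blob(b"aes256-ctr", b"bcrypt")),
    ("id_ed25519_nopass", make_openssh_blob(b"none", b"none")),
    ("id_rsa_old", SAMPLE_PEM_ENCRYPTED),
    ("id_rsa_plain", SAMPLE_PEM_PLAIN),
    ("not_a_key", b"ssh-ed25519 AAAA... user@host\n"),
]


def audit_keys(files: Iterable[Tuple[str, bytes]]) -> Dict[str, str]:
    """Classify each (name, contents) pair as 'encrypted', 'UNENCRYPTED' or 'unknown'."""
    report = {}
    for name, data in files:
        try:
            report[name] = "encrypted" if key_is_encrypted(data) else "UNENCRYPTED"
        except ValueError:
            report[name] = "unknown"
    return report


if __name__ == "__main__":
    for name, verdict in audit_keys(SAMPLE_KEYS).items():
        print(f"{name:20s} {verdict}")
```

To run this against a real `~/.ssh`, feed `audit_keys` the `(filename, Path(f).read_bytes())` pairs for files that lack a `.pub` suffix; any `UNENCRYPTED` line is a key that gives up the second factor Stephen describes the moment the file is copied.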