Re: SSH Question relating to Public and Private Keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Tue, 2008-04-15 at 17:56 +1200, Clint Dilks wrote:
> Hi People,
> 
> The Linux Environment I am responsible for is using ssh key pairs to 
> allow access to a number or accounts on a number Linux Servers.  I 
> currently have the opportunity to re-design some of this.  So I would 
> like to tap into peoples experiences to see what might be some good 
> changes to make.  Specifically I have a couple of questions
> 
> 1. Currently all of the key pairs we are using have empty passphrases is 
> it worth the effort of changing this and setting up ssh-agent compared 
> to what you gain in security by doing this ?

Keeping in mind what the other responders have said, you need to do at
least an informal risk analysis to determine whether it is worth the
effort. Without going into all the formalities of assessment, reduction,
acceptance, assignment, ...

How sensitive is the data and how critical are the functions that that
could be disrupted? What is the scope of exposure to intrusion from
outside the organization (LAN, firewalls, in place, etc.).

How effectively will the enhanced procedures be used? Will users
frequently try to bypass them because it is inconvenient etc.?

OT: does the political environment (e.g. management) support increased
security or does it view increased security as an inconvenient thing
they view as really unnecessary in their situation?

>From a purely technical POV, it is as the other responders have said.
Having *decent* pass phrases is certainly worthwhile.

> 
> 2. At this stage I am going to use RSA Keys of the default size, is this 
> generally the best approach?

Unless you are in an environment that is a desirable target for
espionage (corporate, military, ...) the default sizes are sufficient
IMO.

> 
> 
> Thanks for any thoughts, and have a nice day :)
> <snip sig stuff>

-- 
Bill

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux