Re: Security of ssh across a LAN, public key versus password

Hi Chris,

> > > What do you mean by "keypair authentication"?
> > 
> > That's the authentication you use when you have ssh-keygen provide you
> > with a private key and a public key, and distribute the public key to all
> > the different authorized_keys files.
> 
> But he says not to use passphrases, I'm confused.

I'm not sure which "he" you mean here.

A possible confusion is that there are two ways the term passphrase can be used when it comes to OpenSSH:

* Passphrase authentication, where you log into a machine and the sshd on the other end challenges you to enter a passphrase, usually matching your remote account's password.
* Encrypting your private key with a passphrase, which is what happens when you enter a passphrase while using ssh-keygen or ssh-add.

When you enter a passphrase at the ssh-keygen or ssh-add prompt, this isn't authentication. It's encryption: the private key has been encrypted with a passphrase, and you enter the passphrase to unlock it, which needs to be done before the key can be used as part of keypair authentication.

This is different to *passphrase authentication*, in which you have not distributed your public key to authorized_keys files on the remote nodes, and instead expect the remote to challenge you.

To revisit some of what I touched on earlier, to make these distinctions clearer:

* Never use passphrase *authentication*, instead use keypairs, always.
* Do consider passphrase *encryption* of your private key, as one possible way of keeping it secure, in case of unauthorized physical access to the local storage.

Does that help?

~ Tim

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
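The two recommendations in Tim's reply, turned into something you can run. This is an added example, not code from the thread or from OpenSSH: the function names are mine, the two sshd_config files are constructed samples written to a temp directory, and the key-generation part runs only if ssh-keygen is installed. The audit relies on documented sshd_config behaviour (the first occurrence of a keyword wins, keywords are case-insensitive, Match blocks only apply to matching connections) and assumes the usual "Keyword value" syntax rather than the optional "Keyword=value" form.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from OpenSSH. Audits an
# sshd_config for password paths left open and shows what a passphrase on a
# private key actually does (encrypts the file). Sample configs are constructed.

# Effective top-level value of a directive. sshd keeps the FIRST occurrence of
# a keyword, skips comments, and matches keywords case-insensitively. Settings
# inside Match blocks apply only to matching connections, so stop at the first.
sshd_effective() {   # FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/          { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { print $2; exit }
    ' "$1"
}

# Same, falling back to the default sshd uses when the keyword is absent.
sshd_setting() {   # FILE KEYWORD DEFAULT
    v=$(sshd_effective "$1" "$2")
    printf '%s\n' "${v:-$3}" | tr 'A-Z' 'a-z'
}

# Returns 0 only when keypair authentication is the sole method left open.
audit_sshd_config() {   # FILE
    f=$1 rc=0
    [ "$(sshd_setting "$f" PubkeyAuthentication yes)" = yes ] ||
        { echo "$f: PubkeyAuthentication is off"; rc=1; }
    [ "$(sshd_setting "$f" PasswordAuthentication yes)" = no ] ||
        { echo "$f: PasswordAuthentication still yes (sshd's default)"; rc=1; }
    # keyboard-interactive (PAM) is a second route to a password prompt; older
    # releases name it ChallengeResponseAuthentication, so honour either.
    kbd=$(sshd_effective "$f" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_effective "$f" ChallengeResponseAuthentication)
    [ "$(printf '%s' "${kbd:-yes}" | tr 'A-Z' 'a-z')" = no ] ||
        { echo "$f: KbdInteractiveAuthentication still yes"; rc=1; }
    grep -qi '^[ \t]*match' "$f" &&
        echo "$f: has Match blocks; confirm with: sshd -T -C user=U,host=H,addr=A"
    return $rc
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: looks locked down, but the password line is only a
# comment, so sshd's default (yes) still applies.
cat > "$WORK/weak.conf" <<'EOF'
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
UsePAM yes
EOF

# Constructed sample 2: the post's advice applied, keypairs only.
cat > "$WORK/hardened.conf" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
UsePAM yes
EOF

for c in weak hardened; do
    audit_sshd_config "$WORK/$c.conf" && echo "$c.conf: keypair-only"
done

# Second point: a passphrase encrypts the key file, nothing more. ssh-keygen -y
# recomputes the public key from the private one; given an empty passphrase
# (-P '') it fails on an encrypted key, which makes a quick on-disk check.
key_is_encrypted() {   # PRIVATE_KEY_FILE
    [ -r "$1" ] || return 2
    ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1 </dev/null
}

if command -v ssh-keygen >/dev/null 2>&1; then
    # -a 100 raises the KDF rounds, slowing offline guessing if the file leaks.
    # The passphrase is on the command line only for this demo; interactively,
    # omit -N and answer the prompt instead.
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/plain_key"
    ssh-keygen -q -t ed25519 -a 100 -N 'demo passphrase only' -f "$WORK/enc_key"
    for k in plain_key enc_key; do
        if key_is_encrypted "$WORK/$k"; then echo "$k: passphrase-protected"
        else echo "$k: unencrypted on disk"; fi
    done
fi
```

Before reloading a real sshd, run "sshd -t -f FILE" for a syntax check and "sshd -T" to see the values it actually resolved, since a Match block further down can re-enable passwords for particular users or source addresses. To add a passphrase to a key that already exists, "ssh-keygen -p -f KEY" rewrites the file in place without changing the key itself, so nothing in authorized_keys needs to change.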