On 22/10/24 04:26, Chris Green wrote:
> It's also **much** more difficult to keep all those keys etc. well organised. What has brought me to this question is the mixed collection of RSA and ed25519 keys all over lots of systems getting very difficult to keep under control, and thus error prone (=insecure). If I went back to all passwords life would be so much easier!
Life for me actually became a lot easier when I bought myself an OpenPGP-enabled security token and learned to use the SSH agent support built into GnuPG.
If I take the token with me when I go out, someone who breaks in does not have access to my private key, because it's not stored on the computer.
If I forget to take the token with me, they get 3 guesses at correctly entering the passphrase to unlock it before the device locks itself. The only real vulnerability is if I leave it plugged in and unlocked, but then the moment they unplug the device or power off the host it's plugged into: game over.
--
Stuart Longland (aka Redhatter, VK4MSL)
I haven't lost my mind...
...it's backed up on a tape somewhere.
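The setup Stuart describes, as an added example that is not part of the thread: turn on gpg-agent's SSH agent emulation, point ssh at its socket, and read the token's remaining PIN retries out of `gpg --card-status` so you know how close it is to locking. The config path and the sample card-status line are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): use gpg-agent as the SSH agent
# for an OpenPGP token, and check the PIN retry counter before relying on it.

# Append 'enable-ssh-support' to gpg-agent.conf exactly once, with owner-only perms.
write_agent_conf() {
  conf="$1"                      # path to gpg-agent.conf (assumed, e.g. ~/.gnupg/gpg-agent.conf)
  mkdir -p "$(dirname "$conf")"
  touch "$conf"
  grep -qx 'enable-ssh-support' "$conf" || echo 'enable-ssh-support' >> "$conf"
  chmod 600 "$conf"
}

# Read 'gpg --card-status' output on stdin and print the user-PIN retries left
# (first number on the 'PIN retry counter' line). Prints nothing if absent.
pin_retries_left() {
  sed -n 's/^PIN retry counter *: *\([0-9][0-9]*\).*/\1/p'
}

# Lines for a login profile: hand SSH the gpg-agent socket instead of ssh-agent's,
# and tell the agent which tty to use for PIN prompts.
ssh_env_snippet() {
  cat <<'EOF'
unset SSH_AGENT_PID
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
gpg-connect-agent updatestartuptty /bye >/dev/null
EOF
}

# Warn when the counter is below the default of 3, i.e. someone has been guessing.
check_retries() {
  left="$1"
  [ -n "$left" ] && [ "$left" -lt 3 ] && echo "WARNING: only $left PIN attempts left before the token locks"
  return 0
}
```

After sourcing the snippet, `ssh-add -L` should list the token's authentication key while no private key file exists on disk.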