Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 15 Sep 2014 13:27:42 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
Cc:        FreeBSD - <freebsd-questions@freebsd.org>
Subject:   Re: comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...
Message-ID:  <CAHu1Y73WnuuP3B0thJpZA0fhOmqhCD8Xd3resO5nvVeGu-qUjQ@mail.gmail.com>
In-Reply-To: <C95AD5C3-85F5-406E-9FAF-88688C63A4F2@mac.com>
References:  <Pine.NEB.4.64.1409112200270.27915@faeroes.freeshell.org> <08D7B04D-CBBF-4330-BAD6-2668F9560964@mac.com> <Pine.NEB.4.64.1409151906110.5595@faeroes.freeshell.org> <C95AD5C3-85F5-406E-9FAF-88688C63A4F2@mac.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Mon, Sep 15, 2014 at 12:13 PM, Charles Swiger <cswiger@mac.com> wrote:

> On Sep 15, 2014, at 12:07 PM, John Case <case@SDF.ORG> wrote:

>> Ok, thanks - but SSH key+passphrase is still much better than just plain old password, yes ?
>
> Yes, it's better.  However, the default storage that SSH uses for private keys with a passphrase isn't as strong as it could be.

Agreed. Though there are different kinds of threats. Disabling
password auth means no brute force password attempt will work. If you
do as I do and store your encrypted SSH key on a secure (assume for
the moment that's true :-) USB vault, and add it to an ssh-agent on
the local host, and enable agent forwarding - we've come close to SSO
with reasonable security.

Newer versions of OpenSSH support pam-google-authenticator, which is a
very nice way of accomplishing multifactor authentication. I tend to
use this everywhere. Central management is left as an exercise for the
reader (pam_url on Linux is a possible starting point).

- M



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CAHu1Y73WnuuP3B0thJpZA0fhOmqhCD8Xd3resO5nvVeGu-qUjQ>