Date: Wed, 17 Sep 2014 00:00:38 -0400
From: Daniel Staal
To: John Case, freebsd-questions@freebsd.org
Subject: Re: comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...
References: <08D7B04D-CBBF-4330-BAD6-2668F9560964@mac.com>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
List-Id: User questions

--As of September 15, 2014 7:09:46 PM +0000, John Case is alleged to have said:

>> Key based auth is definitely the better choice out of those two.
>
> Ok, agreed.
>
> However, just out of curiosity - let's pretend that sshd *did* allow you
> to use both an SSH key and a UNIX password at the same time ... would
> that be more or less secure than using an SSH key with a built-in
> passphrase ?

--As for the rest, it is mine.

Lots of variables there: How does sshd store the password? (Does it use the system's user password? How are you storing that?) Can you *require* using a password with an SSH key? How does the SSH key store the password? etc.

On a basic level, at that point you need both something you have (the SSH key) and something you know (the password). The two pieces are the same in both cases, so the security comes down to implementations - and since one isn't implemented, we can't compare implementations. ;)

Chuck mentioned that the storage for passwords with private keys isn't super great, so if it used the system's user password that should be better - because there's been a lot of work on storing those securely.

BTW: Since a couple of people have pointed to Google's two-factor system, I thought I'd point to my current favorite: Yubikey[1]. There's a PAM module, so it can be set up moderately easily. (I'll admit I haven't tried: I mostly rely on physical security for my main network...)

Daniel T. Staal

[1]:

---------------------------------------------------------------
This email copyright the author. Unless otherwise noted, you are
expressly allowed to retransmit, quote, or otherwise use the contents
for non-commercial purposes. This copyright will expire 5 years after
the author's death, or in 30 years, whichever is longer, unless such a
period is in excess of local copyright law.
---------------------------------------------------------------