From owner-freebsd-questions@FreeBSD.ORG Wed Sep 17 06:18:47 2014
Date: Wed, 17 Sep 2014 13:18:46 +0700
References: <08D7B04D-CBBF-4330-BAD6-2668F9560964@mac.com>
Subject: Re: comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...
From: Olivier Nicole
To: Daniel Staal
Cc: John Case, freebsd-questions@freebsd.org
Content-Type: text/plain; charset=UTF-8

Hi,

On Wed, Sep 17, 2014 at 11:00 AM, Daniel Staal wrote:
> --As of September 15, 2014 7:09:46 PM +0000, John Case is alleged to have
> said:
>
>>> Key based auth is definitely the better choice out of those two.
>>
>> Ok, agreed.
>>
>> However, just out of curiosity - let's pretend that sshd *did* allow you
>> to use both an SSH key and a UNIX password at the same time ... would
>> that be more or less secure than using an SSH key with a built-in
>> passphrase ?
>
> --As for the rest, it is mine.
>
> Lots of variables there: How does sshd store the password? (Does it use the
> system's user password? How are you storing that?) Can you *require* using
> a password with a SSH key? How does the SSH key store the password? etc.
>
> On a basic level, at that point you need both something you have (the SSH
> key) and something you know (the password). The two pieces are the same in
> both cases, so the security comes down to implementations - and since one
> isn't implemented, we can't compare implementations. ;) Chuck mentioned
> that the storage for passwords with private keys isn't super great, so if it
> used the system's user password that should be better - because there's been
> a lot of work on storing those securely.

Is the password for the private key actually stored in the key? That sounds
odd to me. I'd rather see the password being used to encode/decode the private
key, so there is no need to store the password: if you provide the wrong
password, you decode the private key into something that does not work, done.
Best regards,

olivier

> BTW: Since a couple of people have pointed to Google's two-factor system, I
> thought I'd point to my current favorite: Yubikey[1]. There's a PAM module,
> so it can be set up moderately easily. (I'll admit I haven't tried: I
> mostly rely on physical security for my main network...)
>
> Daniel T. Staal
>
> [1]:
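The model Olivier describes above, as an added example that is not code from this thread or from OpenSSH: the passphrase is only an input to a key-derivation function and is never stored with the key, and a wrong passphrase yields garbage, which OpenSSH's own key format detects by prefixing the encrypted section with two identical 32-bit check values. Assumptions: PBKDF2-HMAC-SHA256 and a toy HMAC-based counter-mode stream cipher stand in for the bcrypt KDF and AES-256-CTR that OpenSSH actually uses, and the private key bytes are a constructed placeholder.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the private key material (not a real key).
PRIVATE_KEY = b"-----constructed-private-key-bytes-----"

def derive_key(passphrase: bytes, salt: bytes, rounds: int = 100_000) -> bytes:
    # The passphrase only feeds the KDF; neither it nor a hash of it is stored.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, rounds, dklen=32)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy counter-mode stream cipher built from HMAC-SHA256 (assumption: stands
    # in for AES-CTR). XOR with the keystream both encrypts and decrypts.
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, struct.pack(">Q", block), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)

def encrypt_private_key(private_key: bytes, passphrase: bytes) -> bytes:
    salt = os.urandom(16)
    checkint = os.urandom(4)
    # Like OpenSSH, put two identical check values in front of the key so a
    # wrong passphrase can be recognised without storing the passphrase.
    plaintext = checkint + checkint + private_key
    return salt + keystream_xor(derive_key(passphrase, salt), plaintext)

def decrypt_private_key(blob: bytes, passphrase: bytes):
    salt, ciphertext = blob[:16], blob[16:]
    plaintext = keystream_xor(derive_key(passphrase, salt), ciphertext)
    if plaintext[:4] != plaintext[4:8]:
        return None  # wrong passphrase: the output is pseudorandom garbage
    return plaintext[8:]
```

Nothing in the stored blob lets an attacker test a passphrase guess other than running the full KDF, which is why the KDF cost (rounds here, bcrypt rounds in OpenSSH) is what slows an offline attack on a stolen key file.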