Date:      Wed, 17 Sep 2014 07:25:37 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        John Case <case@SDF.ORG>, freebsd-questions@freebsd.org
Subject:   Re: comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...
Message-ID:  <54192961.6010906@FreeBSD.org>
In-Reply-To: <Pine.NEB.4.64.1409151907380.5595@faeroes.freeshell.org>
References:  <Pine.NEB.4.64.1409112200270.27915@faeroes.freeshell.org> <08D7B04D-CBBF-4330-BAD6-2668F9560964@mac.com> <Pine.NEB.4.64.1409151907380.5595@faeroes.freeshell.org>


On 15/09/2014 20:09, John Case wrote:
>> Key based auth is definitely the better choice out of those two.

> However, just out of curiosity - let's pretend that sshd *did* allow
> you to use both an SSH key and a UNIX password at the same time ...
> would that be more or less secure than using an SSH key with a built-in
> passphrase ?

That's just like sprinkling sugar on top of honey: it doesn't really
achieve anything.  You've got maybe 2048 bits of SSH key and you want to
add of the order of a hundred bits of password on top of that?  It would
be better to just use a bigger SSH key.

If you are so concerned about security and you need something more than
what ssh-key based auth can provide, then look into one-time password
style things -- which includes all sorts of hardware tokens -- or
kerberos / gssapi setups -- which use cryptographic methods vaguely
similar to SSH keys, but store the sensitive keying material in a way
that makes it much less likely to be compromised.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey


