From: Matthew Seaman <matthew@FreeBSD.org>
Date: Wed, 17 Sep 2014 07:25:37 +0100
To: John Case, freebsd-questions@freebsd.org
Subject: Re: comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...
Message-ID: <54192961.6010906@FreeBSD.org>
References: <08D7B04D-CBBF-4330-BAD6-2668F9560964@mac.com>

On 15/09/2014 20:09, John Case wrote:
>> Key based auth is definitely the better choice out of those two.
> However, just out of curiosity - let's pretend that sshd *did* allow
> you to use both an SSH key and a UNIX password at the same time ...
> would that be more or less secure than using an SSH key with a built-in
> passphrase ?

That's just like sprinkling sugar on top of honey: it doesn't really
achieve anything. You've got maybe 2048 bits of SSH key and you want to
add of the order of a hundred bits of password on top of that? It would
be better to just use a bigger SSH key.

If you are so concerned about security and you need something more than
what ssh-key based auth can provide, then look into one-time password
style things -- which includes all sorts of hardware tokens -- or
kerberos / gssapi setups -- which use cryptographic methods vaguely
similar to SSH keys, but store the sensitive keying material in a way
that makes it much less likely to be compromised.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
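An added example, not part of the thread, contrasting the two things being compared: a passphrase on the key file versus sshd itself demanding a second method after the key, which OpenSSH has supported since 6.2 through the AuthenticationMethods directive. Assumed rather than shown: the key file name and the PAM one-time-password module behind the keyboard-interactive variant.

```text
# --- Client side: a passphrase on the key file (what "an SSH key *with* a
# passphrase" means). It only encrypts the private key at rest; sshd never
# sees it, so its strength matters when the key file is stolen, not at
# login time. (key file name is assumed)
$ ssh-keygen -p -f ~/.ssh/id_rsa

# --- Server side (/etc/ssh/sshd_config): require more than one method.
# Methods in one comma-separated list must ALL succeed; space-separated
# lists are alternatives. sshd uses the first AuthenticationMethods line
# it reads, so enable exactly one of the two variants below.

# (a) key AND UNIX password: the combination the question asks about.
#AuthenticationMethods publickey,password
#PasswordAuthentication yes

# (b) key AND a PAM challenge such as a one-time password or hardware
# token, the route the reply recommends. Assumes a PAM OTP module is
# configured separately (not shown here).
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
UsePAM yes

# Keep an existing session open and test a fresh login before relying on
# the change; a misconfigured second method locks every key holder out.
```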