Date:      Thu, 11 Sep 2014 15:58:38 -0700
From:      Charles Swiger <cswiger@mac.com>
To:        John Case <case@SDF.ORG>
Cc:        FreeBSD - <freebsd-questions@freebsd.org>
Subject:   Re: comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...
Message-ID:  <08D7B04D-CBBF-4330-BAD6-2668F9560964@mac.com>
In-Reply-To: <Pine.NEB.4.64.1409112200270.27915@faeroes.freeshell.org>
References:  <Pine.NEB.4.64.1409112200270.27915@faeroes.freeshell.org>

Hi, John--

On Sep 11, 2014, at 3:04 PM, John Case <case@SDF.ORG> wrote:
> I've always used SSH with simply a password.  This has always worked fine for me.
> 
> Lately, I've been thinking that I might like to increase my security by using *both* a UNIX password and an SSH key.  That is, I can't log in unless I have my password and my key.  However, it doesn't look like SSH supports this - either you do unix password OR you do SSH key, it doesn't look like there is any way to do both.

True.  SSH lists a set of alternatives like:

debug1: Authentications that can continue: publickey,keyboard-interactive

...and each one is a separate valid method to log in.

> However, what I could do is only use an SSH key, but set a passphrase on that key.  The only difference here is that my safety is all bound up in SSH, whereas before it was distributed between SSH and the OS.
> 
> So I'm curious...
> 
> What's the difference between using a UNIX password combined with an SSH key (if that actually worked, which it doesn't) and using an SSH key with a passphrase attached ?  Is one of these better than the other ?  Are they the same ?
> 
> What's the difference ?

They are not the same.  Your UNIX password is traditionally a string which is salted and encrypted using DES, SHA1, or similar.  An SSH key is actually an RSA or DSA public key pair which can be manipulated as generic ASN.1 data via openssl rsa or openssl dsa.

For example, you can add or remove a passphrase from an existing keypair via the following:

cd ~/.ssh
mv id_dsa id_dsa_20140911          # keep the original key under a dated name
openssl dsa -in id_dsa_20140911 -passout 'pass:mypass' -des3 -out id_dsa   # write a passphrase-protected copy
chmod go-rw id_dsa                 # the private key must not be group- or world-readable

...although using AES128 or stronger might be prudent, if everything you log in to supports it.
(Some other folks seem to recommend using PKCS#8 format.)

If you want to improve security, however, either 2-factor auth or OPIE / one-time passwords would be better than SSH key+passphrase.

Regards,
-- 
-Chuck
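An added example, not part of Chuck's message: a POSIX shell check that reports whether a private key file is passphrase-protected and which cipher wraps it, so the DES-EDE3 choice discussed above is visible when auditing ~/.ssh. It covers the traditional PEM format that openssl dsa -des3 writes, PKCS#8, and the native OpenSSH format; the filenames and sample headers used in testing are constructed, not real keys.

```sh
#!/bin/sh
# Added example, not from the original message: report whether an SSH
# private key is passphrase-protected and which cipher wraps it. Covers
# the three formats OpenSSH reads: traditional PEM (what the openssl
# dsa -des3 command writes), PKCS#8, and the native openssh-key-v1 format.
key_protection() {
    file=$1
    case $(sed -n '1p' "$file") in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # Native format: after the "openssh-key-v1" magic the next
            # length-prefixed string is the cipher name; "none" = unencrypted.
            cipher=$(sed '1d;$d' "$file" | base64 -d 2>/dev/null \
                | tr -c '[:print:]' '\n' | awk 'NF{n++} n==2{print;exit}')
            case $cipher in
                '')   echo "openssh-v1 (could not decode)" ;;
                none) echo "unencrypted (openssh-v1)" ;;
                *)    echo "encrypted ($cipher, openssh-v1)" ;;
            esac ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            echo "encrypted (PKCS#8)" ;;
        '-----BEGIN PRIVATE KEY-----')
            echo "unencrypted (PKCS#8)" ;;
        '-----BEGIN '*' PRIVATE KEY-----')
            # Traditional PEM: encryption is signalled by header lines, and
            # DEK-Info names the cipher, so a DES-based choice is visible.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
                cipher=$(sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$file")
                case $cipher in
                    DES-CBC|DES-EDE3-CBC)
                        echo "encrypted ($cipher, legacy PEM; re-encrypt with AES)" ;;
                    *)  echo "encrypted ($cipher, PEM)" ;;
                esac
            else
                echo "unencrypted (PEM)"
            fi ;;
        *)  echo "not a recognised private key" ;;
    esac
}

# Stand-alone use: audit the files given as arguments, or ~/.ssh/id_*.
[ $# -eq 0 ] && set -- "$HOME"/.ssh/id_*
for f in "$@"; do
    [ -f "$f" ] || continue
    case $f in *.pub) continue ;; esac
    printf '%s: %s\n' "$f" "$(key_protection "$f")"
done
```

Decoding the native format needs a base64 tool that accepts -d; without one the check degrades to "could not decode" rather than guessing.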