Date: Fri, 12 Sep 2014 07:16:37 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...
Message-ID: <54128FC5.3080609@FreeBSD.org>
In-Reply-To: <Pine.NEB.4.64.1409112200270.27915@faeroes.freeshell.org>
References: <Pine.NEB.4.64.1409112200270.27915@faeroes.freeshell.org>

On 11/09/2014 23:04, John Case wrote:
> What's the difference between using a UNIX password combined with an SSH
> key (if that actually worked, which it doesn't) and using an SSH key
> with a passphrase attached ? Is one of these better than the other ?
> Are they the same ?

With ssh key based auth, an attacker needs to obtain both your ssh private key and the passphrase used to decrypt it. For password based auth, all they need is the password. Key based auth is definitely the better choice out of those two.

When using ssh key based auth, it is vitally important to only store your private key on a secure system: typically this would be your desktop or personal laptop -- which may cause some cognitive dissonance with the ideal of 'secured.'

Do use disk encryption on the machine where you store your keys. Alternatively, keep your keys on an encrypted USB stick.

Do use ssh-agent(8) or gpg-agent(8) (which I prefer) and the 'ForwardAgent' (-A) option if you need to hop through one machine to reach another. Do not copy your private key to the 1st machine in that situation.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey