Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Dec 2015 20:55:52 +0100
From:      Terje Elde <>
To:        Matthew Seaman <>
Subject:   Re: best practice for locking down private jail?
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

> On 03 Dec 2015, at 09:22, Matthew Seaman <> wrote:
> Keys *and* a password doesn't offer any additional security over just
> keys alone.

Actually, that's not true.=20

It's a fairly common thought, since both are key+password, but there's a ver=
y real difference; online vs. offline.=20

If you have an encrypted ssh private key, you can try to brute-force the pas=
sword as much as you'd like, in the comfort of your own home.=20

The password on the server though, would have to be tried against the server=
, leaving logs, possibly getting your IP firewalled, and alerting admin.=20

This is also where it gets interesting; if you check key before password, so=
meone uses the key but fails at the password a mere 3 times, you could revok=
e the key, and lock up the user.=20

That's what I'd call a pretty significant boost in security.=20

(Granted, the last part of that would perhaps require some scripting)

And your point isn't completely without merit. For a lot of cases it doesn't=
 matter; if the key is compromised because someone got access to the system w=
hile in use (as opposed to say, theft, DHS etc), there's a good chance the a=
ttacker could keylog the passphrase, at which point most of this would be mo=

To sum up; for some attackers/scenarios, it can boost security significantly=
, for others it hardly matters. For most, it's probably better to just go wi=
th keys, or take another step up and look at 2FA, or moving SSH keys to hard=
ware (smartcard, yubikey...)

I'm not suggesting everyone run out and set passwords, not adopt anything I m=
ention here, my point is just that there's a difference between encrypted ke=
y and key+password, and the difference can be leveraged for gain where appro=

Oh, and final note; there's some possible fun to be had here if anyone is in=
 a scripting mood, such as setting up a system to revoke SSH-keys to ALL mac=
hines, if key works but password fails on ANY, if key is successfully used f=
rom a non-whitelisted IP, and so on. Later SSHs have some CA-infrastructure,=
 ink. ability to distribute revocation-lists. That opens up to being able to=
 keep revocation ready at hand, and distributing only after its needed.=20


Want to link to this message? Use this URL: <>