SSH publickey auth
Michael Yep
myep at remotelink.com
Mon Jul 11 20:04:06 UTC 2005
I am well acquainted with passwords and passphrases. When I say
password, it more means passphrase.
For all my accounts I use a minimum of 10 digits, use the full 95 char
character set, and generate it with a SHA1PRNG and ill change 1 or 2
characters
I always use different passwords for every account and change them every
30 - 44 days. Now my dilemma is this:
I have high confidence in the standard linux logon, it is tested, and
strong, but with PublicKey auth there is more code (easier for there to
be a bug).
In addition if I *were* to lose my keys, private or both, perhaps
someone could derive my password from a reverse cryptanalysis attack.
Brute force attacks are tough, and thats as much as Id like to give an
attacker, I don't want to give them more tools than they already have.
We once thought MD5 was secure, and SHA1, but weaknesses are found, and
computing power goes up.
Alexander Dalloz wrote:
>Am Sa, den 09.07.2005 schrieb Michael Yep um 1:15:
>
>
>
>>Ok, just to make sure I understand, basically PublicKey auth still uses
>>a password,
>>
>>
>
>Not a password, a passphrase. For example see
>
>http://www.cs.utah.edu/support/faq/faq-ssh.html
>
>"A passphrase is similar to a password, except it can be a phrase with a
>series of words, punctuation, numbers, whitespace, or any string of
>characters you want. Good passphrases are 10-30 characters long, are not
>simple sentences or otherwise easily guessable (English prose has only
>1-2 bits of entropy per character, and provides very bad passphrases),
>and contain a mix of upper and lowercase letters, numbers, and
>non-alphanumeric characters."
>
>http://sial.org/howto/openssh/publickey-auth/
>
>"Do not use your account password, nor an empty passphrase. The password
>should be at least 16 characters long, and not a simple sentence. One
>choice would be several lines to a song or poem, interspersed with
>punctuation and other non-letter characters. The ssh-agent setup notes
>below will reduce the number of times this passphrase will need to be
>used, so using a long passphrase is encouraged."
>
>
>
>>but it is better because you need 2 things, what you have (the
>>certificate), and what you know (the password)
>>
>>
>
>Correct. If someone can get your personal key he could simply do pubkey
>auth to the target system when the key is not protected with a
>passphrase. A key protected by a passphrase too needs the knowledge of
>that passphrase. If you choose a well one (i.e. not just the name of
>your wife or your dog and not something like "I love Linux") then brute
>forcing the passphrase takes ages even for powerful machines.
>
>
>
>>Michael Yep
>>
>>
>
>And to avoid the need to always enter the passphrase each time you login
>using pubkey, there is the ssh-agent. "man ssh-agent" is really
>informative. On top of ssh-agent I recommend the tool keychain, to be
>able to use your passphrase protected pubkey by cronjobs.
>
>Alexander
>
>
>
>
--
Michael Yep
Development / Technical Operations
RemoteLink, Inc.
(630) 983-0072 x164
More information about the fedora-list
mailing list