[ale] Holy cow! Published in Slashdot!!

Scott Plante splante at insightsys.com
Fri Dec 28 11:37:48 EST 2012


Presumably you're using ssh-agent & ssh-add, not just creating keys without passphrases. Other than for some very limited accounts designed for cron tasks, I can't see a good reason for having ssh keys without a good passphrase. Then, even if your box gets compromised, the keys can't be used without the passphrase (but you don't have to type it for each individual ssh command either!) I used ssh for years before bothering to learn how to set up ssh-agent/ssh-add. It's definitely made life easier. Since you don't have to type it as often, you can make a longer, more complex passphrase. I'd hate to type 16 characters for every ssh/scp I have to do! 


Of course, once you have access to the public and private keys, the passphrase could be brute forced without connecting to the remote system, correct? In that sense, a passphrase is less secure than a password you use to connect to a remote system, as the remote system can detect incorrect guesses and lock the account. Does it make sense to keep your public keys separate from and not easily associated with your private keys, just in case your box does get hacked? Do you need the public key to brute force the passphrase on a private key? 


Congrats, Charles! 


Scott 

----- Original Message -----

From: "James Sumners" <james.sumners at gmail.com> 
To: "Atlanta Linux Enthusiasts" <ale at ale.org> 
Sent: Thursday, December 27, 2012 2:27:27 PM 
Subject: Re: [ale] Holy cow! Published in Slashdot!! 

Hell with that. I create a new key for each system and add an entry to my ~/.ssh/config to use it. Thus, I use a unique key for each system and forget all about using a password to connect. 

On Thursday, December 27, 2012, Michael B. Trausch wrote: 


On 12/27/2012 09:18 AM, Charles Shapiro wrote: 
> A lifelong ambition is fulfilled... I make Slashdot's front page ( 
> http://yro.slashdot.org/story/12/12/26/1459248/lax-ssh-key-management-a-big-problem 
> ) !! 
> 
> charlesTheLurker is me... I reckon it's time to update the ol' resume. 

Awesome! :-) 

Some of the comments on that article from people that claim to be in the 
field are a bit disturbing, though... 

Brings up an interesting point. Moving away from passwords to cached 
private keys is something that most people _do_ see as lesser security, 
despite the fact that when properly managed it provides far better 
security. I wonder how it is we're supposed to combat that problem. 
Education doesn't work; a lot of people's eyes glaze over if you try to 
explain to them how it provides superior security. 

--- Mike 

_______________________________________________ 
Ale mailing list 
Ale at ale.org 
http://mail.ale.org/mailman/listinfo/ale 
See JOBS, ANNOUNCE and SCHOOLS lists at 
http://mail.ale.org/mailman/listinfo 




-- 
James Sumners 
http://james.roomfullofmirrors.com/ 

"All governments suffer a recurring problem: Power attracts pathological personalities. It is not that power corrupts but that it is magnetic to the corruptible. Such people have a tendency to become drunk on violence, a condition to which they are quickly addicted." 

Missionaria Protectiva, Text QIV (decto) 
CH:D 59 

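Added worked example (editor's addition, not code from any of the posters above). It ties together James's per-host key scheme and Scott's question about offline brute force: ssh-keygen -y -P checks a candidate passphrase against the private key file alone, with no remote host and no public key involved, so nothing rate-limits or logs the guesses. It assumes a local ssh-keygen (OpenSSH 6.5 or later for ed25519; the 2012-era equivalent is -t rsa). The host name web1, its address and the wordlist are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Requires ssh-keygen on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. One key per host, selected through a config entry (James's scheme).
#    The host name and address are hypothetical. IdentitiesOnly stops ssh
#    from offering every other key you own to this host.
make_host_key() {
    host=$1; pass=$2
    # -a 16 is the default bcrypt KDF round count; raising it is the one
    # knob that makes each offline guess slower.
    ssh-keygen -q -t ed25519 -a 16 -N "$pass" -C "${USER:-user}@$host" -f "$WORK/id_$host"
    cat >> "$WORK/config" <<EOF
Host $host
    HostName $host.example.internal
    IdentityFile $WORK/id_$host
    IdentitiesOnly yes
EOF
}

# 2. Offline passphrase guessing (Scott's question). ssh-keygen -y derives
#    the public key from the private key; with -P it succeeds only if the
#    passphrase decrypts the file. The .pub file is never read, so hiding
#    it buys nothing: everything needed is in the private key itself.
#    Prints the matching passphrase and returns 0, or returns 1.
guess_passphrase() {
    keyfile=$1; wordlist=$2
    while IFS= read -r cand; do
        if ssh-keygen -y -P "$cand" -f "$keyfile" >/dev/null 2>&1; then
            printf '%s\n' "$cand"
            return 0
        fi
    done < "$wordlist"
    return 1
}

demo() {
    make_host_key web1 'correct horse battery staple'
    rm -f "$WORK/id_web1.pub"   # deliberately discard the public key
    # Constructed wordlist: a few common guesses plus the real passphrase.
    printf '%s\n' password 123456 'correct horse battery staple' letmein > "$WORK/words.txt"
    guess_passphrase "$WORK/id_web1" "$WORK/words.txt"
}
```

Run demo and it prints the recovered passphrase after trying three wrong ones, which is the whole of Scott's point: the only thing standing between a stolen key file and a usable key is passphrase length and the KDF cost, not any lockout on the server. For day-to-day use the key is loaded once into an agent (eval "$(ssh-agent -s)" then ssh-add "$WORK/id_web1", which prompts for the passphrase interactively) and every later ssh web1 uses it without retyping.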
