[ale] Holy cow! Published in Slashdot!!

Wolf Halton wolf.halton at gmail.com
Mon Dec 31 19:45:18 EST 2012


If you remove the human-readable user at server-example.com from the end of
the keys in authorized_keys and maybe edit your history on the sending
server, how will they know where to go, even if they are sitting at the
console of your not-publicly-accessible workstation?

I think authorized_keys is the lesser evil.  I also shell in through a VPN
tunnel to most of my servers, so unless they know my keyring password, they
cannot access any machines anyway.


On Fri, Dec 28, 2012 at 11:37 AM, Scott Plante <splante at insightsys.com> wrote:

> Presumably you're using ssh-agent & ssh-add, not just creating keys
> without passphrases. Other than for some very limited accounts designed for
> cron tasks, I can't see a good reason for having ssh keys without a good
> passphrase. Then, even if your box gets compromised the keys can't be used
> without the passphrase (but you don't have to type it for each individual
> ssh command either!) I used ssh for years before bothering to learn how to
> set up ssh-agent/ssh-add. It's definitely made life easier. Since you don't
> have to type it as often, you can make a longer, more complex passphrase.
> I'd hate to type 16 characters for every ssh/scp I have to do!
>
> Of course, once you have access to the public and private keys, the
> passphrase could be brute forced without connecting to the remote system,
> correct? In that sense, a passphrase is less secure than a password you use
> to connect to a remote system, as the remote system can detect incorrect
> guesses and lock the account. Does it make sense to keep your public keys
> separate from and not easily associated with your private keys, just in
> case your box does get hacked? Do you need the public key to brute
> force the passphrase on a private key?
>
> Congrats, Charles!
>
> Scott
>
> ------------------------------
> *From: *"James Sumners" <james.sumners at gmail.com>
> *To: *"Atlanta Linux Enthusiasts" <ale at ale.org>
> *Sent: *Thursday, December 27, 2012 2:27:27 PM
> *Subject: *Re: [ale] Holy cow! Published in Slashdot!!
>
>
> Hell with that. I create a new key for each system and add an entry to my
> ~/.ssh/config to use it. Thus, I use a unique key for each system and
> forget all about using a password to connect.
>
> On Thursday, December 27, 2012, Michael B. Trausch wrote:
>
>> On 12/27/2012 09:18 AM, Charles Shapiro wrote:
>> > A lifelong ambition is fulfilled... I make Slashdot's front page
>> > ( http://yro.slashdot.org/story/12/12/26/1459248/lax-ssh-key-management-a-big-problem ) !!
>> >
>> > charlesTheLurker is me... I reckon it's time to update the ol' resume.
>>
>> Awesome!  :-)
>>
>> Some of the comments on that article from people that claim to be in the
>> field are a bit disturbing, though...
>>
>> Brings up an interesting point.  Moving away from passwords to cached
>> private keys is something that most people _do_ see as lesser security,
>> despite the fact that when properly managed it provides far better
>> security.  I wonder how it is we're supposed to combat that problem.
>> Education doesn't work; a lot of people's eyes glaze over if you try to
>> explain to them how it provides superior security.
>>
>>         --- Mike
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
>
> --
> James Sumners
> http://james.roomfullofmirrors.com/
>
> "All governments suffer a recurring problem: Power attracts pathological
> personalities. It is not that power corrupts but that it is magnetic to the
> corruptible. Such people have a tendency to become drunk on violence, a
> condition to which they are quickly addicted."
>
> Missionaria Protectiva, Text QIV (decto)
> CH:D 59
>


-- 
Wolf Halton
This Apt Has Super Cow Powers - http://sourcefreedom.com
Open-Source Software in Libraries - http://FOSS4Lib.org
Advancing Libraries Together - http://LYRASIS.org
Apache Open Office Developer wolfhalton at apache.org
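The comment-stripping step Wolf describes above, as an added example that is not part of the original thread: a POSIX shell function that removes the trailing comment field from each `authorized_keys` entry while preserving any leading options and the key type plus key body. The file name and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Strip the trailing comment ("user@host") from authorized_keys entries.
# An entry is:  [options] keytype base64-body [comment]
# Options may contain spaces only inside double quotes; because awk rebuilds
# the line from fields, such whitespace is collapsed to single spaces.

strip_key_comments() {
    # Reads authorized_keys lines on stdin, writes them without comments.
    awk '
        /^[ \t]*(#|$)/ { print; next }   # keep blank lines and "#" comment lines
        {
            for (i = 1; i <= NF; i++) {
                # first field that looks like a key type, followed by a key body
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/ && i < NF) {
                    out = $1
                    for (j = 2; j <= i + 1; j++) out = out " " $j
                    print out
                    next
                }
            }
            print   # no recognisable key type: leave the line untouched
        }'
}

# Constructed sample input; the key bodies are placeholders, not real keys.
SAMPLE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyBodyForIllustration user@workstation.example.com
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaFakeRsaKeyBody alice@laptop.example
# managed by config tool'

# Stand-alone demonstration: rewrite the sample (a real run would target
# ~/.ssh/authorized_keys via a temporary file and mv, not in place).
printf '%s\n' "$SAMPLE" | strip_key_comments
```

Stripping the comment removes the hint about where the key came from, but it also removes the only human-readable inventory of who owns each key; if you do this, keep that mapping (for example by fingerprint) somewhere the server's users cannot read.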