Date:      Tue, 05 Feb 2002 10:13:57 -0800
From:      Eli Dart <dart@nersc.gov>
To:        "Michael Vince" <michael@roq.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: SSH 
Message-ID:  <20020205181357.8AEBD3B1AB@gemini.nersc.gov>
In-Reply-To: Message from "Michael Vince" <michael@roq.com>  of "Tue, 05 Feb 2002 19:01:36 +1100." <028101c1ae1b$55ee38b0$2e01a8c0@MICHAEL2> 



In reply to "Michael Vince" <michael@roq.com> :


> Hey all.
> I was thinking about setting up a maximum laziness maximum security
> security policy for myself.
> I just wanted to know how dangerous are ssh keys with no password
> phrases? I mean if someone is packet sniffing you how much worse is
> it to have a ssh2 key with no pass phrase compared to one that does..

It won't help someone sniffing the wire.  If someone eats the machine 
that contains the keys, you're much worse off.

> And how bad would it be to have all the servers I have access to with
> different keys but the exact same password phrase like "pepsi"?

If someone owns your keystrokes (and, we can assume, your machine), 
they now own all the servers instead of just the ones you logged into 
while they were capturing keystrokes.  As an aside, choosing a pass 
phrase that is subject to dictionary attack or short enough to 
brute-force isn't a good idea ("pepsi" has both problems).

> And is it more secure to have a pass phraseless (no pass phrase) ssh key
> compared to just using ssh with no keys and just using a password that
> belongs to the unix account?

Again, it depends on how you get owned.  If you have keys with no 
pass phrase, rooting a service on the machine is enough.  If you 
require input from the user as well, then the attacker has to go 
through the additional step of capturing keystrokes.

> I just find myself having a lot of passwords to remember

For me, this is a fact of life.  I've worked at it for a while and am 
now reasonably good at it.  Changing things to make your life easier 
will generally provide attackers with additional points of leverage.  
I prefer to practice my memorization skills.....

		--eli





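Added example (not part of the thread, and not code from either poster): a small Python check for the exposure Eli describes, that a private key with no pass phrase is usable by anyone who copies the file. It reads only the envelope of each key file and reports whether the key material inside is encrypted. For the legacy PEM files OpenSSH wrote in 2002 an encrypted key carries "Proc-Type: 4,ENCRYPTED" and "DEK-Info" headers; for the openssh-key-v1 format that later OpenSSH releases write, the cipher and KDF names sit in the clear header, so a cipher of "none" means no pass phrase. The sample keys, file names and the ~/.ssh audit in the __main__ block are constructed for this example (the key material is dummy bytes, not real keys).

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\0"

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(buf: bytes, off: int) -> tuple:
    """Decode an SSH wire-format string at `off`; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_protection(pem_text: str) -> dict:
    """Say how a PEM-encoded private key is protected, reading only its envelope.
    Handles the modern 'openssh-key-v1' format (cipher and KDF names in the clear
    header) and the legacy PEM format OpenSSH wrote in 2002, where an encrypted
    key carries 'Proc-Type: 4,ENCRYPTED' and 'DEK-Info' headers."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") \
            or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-encoded private key")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if "PRIVATE KEY" not in label:
        raise ValueError("not a private key: " + label)
    body = lines[1:-1]

    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, off = _read_ssh_string(blob, off)
        _kdfopts, off = _read_ssh_string(blob, off)  # bcrypt salt+rounds, or empty
        (nkeys,) = struct.unpack_from(">I", blob, off)
        return {"format": "openssh-key-v1", "cipher": cipher.decode("ascii"),
                "kdf": kdf.decode("ascii"), "keys": nkeys,
                "encrypted": cipher != b"none"}

    # Legacy PEM: RFC 1421 headers precede the base64 body and contain ':',
    # which base64 never does, so the first line without ':' ends them.
    headers = {}
    for ln in body:
        if ":" not in ln:
            break
        name, value = ln.split(":", 1)
        headers[name.strip()] = value.strip()
    encrypted = "ENCRYPTED" in headers.get("Proc-Type", "")
    return {"format": "legacy-pem",
            "cipher": headers.get("DEK-Info", "none").split(",", 1)[0],
            "kdf": "EVP_BytesToKey" if encrypted else "none", "keys": 1,
            "encrypted": encrypted}

def unprotected_keys(files: dict) -> list:
    """Names of private keys in `files` (name -> contents) usable without a pass phrase."""
    found = []
    for name, text in files.items():
        try:
            if not key_protection(text)["encrypted"]:
                found.append(name)
        except (ValueError, struct.error):
            pass  # public keys, known_hosts, config, damaged files: not private keys
    return sorted(found)

def build_openssh_v1(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: an openssh-key-v1 envelope around dummy key material.
    Only the header matters to key_protection(); this is not a usable key."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(b"dummy public") + _ssh_string(b"dummy private"))
    b64 = base64.b64encode(blob).decode("ascii")
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % wrapped

# Constructed sample ~/.ssh contents; file names and key bodies are made up.
SAMPLE_V1_PLAIN = build_openssh_v1(b"none", b"none")
SAMPLE_V1_ENC = build_openssh_v1(b"aes256-ctr", b"bcrypt")
SAMPLE_LEGACY_PLAIN = ("-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGR0g=\n"
                       "-----END RSA PRIVATE KEY-----\n")
SAMPLE_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQUJDREVGR0g=\n"
                     "-----END RSA PRIVATE KEY-----\n")
SAMPLE_SSH_DIR = {
    "id_rsa_nopass": SAMPLE_V1_PLAIN, "id_ed25519": SAMPLE_V1_ENC,
    "id_dsa": SAMPLE_LEGACY_PLAIN, "id_rsa_old": SAMPLE_LEGACY_ENC,
    "id_rsa_nopass.pub": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQ== user@host",
}

if __name__ == "__main__":
    # Audit the real ~/.ssh when present, else run on the constructed sample.
    ssh_dir = Path.home() / ".ssh"
    files = ({p.name: p.read_text(errors="replace") for p in ssh_dir.iterdir() if p.is_file()}
             if ssh_dir.is_dir() else SAMPLE_SSH_DIR)
    for name in unprotected_keys(files):
        print("no pass phrase:", name)
```

The check only says whether a pass phrase is required, not whether it is any good: a key encrypted under "pepsi" falls to a dictionary attack exactly as the reply warns, and the same pass phrase on every key means one captured keystroke sequence unlocks all of them. OpenSSH itself can answer the first question too: ssh-keygen -y -P '' -f ~/.ssh/id_rsa prints the public key only when the private key has no pass phrase, and fails otherwise.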





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020205181357.8AEBD3B1AB>