Date: Tue, 5 Feb 2002 18:45:42 +0000
From: David McNett <nugget@slacker.com>
To: Michael Vince <michael@roq.com>, security@FreeBSD.ORG
Subject: Re: SSH
Message-ID: <20020205184542.GA92808@dazed.slacker.com>
In-Reply-To: <20020205181357.8AEBD3B1AB@gemini.nersc.gov>
References: <028101c1ae1b$55ee38b0$2e01a8c0@MICHAEL2> <20020205181357.8AEBD3B1AB@gemini.nersc.gov>
On 05-Feb-2002, Eli Dart wrote:
> In reply to "Michael Vince" <michael@roq.com> :
>
> > I just wanted to know how dangerous are ssh keys with no password
> > phrases?
> > I just find myself having a lot of passwords to remember
>
> If someone owns your keystrokes (and, we can assume, your machine),
> they now own all the servers instead of just the ones you logged into
> while they were capturing keystrokes. As an aside, choosing a pass
> phrase that is subject to dictionary attack or short enough to
> brute-force isn't a good idea ("pepsi" has both problems).

Eli raises some good points about how important it can be to select
passphrases which are sufficiently secure. I think that "pepsi" would be
insufficient to make me feel secure.

From a theoretical standpoint, it's possible that an attacker who gained
access to several private keys all known to be encrypted with the same
passphrase might be able to accelerate their attempts to access the keys
with that knowledge, but I'm not aware of any such method. I doubt it's
relevant to real-world security concerns.

Bottom line, though, it sounds like what you really want is to
familiarize yourself with the use of ssh-agent to cache your
sufficiently-long passphrase for local use. OpenSSH has a tool designed
to strike a comfortable balance between security and ease of use which
will allow you to cache your passphrase in memory (accessible only to
you and root) and then use the cached, decrypted copy of the private key
for all subsequent authorizations. As long as you're mindful to clear
the cache when you're done or step away (I have my screensaver do it
automatically) it doesn't add nearly as much risk as keeping unprotected
private keys in your homedir. And since it reduces the number of times
you have to type your passphrase, you'll be less motivated to select an
unsafe passphrase.

man ssh-agent for a start, and take a look at the ssh-askpass port if
you're in X for a nice GUI supplement to the tool.
-- 
________________________________________________________________________
|David McNett      |To ensure privacy and data integrity this message has|
|nugget@slacker.com|been encrypted using dual rounds of ROT-13 encryption|
|Austin, TX USA    |Please encrypt all important correspondence with PGP!|
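The ssh-agent workflow recommended above, as an added example that is not part of the original message: a script that loads a passphrase-protected key into a private agent with a lifetime, checks that the decrypted copy is cached, and then flushes it the way a screensaver hook would. It assumes the OpenSSH client tools (ssh-keygen, ssh-agent, ssh-add) are installed; the key, its passphrase and the askpass helper are constructed throw-aways.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes OpenSSH client tools
# ssh-keygen, ssh-agent and ssh-add are installed.
set -eu

have_openssh() {
    command -v ssh-agent >/dev/null 2>&1 && command -v ssh-add >/dev/null 2>&1 \
        && command -v ssh-keygen >/dev/null 2>&1
}

# Number of identities the agent currently holds whose comment is demo-key.
cached_keys() {
    ssh-add -l 2>/dev/null | grep -c 'demo-key' || true
}

# Prints "<keys cached after load> <keys cached after flush>", i.e. "1 0".
agent_demo() {
    work=$(mktemp -d)
    # Throw-away key; the passphrase is a constructed test value, not a real one.
    ssh-keygen -q -t ed25519 -N 'constructed-test-passphrase' \
        -f "$work/id_demo" -C demo-key
    # No tty here, so ssh-add asks SSH_ASKPASS for the passphrase; an interactive
    # user would type it once at the ssh-add prompt instead.
    cat > "$work/askpass" <<'EOF'
#!/bin/sh
echo 'constructed-test-passphrase'
EOF
    chmod 700 "$work/askpass"
    # Start an agent for this shell only; -s prints the exports to eval.
    eval "$(ssh-agent -s)" >/dev/null
    # Cache the decrypted key for at most 10 minutes (-t); adding -c would also
    # require confirmation on every use.
    SSH_ASKPASS="$work/askpass" SSH_ASKPASS_REQUIRE=force DISPLAY=:0 \
        ssh-add -t 600 "$work/id_demo" >/dev/null 2>&1 </dev/null
    loaded=$(cached_keys)
    # The step-away hook: drop every cached identity (ssh-add -x would lock instead).
    ssh-add -D >/dev/null 2>&1
    flushed=$(cached_keys)
    ssh-agent -k >/dev/null     # stop the agent when the session ends
    rm -rf "$work"
    echo "$loaded $flushed"
}

if have_openssh; then
    echo "cached after load / after flush: $(agent_demo)"
else
    echo "openssh-client tools not found; nothing to demonstrate" >&2
fi
```

Wire `ssh-add -D` (or `ssh-add -x`) into whatever runs when your screen locks and the cached key disappears exactly when you step away.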