From owner-freebsd-security Tue Feb 5 10:45:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from dazed.slacker.com (dazed.slacker.com [65.70.212.186]) by hub.freebsd.org (Postfix) with SMTP id 72EC337B404 for ; Tue, 5 Feb 2002 10:45:43 -0800 (PST) Received: (qmail 94177 invoked by uid 1000); 5 Feb 2002 18:45:42 -0000 Date: Tue, 5 Feb 2002 18:45:42 +0000 From: David McNett To: Michael Vince , security@FreeBSD.ORG Subject: Re: SSH Message-ID: <20020205184542.GA92808@dazed.slacker.com> References: <028101c1ae1b$55ee38b0$2e01a8c0@MICHAEL2> <20020205181357.8AEBD3B1AB@gemini.nersc.gov> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020205181357.8AEBD3B1AB@gemini.nersc.gov> User-Agent: Mutt/1.3.25i X-Operating-System: FreeBSD 4.4-STABLE i386 X-Distributed: Join the Effort! http://www.distributed.net/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 05-Feb-2002, Eli Dart wrote: > In reply to "Michael Vince" : > > I just wanted to know how dangerous are ssh keys with no password = > > phrases? > > I just find my self having alot of passwords to remember > > If someone owns your keystrokes (and, we can assume, your machine), > they now own all the servers instead of just the ones you logged into > while they were capturing keystrokes. As an aside, choosing a pass > phrase that is subject to dictionary attack or short enough to > brute-force isn't a good idea ("pepsi" has both problems). Eli raises some good points about how important it can be to select passphrases which are sufficiently secure. I think that "pepsi" would be insufficient to make me feel secure. From an theoretical standpoint, it's possible that an attacker who gained access to several private keys all known to be encrypted with the same passphrase might be able to accelerate there attempts to access the keys with that knowledge, but I'm not aware of any such method. I doubt it's relevant to real-world security concerns. Bottom line, though, it sounds like what you really want is to familiarize yourself with the use of ssh-agent to cache your sufficiently-long passphrase for local use. OpenSSH has a tool designed to strike a comfortable balance between security and ease of use which will allow you to cache your passphrase in memory (accessible only to you and root) and then use the cached, decrypted copy of the private key for all subsequent authorizations. As long as you're mindful to clear the cache when you're done or step away (I have my screensaver do it automatically) it doesn't add nearly as much risk as keeping unprotected private keys in your homedir. And since it reduces the number of times you have to type your passphrase, you'll be less motivated to select an unsafe passphrase. man ssh-agent for a start, and take a look at the ssh-askpass port if you're in X for a nice GUI supplement to the tool. -- ________________________________________________________________________ |David McNett |To ensure privacy and data integrity this message has| |nugget@slacker.com|been encrypted using dual rounds of ROT-13 encryption| |Austin, TX USA |Please encrypt all important correspondence with PGP!| To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message