Date: Tue, 22 Nov 2011 03:34:13 -0800
From: perryh@pluto.rain.com
To: mmbsd1982@yahoo.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Whats the difference between password+RSA, and password-protected RSA ?
Message-ID: <4ecb88b5.qe8ftxOGspcS5omM%perryh@pluto.rain.com>
In-Reply-To: <1321910341.33510.YahooMailClassic@web124703.mail.ne1.yahoo.com>
References: <1321910341.33510.YahooMailClassic@web124703.mail.ne1.yahoo.com>
Mm Bsd <mmbsd1982@yahoo.com> wrote:

> Let's say I'd like to add a small amount of extra security to my
> SSH login process.
>
> Let's say I decide the way I want to do this is by requiring
> BOTH a password and an RSA key ... So to log in, I would be
> required to enter a normal unix password, but I would ALSO be
> required to hold a proper RSA public key.
>
> My question is this:
>
> In terms of security (and correctness ?) what's the difference
> between this (unix password + SSH RSA key) and simply generating
> my RSA key *with* a password ? Both ways require me to "have
> something" and "know something", but they are obviously different,
> technically.

Suppose you are a bank branch manager, and consider your RSA key as
the combination to the vault. (Also suppose that you are the only
person authorized to open the vault, and that the combination is
complicated enough that you can't just remember it -- it has to be
written down.)

Normal file security (chmod 400) is like storing the paper, on which
the combination is written, inside your locked (personal) office.
Someone other than you, e.g. the janitor, may have a key to your
office.

Protecting the RSA key with a password is like locking the paper in
your desk (which is in your locked office). Only you have a key to
the desk.

Requiring a login password in addition to the RSA key is like adding
a second, interior door -- to which you have the only key -- to the
vault. That second door is nowhere near as strong as the main vault
door, but it does provide some additional protection.

There's no reason in principle why you can't protect your RSA key with
a password, and also require a (different) password for login in
addition to the RSA key.
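The two mechanisms discussed above live in different places: the key passphrase is enforced by the client when it decrypts the key file, while "password in addition to the key" is enforced by the server. The following is an added example, not from this thread or from FreeBSD, that audits an sshd_config for the server-side half; it assumes the AuthenticationMethods keyword (OpenSSH 6.2 and later, not yet available when this message was written) and that no Match block overrides it, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config to see whether
# the server enforces the "second interior door", i.e. a public key AND a
# login password on every login. Uses the AuthenticationMethods keyword
# (OpenSSH 6.2 and later); assumes no Match blocks override it.

# Exit status 0 when every permitted method chain requires publickey plus
# password (or keyboard-interactive); 1 when any single factor suffices.
requires_key_and_password() {
    # sshd uses the first occurrence of a keyword, so take the first match.
    line=$(grep -i '^[[:space:]]*AuthenticationMethods[[:space:]]' "$1" | head -n 1)
    [ -n "$line" ] || return 1          # unset: any one enabled method is enough
    methods=$(printf '%s\n' "$line" | awk '{ $1 = ""; print }')
    for chain in $methods; do
        case "$chain" in
            *publickey*,*password*|*password*,*publickey*) ;;
            *publickey*,*keyboard-interactive*|*keyboard-interactive*,*publickey*) ;;
            *) return 1 ;;              # a lone key or a lone password satisfies this chain
        esac
    done
    return 0
}

# Constructed sample configs standing in for /etc/ssh/sshd_config.
SAMPLE_DIR=$(mktemp -d)
# Weak: either the key alone or the password alone opens the door.
cat > "$SAMPLE_DIR/weak" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
# Hardened: the key is checked first, then the login password on top of it.
cat > "$SAMPLE_DIR/strong" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
EOF
# Looks strict, but the second chain lets a bare password through.
cat > "$SAMPLE_DIR/leaky" <<'EOF'
AuthenticationMethods publickey,password password
EOF

for f in weak strong leaky; do
    if requires_key_and_password "$SAMPLE_DIR/$f"; then
        echo "$f: key AND password required"
    else
        echo "$f: a single factor is enough"
    fi
done

# Client side, the locked desk of the analogy: protect the key file itself with
#   ssh-keygen -p -f ~/.ssh/id_rsa
```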