Date: Mon, 15 Sep 2014 13:27:42 -0700
From: Michael Sierchio <kudzu@tenebras.com>
Cc: FreeBSD - <freebsd-questions@freebsd.org>
Subject: Re: comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...
Message-ID: <CAHu1Y73WnuuP3B0thJpZA0fhOmqhCD8Xd3resO5nvVeGu-qUjQ@mail.gmail.com>
In-Reply-To: <C95AD5C3-85F5-406E-9FAF-88688C63A4F2@mac.com>
References: <Pine.NEB.4.64.1409112200270.27915@faeroes.freeshell.org> <08D7B04D-CBBF-4330-BAD6-2668F9560964@mac.com> <Pine.NEB.4.64.1409151906110.5595@faeroes.freeshell.org> <C95AD5C3-85F5-406E-9FAF-88688C63A4F2@mac.com>
On Mon, Sep 15, 2014 at 12:13 PM, Charles Swiger <cswiger@mac.com> wrote:

> On Sep 15, 2014, at 12:07 PM, John Case <case@SDF.ORG> wrote:
>> Ok, thanks - but SSH key+passphrase is still much better than just plain old password, yes?
>
> Yes, it's better. However, the default storage that SSH uses for private keys with a passphrase isn't as strong as it could be.

Agreed. Though there are different kinds of threats. Disabling password auth means no brute-force password attempt will work.

If you do as I do and store your encrypted SSH key on a secure (assume for the moment that's true :-) USB vault, and add it to an ssh-agent on the local host, and enable agent forwarding - we've come close to SSO with reasonable security.

Newer versions of OpenSSH support pam-google-authenticator, which is a very nice way of accomplishing multifactor authentication. I tend to use this everywhere. Central management is left as an exercise for the reader (pam_url on Linux is a possible starting point).

- M
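The message recommends disabling password authentication and layering a PAM-based second factor (pam-google-authenticator) on top of public-key auth. The script below is an added example, not from this thread or from the OpenSSH project: it audits an sshd_config against that profile and shows a weak configuration beside the hardened one. The function names are hypothetical, the two sample config files are constructed here, and the checks assume the whitespace-separated "keyword value" form of sshd_config (the "keyword=value" form is not handled). It accepts both the ChallengeResponseAuthentication spelling current in 2014 and the later KbdInteractiveAuthentication alias.

```shell
#!/bin/sh
# Added example: audit sshd_config for "no passwords, key + PAM OTP".
# Helper names are hypothetical; the sample configs are constructed.

# sshd keeps the FIRST occurrence of a keyword, so report only that one.
# Keywords are case-insensitive; the value is lowercased for comparison.
sshd_opt() {  # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Returns 0 when the file matches the hardened profile, 1 otherwise,
# printing one line per deviation.
audit_sshd_config() {
    f=$1; rc=0
    [ "$(sshd_opt "$f" PasswordAuthentication)" = no ] \
        || { echo "PasswordAuthentication should be no (stops password brute force)"; rc=1; }
    # OpenSSH 8.7+ spells this KbdInteractiveAuthentication; older releases
    # use ChallengeResponseAuthentication. Either one enables PAM prompts.
    kbd=$(sshd_opt "$f" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_opt "$f" ChallengeResponseAuthentication)
    [ "$kbd" = yes ] \
        || { echo "ChallengeResponseAuthentication should be yes (needed for PAM OTP)"; rc=1; }
    [ "$(sshd_opt "$f" UsePAM)" = yes ] \
        || { echo "UsePAM should be yes"; rc=1; }
    # Require the key AND the keyboard-interactive (PAM) step, in that order.
    case "$(sshd_opt "$f" AuthenticationMethods)" in
        publickey,keyboard-interactive*) ;;
        *) echo "AuthenticationMethods should be publickey,keyboard-interactive:pam"; rc=1 ;;
    esac
    return $rc
}

WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT

# Constructed sample: defaults that still let a password alone log in.
cat > "$WEAK" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF

# Constructed sample: key plus one-time code, no password path at all.
# Pair it with an "auth required pam_google_authenticator.so" line in the
# sshd PAM service and remove the password module from that service's
# auth stack, or the keyboard-interactive step will prompt for a password.
cat > "$HARDENED" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
EOF

echo "== weak =="
audit_sshd_config "$WEAK" || echo "weak config flagged"
echo "== hardened =="
audit_sshd_config "$HARDENED" && echo "hardened config passes"
```

Run it against a live file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit means at least one of the four settings differs from the profile, and the printed lines say which. Agent forwarding, which the message also relies on, is a client-side choice (ForwardAgent in ssh_config) and is deliberately outside this audit: forwarding exposes the agent to every host you hop through, so it belongs in a per-host stanza for trusted machines only rather than a global default.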