From owner-freebsd-questions@FreeBSD.ORG Mon Sep 15 20:27:50 2014
Delivered-To: freebsd-questions@freebsd.org
Subject: Re: comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...
From: Michael Sierchio
Cc: FreeBSD -
Date: Mon, 15 Sep 2014 13:27:42 -0700

On Mon, Sep 15, 2014 at 12:13 PM, Charles Swiger wrote:
> On Sep 15, 2014, at 12:07 PM, John Case wrote:
>> Ok, thanks - but SSH key+passphrase is still much better than just plain old password, yes?
>
> Yes, it's better. However, the default storage that SSH uses for private keys with a passphrase isn't as strong as it could be.

Agreed. Though there are different kinds of threats. Disabling password auth means no brute-force password attempt will work.

If you do as I do and store your encrypted SSH key on a secure (assume for the moment that's true :-) USB vault, and add it to an ssh-agent on the local host, and enable agent forwarding - we've come close to SSO with reasonable security.

Newer versions of OpenSSH support pam-google-authenticator, which is a very nice way of accomplishing multifactor authentication. I tend to use this everywhere. Central management is left as an exercise for the reader (pam_url on Linux is a possible starting point).

- M
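Charles's point about the default private-key storage, as an added example that is not part of this thread: a small Python inspector that tells the legacy PEM format (passphrase run through a single MD5 iteration) from the openssh-key-v1 format and reads the bcrypt KDF round count from the latter. The openssh-key-v1 layout parsed here is the real one; `build_sample_key` and `LEGACY_SAMPLE` are constructed placeholder files with dummy key material, not real keys.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def _ssh_string(b):  # SSH wire string: uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def _read_string(buf, off):  # inverse of _ssh_string; returns (bytes, new offset)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(text):
    """Report how (and whether) a passphrase protects an OpenSSH private key file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(MAGIC)
        cipher, off = _read_string(blob, off)   # "none" means unencrypted
        kdf, off = _read_string(blob, off)      # "bcrypt" or "none"
        kdfopts, off = _read_string(blob, off)  # bcrypt: string salt, uint32 rounds
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        encrypted = cipher != b"none"
        verdict = ("bcrypt KDF, %s rounds (ssh-keygen -a raises this)" % rounds
                   if encrypted else "NOT encrypted: no passphrase protection")
        return {"format": "openssh-key-v1", "encrypted": encrypted,
                "kdf": kdf.decode(), "rounds": rounds, "verdict": verdict}
    # Legacy PEM: an encrypted key carries Proc-Type/DEK-Info headers and the
    # passphrase goes through one MD5 iteration (OpenSSL EVP_BytesToKey).
    encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
    return {"format": "legacy-pem", "encrypted": encrypted,
            "kdf": "md5" if encrypted else None, "rounds": 1 if encrypted else None,
            "verdict": ("legacy PEM: one MD5 pass, weak against offline guessing"
                        if encrypted else "NOT encrypted: no passphrase protection")}

def build_sample_key(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):  # constructed file, dummy key material
    kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"dummy-public") + _ssh_string(b"\x00" * 32))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body

# Constructed legacy-format sample (dummy body, not a real key).
LEGACY_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                 "-----END RSA PRIVATE KEY-----\n")
```

Run `inspect_private_key(open("~/.ssh/id_rsa").read())` on your own key file to see which case it falls into; a legacy-PEM result is the situation Charles describes.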