From: Dennis Koegel <amf@hobbit.neveragain.de>
To: Matt Juszczak <matt@atopia.net>
Cc: freebsd-questions@freebsd.org, Luke <luked@pobox.com>
Date: Mon, 11 Oct 2004 10:09:56 +0200
Subject: Re: Protecting SSH from brute force attacks
Message-ID: <20041011080956.GA25514@neveragain.de>
In-Reply-To: <20041010164426.Y57852@scruffy.atopia.net>
References: <Pine.NEB.4.60.0410071514530.27025@mx.freeshell.org> <20041008072454.GB16547@neveragain.de> <20041010164426.Y57852@scruffy.atopia.net>
On Sun, Oct 10, 2004 at 04:45:26PM -0400, Matt Juszczak wrote:

> Isn't it hard (and sort of more insecure) to use the keys?

Why that? Start an agent together with your login session, have it load the key(s) (after you've entered the holy passphrase(s), of course) and you're set to go. Simply 'ssh foo' and you're logged in.

> For instance, anyone who gets access to your home dir would be able to
> get the keys for all your servers....

True, but that's why they're protected by a passphrase (which is symmetric encryption, i.e. you can change it without having to tell your servers about it).

> I'm just kind of confused on how the keys could be much more secure
> than passwords.

Well, a password works from everywhere and can be brute-forced. Or someone might get to know it via other means, hacking one of your target hosts for example (the password is sent over the wire when you log in!). If someone compromises a target host and you use public keys, the attacker only gains your public key. Which he can have. ;)

OTOH your point is valid, of course. But when someone is in control of your machine, he might intercept your password anyway...

- D.
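The point made in the reply above, that the passphrase is local symmetric encryption of the private key and can be rotated without touching any server, can be checked directly. The script below is an added example and not part of the mailing-list post; it assumes OpenSSH's ssh-keygen is installed, and the key path, comment and both passphrases are constructed for the demonstration. It generates a passphrase-protected ed25519 key, records the public-key fingerprint (the only thing a server ever stores), re-encrypts the private key under a new passphrase, and confirms that the fingerprint is unchanged while the old passphrase no longer unlocks the key.

```shell
#!/bin/sh
# Added example (not from the post): a key's passphrase only encrypts the
# private key file locally, so changing it leaves the public key, and
# therefore every server's authorized_keys entry, untouched.
# Assumes ssh-keygen (OpenSSH) is on PATH. Paths and passphrases are
# constructed for the demo.
set -e

WORKDIR="${TMPDIR:-/tmp}/sshkey-demo.$$"   # constructed scratch location
KEY="$WORKDIR/id_ed25519"
OLD_PASS="old-passphrase-demo"               # constructed value
NEW_PASS="new-passphrase-demo"               # constructed value

# Create a fresh ed25519 key protected by OLD_PASS, non-interactively.
make_key() {
    mkdir -p "$WORKDIR"
    rm -f "$KEY" "$KEY.pub"
    ssh-keygen -q -t ed25519 -N "$OLD_PASS" -C "demo@example" -f "$KEY"
}

# Public-key fingerprint, i.e. what a server would identify the key by.
fingerprint() {
    ssh-keygen -lf "$KEY.pub" | awk '{print $2}'
}

# Re-encrypt the private key under NEW_PASS. No server is involved.
rotate_passphrase() {
    ssh-keygen -q -p -P "$OLD_PASS" -N "$NEW_PASS" -f "$KEY"
}

# Returns 0 if the fingerprint is identical before and after rotation.
passphrase_change_keeps_pubkey() {
    make_key
    before="$(fingerprint)"
    rotate_passphrase
    after="$(fingerprint)"
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# After rotation the old passphrase must fail to unlock the private key...
old_passphrase_rejected() {
    ! ssh-keygen -y -P "$OLD_PASS" -f "$KEY" >/dev/null 2>&1
}

# ...and the new one must succeed (-y derives the public key from it).
new_passphrase_unlocks() {
    ssh-keygen -y -P "$NEW_PASS" -f "$KEY" >/dev/null 2>&1
}

if passphrase_change_keeps_pubkey && old_passphrase_rejected && new_passphrase_unlocks; then
    echo "public key unchanged after passphrase rotation: $(fingerprint)"
fi
rm -rf "$WORKDIR"
```

Run it as `sh demo.sh`. The same fingerprint printed here is what you would compare against `ssh-keygen -lf ~/.ssh/authorized_keys` on a server: rotating the passphrase, or moving to a new agent session, never requires redistributing the public key, whereas a password change has to be propagated to every host that accepts it.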