From owner-freebsd-security Mon Feb 11 18:17:45 2002
Delivered-To: freebsd-security@freebsd.org
To: "Michael Vince"
Cc: security@FreeBSD.ORG
Subject: Re: SSH
Date: Tue, 05 Feb 2002 10:13:57 -0800
From: Eli Dart
Message-Id: <20020212021137.BD90F9F259@okeeffe.bestweb.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In reply to "Michael Vince":

> Hey all.
> I was thinking about setting up a maximum laziness, maximum security
> security policy for myself.
> I just wanted to know how dangerous are ssh keys with no pass
> phrases?  I mean if someone is packet sniffing you, how much worse is
> it to have an ssh2 key with no pass phrase compared to one that does?

It won't help someone sniffing the wire.  If someone eats the machine
that contains the keys, you're much worse off.

> And how bad would it be to have all the servers I have access to with
> different keys but the exact same pass phrase, like "pepsi"?

If someone owns your keystrokes (and, we can assume, your machine), they
now own all the servers instead of just the ones you logged into while
they were capturing keystrokes.

As an aside, choosing a pass phrase that is subject to dictionary attack
or short enough to brute-force isn't a good idea ("pepsi" has both
problems).

> And is it more secure to have a pass phraseless (no pass phrase) ssh
> key compared to just using ssh with no keys and just using a password
> that belongs to the unix account?

Again, it depends on how you get owned.  If you have keys with no pass
phrase, rooting a service on the machine is enough.  If you require
input from the user as well, then the attacker has to go through the
additional step of capturing keystrokes.

> I just find myself having a lot of passwords to remember

For me, this is a fact of life.  I've worked at it for a while and am
now reasonably good at it.  Changing things to make your life easier
will generally provide attackers with additional points of leverage.

I prefer to practice my memorization skills.....

--eli

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message