From owner-freebsd-security Mon Feb 11 18:19:26 2002
Delivered-To: freebsd-security@freebsd.org
Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67])
	by hub.freebsd.org (Postfix) with ESMTP id 49B5637B431
	for ; Mon, 11 Feb 2002 18:16:38 -0800 (PST)
Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110])
	by newman2.bestweb.net (Postfix) with ESMTP id 5FB0D23010;
	Mon, 11 Feb 2002 21:16:38 -0500 (EST)
Received: by okeeffe.bestweb.net (Postfix, from userid 0)
	id AB98D9EE47; Mon, 11 Feb 2002 21:11:44 -0500 (EST)
Date: Tue, 5 Feb 2002 14:26:58 +0000
From: Rasputin
To: Michael Vince
Cc: security@freebsd.org
Subject: Re: SSH
Reply-To: Rasputin
Message-Id: <20020212021144.AB98D9EE47@okeeffe.bestweb.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Michael Vince [020205 08:05]:
> Hey all.
> I was thinking about setting up a maximum laziness, maximum security policy for myself.
> I just wanted to know how dangerous are ssh keys with no password phrases?

You need to keep them safe, since any old monkey can use them to get into
boxes as you (although you can restrict that slightly - see the
AUTHORIZED_KEYS part in sshd(8)).

> I mean if someone is packet sniffing you, how much worse is it to have a ssh2
> key with no pass phrase compared to one that does..

Makes no difference as far as sniffing is concerned - network traffic
relies on the key, not the phrase.

> And how bad would it be to have all the servers I have access to with different keys
> but the exact same password phrase like "pepsi"?

Then you're replacing multiple passwords with multiple keys; I don't see
how that'd help you. At least one key being stolen won't compromise all
servers.

> And is it more secure to have a pass phraseless (no pass phrase) ssh key compared to
> just using ssh with no keys and just using a password that belongs to the unix account?

If you can't keep a key safe, then a frequently-changed password will do,
I guess - although bear in mind you don't have the same ability to stop
logins from other boxes (not in SSH itself, anyway).

--
Democracy is a government where you can say what you think even if you don't think.
Rasputin :: Jack of All Trades - Master of Nuns ::

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
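The reply above points at the AUTHORIZED_KEYS section of sshd(8) as the way to limit what a stolen passphrase-less key is good for, and later notes that SSH itself only restricts which boxes a key may log in from when such a restriction is configured. The script below is an added example, not part of the original thread or of OpenSSH: it audits an authorized_keys file and flags every key that carries no from="host-pattern" option, i.e. every key that anyone holding the private half could use from any host. The sample authorized_keys content and the key material in it are constructed filler, not real keys; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenSSH
# authorized_keys file for keys that lack a from= restriction.
# A passphrase-less key with no from= pattern lets whoever copies it
# log in as you from anywhere; from="pattern" pins it to named hosts,
# and command=/no-*-forwarding limit what a pinned key can do.

# Constructed sample authorized_keys: three keys, one comment line.
# The base64 blobs are filler, not real keys.
SAMPLE_KEYS="${TMPDIR:-/tmp}/authorized_keys.sample.$$"
cat > "$SAMPLE_KEYS" <<'EOF'
# backup job: pinned to one host, single command, no forwarding or pty
from="10.0.0.5",command="/usr/local/bin/run-backup",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED1 backup@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED2 laptop-from-home
from="*.example.org,!untrusted.example.org" ssh-dss AAAAB3NzaC1kc3MAAACONSTRUCTED3 admin@office
EOF

# Print the options field of one authorized_keys line, or nothing if the
# line starts directly with a key type. Format: [options] keytype base64 [comment]
key_options() {
    case "$1" in
        ssh-*|ecdsa-sha2-*) printf '\n' ;;
        *)
            opts=${1%% ssh-*}            # drop " ssh-<type> ..." onward
            opts=${opts%% ecdsa-sha2-*}  # same for ECDSA key types
            printf '%s\n' "$opts"
            ;;
    esac
}

# One line per key: "restricted" or "UNRESTRICTED" followed by the key's
# comment field. Only the options field is inspected, so a comment such
# as "from=home" cannot fool the check.
audit_authorized_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        opts=$(key_options "$line")
        case ",$opts," in
            *',from="'*) status=restricted ;;
            *)           status=UNRESTRICTED ;;
        esac
        comment=${line##* }
        echo "$status $comment"
    done < "$1"
}

# Number of keys usable from any host; anything above zero needs attention.
count_unrestricted() {
    audit_authorized_keys "$1" | grep -c '^UNRESTRICTED' || true
}

audit_authorized_keys "$SAMPLE_KEYS"
echo "unrestricted keys: $(count_unrestricted "$SAMPLE_KEYS")"
```

Run against a real file with `audit_authorized_keys ~/.ssh/authorized_keys`. The from= pattern is matched by sshd against the client's address and reverse-resolved hostname, so it is only as trustworthy as the network path and DNS between the two hosts; it raises the bar for a copied key but is not a substitute for keeping the private key off shared or untrusted machines.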