From owner-freebsd-security Mon Feb 11 18:20:18 2002
Delivered-To: freebsd-security@freebsd.org
Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 0F96A37B440 for ; Mon, 11 Feb 2002 18:16:38 -0800 (PST)
Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id AE1A523015; Mon, 11 Feb 2002 21:16:38 -0500 (EST)
Received: by okeeffe.bestweb.net (Postfix, from userid 0) id 5092C9EFA6; Mon, 11 Feb 2002 21:11:45 -0500 (EST)
Date: Tue, 5 Feb 2002 18:45:42 +0000
From: David McNett
To: Michael Vince , security@FreeBSD.ORG
Subject: Re: SSH
Message-Id: <20020212021145.5092C9EFA6@okeeffe.bestweb.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 05-Feb-2002, Eli Dart wrote:
> In reply to "Michael Vince" :
> > I just wanted to know how dangerous are ssh keys with no password
> > phrases?
> > I just find myself having a lot of passwords to remember
>
> If someone owns your keystrokes (and, we can assume, your machine),
> they now own all the servers instead of just the ones you logged into
> while they were capturing keystrokes. As an aside, choosing a pass
> phrase that is subject to dictionary attack or short enough to
> brute-force isn't a good idea ("pepsi" has both problems).

Eli raises some good points about how important it can be to select passphrases which are sufficiently secure. I think that "pepsi" would be insufficient to make me feel secure. From a theoretical standpoint, it's possible that an attacker who gained access to several private keys all known to be encrypted with the same passphrase might be able to accelerate their attempts to access the keys with that knowledge, but I'm not aware of any such method. I doubt it's relevant to real-world security concerns.
Bottom line, though, it sounds like what you really want is to familiarize yourself with the use of ssh-agent to cache your sufficiently-long passphrase for local use. OpenSSH has a tool designed to strike a comfortable balance between security and ease of use which will allow you to cache your passphrase in memory (accessible only to you and root) and then use the cached, decrypted copy of the private key for all subsequent authorizations. As long as you're mindful to clear the cache when you're done or step away (I have my screensaver do it automatically) it doesn't add nearly as much risk as keeping unprotected private keys in your homedir. And since it reduces the number of times you have to type your passphrase, you'll be less motivated to select an unsafe passphrase.

man ssh-agent for a start, and take a look at the ssh-askpass port if you're in X for a nice GUI supplement to the tool.

-- 
 ________________________________________________________________________
|David McNett      |To ensure privacy and data integrity this message has|
|nugget@slacker.com|been encrypted using dual rounds of ROT-13 encryption|
|Austin, TX USA    |Please encrypt all important correspondence with PGP!|

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
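The ssh-agent workflow David recommends, as an added example that is not part of the original thread or of OpenSSH: start or reuse an agent, load the passphrase-protected key with a bounded lifetime, and flush every cached identity from a screen-lock hook. It assumes OpenSSH's ssh-agent and ssh-add are installed; the key path is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. It assumes the
# OpenSSH ssh-agent/ssh-add binaries are on PATH; KEY is a placeholder path.

KEY="${KEY:-$HOME/.ssh/id_ed25519}"   # placeholder: your passphrase-protected key
LIFETIME="${LIFETIME:-3600}"          # seconds a cached identity stays usable

# Succeed only if the given path is a live agent socket.
agent_reachable() {
    [ -n "$1" ] && [ -S "$1" ]
}

# Reuse the agent named by SSH_AUTH_SOCK, or start one for this shell.
agent_start() {
    agent_reachable "$SSH_AUTH_SOCK" && return 0
    # ssh-agent -s prints sh-style export statements; eval them here.
    eval "$(ssh-agent -s)" >/dev/null || return 1
    agent_reachable "$SSH_AUTH_SOCK"
}

# Decrypt the key once (ssh-add prompts for the passphrase) and cache it
# with a lifetime, so an idle session does not hold it indefinitely.
agent_load_key() {
    ssh-add -t "$LIFETIME" "$KEY"
}

# Number of identities the agent currently holds; 0 when it is empty or
# when no agent is reachable (ssh-add -l exits non-zero in both cases).
agent_count() {
    if ssh-add -l >/dev/null 2>&1; then
        ssh-add -l | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# What a screen-lock hook should run: forget every cached identity, so the
# decrypted key is gone from memory while you are away from the keyboard.
agent_forget_all() {
    ssh-add -D
}

# Typical session (commented out so the file can be sourced):
# agent_start && agent_load_key
# ssh user@host ...
# agent_forget_all
```

Wire agent_forget_all into whatever your screensaver or lock command runs on lock, which is the automatic clearing the reply describes.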