BLU Discuss list archive
[Discuss] ssh keys question
- Subject: [Discuss] ssh keys question
- From: kentborg at borg.org (Kent Borg)
- Date: Fri, 17 Jun 2016 19:31:11 -0400
- In-reply-to: <ee255849986a8455a436c0cff185444c.squirrel@webmail.ci.net>
- References: <mailman.11.1466179204.26887.discuss@blu.org> <ee255849986a8455a436c0cff185444c.squirrel@webmail.ci.net>
On 06/17/2016 02:20 PM, Rich Braun wrote:
> You should also encrypt your private key with a passphrase, using 'ssh-keygen
> -p'. The ssh-agent allows you to use it repeatedly for the duration of a
> session without having to retype the password multiple times.

If you think anyone motivated might ever get a hold of your encrypted file, use a *really* good passphrase. Something in excess of 100-bits of entropy in it.

That's why I like much-maligned passwords. A very easy to remember and to type password such as:

denver-deluxe-donald

Effectively dice-ware. It has 32-bits of entropy in it. Because sshd throttles login attempts, I'll be dead before anyone can brute-force it.

(Except I told you all the password! Now it'll be easy! I know...I'll change it to perform-rebel-tennis! Oh, shit, now you know the replacement, too.)

If a password is (1) good and (2) not reused, it is good enough. Period.

I realize my impractical, secret-can't-be-duplicated weapon here is the "not reused" part. It seems there are only a handful of us on this planet who can manage that. Everyone reuses passwords dadada...but for the few of us who don't, they are a powerful technology.

And an ssh password doesn't have the extra attack surface of that encrypted file (backed up?) protected with only a crappy passphrase (bahama-herbert-cartel).

Want another dice-ware style password, but this time with 128-bits of entropy?

snow-bruce-block-absent-canal-trick-result-gorilla-diana-quebec-atomic-karma

Maybe you prefer that oh-so-catchy number:

c40f62dd-7849-40ad-a9ca-4a102f6e37b2

Not so easy to remember, nor to type blindly. But if you want to survive a brute-force attack on an encrypted file, having 128-bits of entropy is more your target.

It is easy to "curve fit" an idea around three random words (a good password), but horrible to try it on twelve (a good passphrase)--it gets very bumpy. And blind typing it without an echo is additionally error prone.

Typing passwords can be easy, typing a good encryption key cannot. Using ssh keys implies you protect those keys with another strong key, something that is really burdensome if done conservatively.

-kb, the Kent who just smiles when he sees break-in attempts (on root, who can't login anyway) when his user password (bingo-soviet-exotic) will last longer than he will.

P.S. A way to prevent (or slow down) password reuse? Don't let users pick their own passwords! Tell User One his password is billy-active-decade, and tell User Two her password is subject-craft-mexico. Done.

One of my banks does this, with just a 7-character password. When I login they choose three of the characters to ask for (take that, average spyware). Though recently it seems they are a little freaked out that every time I log in their cookie is gone: seems each time they have been asking for a different three characters. I haven't been keeping track, but it is possible they have been keeping one character in reserve and I have never typed it in their login--and therefore most spyware wouldn't know that obscure holdout. Maybe they will use it the day they decide to issue me with a new password.
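The entropy arithmetic behind the mail's word-list passwords, as an added example that is not part of Kent's message or the BLU list: entropy of an n-word passphrase is n * log2(list size), so the bits a three-word password carries depend entirely on how big the list was, and the same bits look very different against a throttled sshd login than against an offline guess at a copied key file. The word list, the guess rates and the function names are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed sample list. A real Diceware list has 6**5 = 7776 entries; entropy
# per word depends only on the list size, never on which words were drawn.
SAMPLE_WORDS = ["denver", "deluxe", "donald", "snow", "bruce", "block", "absent",
                "canal", "trick", "result", "gorilla", "diana", "quebec", "atomic",
                "karma", "perform", "rebel", "tennis", "bingo", "soviet", "exotic"]
DICEWARE_LIST_SIZE = 7776
UUID4_RANDOM_BITS = 122  # a version-4 UUID has 122 random bits; 6 are fixed fields


def passphrase_entropy_bits(word_count, list_size):
    """Bits of entropy in word_count words drawn uniformly, with replacement,
    from a list of list_size words: word_count * log2(list_size)."""
    if word_count < 1 or list_size < 2:
        raise ValueError("need at least one word from a list of at least two")
    return word_count * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Fewest words from this list that reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def min_list_size(target_bits, word_count):
    """Smallest list for which word_count words carry target_bits of entropy
    (the 'curve fit' that tells you what list a 32-bit three-word password implies)."""
    return math.ceil(2 ** (target_bits / word_count))


def generate_passphrase(word_count, wordlist=SAMPLE_WORDS, sep="-"):
    """Draw words with the OS CSPRNG via the secrets module, never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def expected_years_to_guess(entropy_bits, guesses_per_second):
    """Expected time for an attacker who, on average, finds the secret halfway
    through the space: (2**bits / 2) guesses at the given rate, in years."""
    seconds = (2.0 ** entropy_bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


# Assumed attacker rates (constructed): a throttled sshd login vs an offline run
# against a copied private-key file. Real offline rates depend on the key's KDF.
ONLINE_GUESSES_PER_SEC = 10
OFFLINE_GUESSES_PER_SEC = 1e9
```

With a 7776-word list, three words give about 38.8 bits, twelve give about 155, and reaching 128 bits takes ten words; the same 38.8 bits that survive centuries of throttled online guessing at 10/s fall in minutes at 1e9/s offline, which is the point of demanding a much longer passphrase on the key file.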