BLU Discuss list archive
[Discuss] deadmanish login?
- Subject: [Discuss] deadmanish login?
- From: john at johnbyrnes.info (John Byrnes)
- Date: Fri, 10 Feb 2017 22:50:35 -0500
- In-reply-to: <6eb9dd4a-2c91-69e5-7ef8-4462f8daf42a@borg.org>
- References: <a47bda52-ca1f-15ab-2f57-3ab5d1519a48@borg.org> <ecfa4f25-9416-ddcc-d92f-7979136fdf96@borg.org> <837eb7de-a956-c4bb-63f4-e1bcfa0e3861@gmail.com> <37fde12c-5572-a9e2-0525-fb37a8400691@borg.org> <5560cbeb-9a49-b959-c28a-44a3f0145d0f@gmail.com> <b261f072-dd42-b3e1-119e-3a380444a4dc@borg.org> <CA+h9Qs59TDWE22RJ561vrLs4J6JmNN9W6Tqg=9mPGTUy4E4KLQ@mail.gmail.com> <01da354a-066d-2c10-1e10-5780569627e5@borg.org> <d08d1f8f-e3ae-2e34-425e-83edf083780e@gmail.com> <6eb9dd4a-2c91-69e5-7ef8-4462f8daf42a@borg.org>
Hi Kent,

On Fri, Feb 03, 2017 at 01:20:11PM -0500, Kent Borg wrote:
> You are a proponent of ssh keys, right? And you encrypt yours, right? And
> you use a passphrase...that has how much entropy? I bet less than 100-bits
> of entropy, because typing good passphrases is really hard. I further bet
> that your key sits unencrypted much of the time because you are too lazy to
> type even your poor passphrase every time you would have to. Good passphrase
> hygiene is hard, much harder than good password hygiene.
>
> Compared to a decent password (that isn't shared between systems*) ssh keys
> solve a problem that doesn't exist, yet they create additional problems that
> you ignore.
>

You can keep your ssh keys on a PIN protected smartcard and only insert it
when you need to log in somewhere. Your keys never leave the card. When the
card is unplugged, an attacker has no access at all. I feel like this is
better than a password. It also makes it easier to keep the keys
synchronized between boxes.

gpg-agent can allow access to GPG keys on a card with the
--enable-ssh-support option.

===
--enable-ssh-support
--enable-putty-support
    Enable the OpenSSH Agent protocol.

    In this mode of operation, the agent does not only implement the
    gpg-agent protocol, but also the agent protocol used by OpenSSH
    (through a separate socket). Consequently, it should be possible to
    use the gpg-agent as a drop-in replacement for the well known
    ssh-agent.
===

Cheers,
John
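
The setup described in the message above, as an added example that is not part of the original post: shell functions that turn on gpg-agent's OpenSSH support and point `ssh` at the agent's socket. The function names are hypothetical, and the sketch assumes GnuPG 2.1 or later with the card's authentication key already provisioned.

```shell
#!/bin/sh
# Added example: let OpenSSH use a smartcard-held key through gpg-agent.

# Add "enable-ssh-support" to gpg-agent.conf exactly once (idempotent).
# $1: GnuPG home directory (defaults to $GNUPGHOME, then ~/.gnupg).
enable_ssh_support() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    conf=$home/gpg-agent.conf
    mkdir -p "$home" && chmod 700 "$home" || return 1
    [ -f "$conf" ] || : > "$conf"
    # Only an active (uncommented) option line counts as already enabled.
    if ! grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$conf"; then
        # Terminate a final line that lacks a newline before appending.
        [ -z "$(tail -c 1 "$conf")" ] || echo >> "$conf"
        printf '%s\n' 'enable-ssh-support' >> "$conf"
    fi
}

# Print the path of the separate socket that speaks the OpenSSH agent protocol.
agent_ssh_socket() {
    command -v gpgconf >/dev/null 2>&1 || { echo "gpgconf not found" >&2; return 1; }
    gpgconf --list-dirs agent-ssh-socket
}

# Restart the agent with the new option and export the environment ssh reads.
use_gpg_agent_for_ssh() {
    enable_ssh_support || return 1
    sock=$(agent_ssh_socket) || return 1
    gpgconf --kill gpg-agent          # the next request relaunches it with ssh support
    unset SSH_AGENT_PID               # stop pointing at a previously running ssh-agent
    SSH_AUTH_SOCK=$sock; export SSH_AUTH_SOCK
    GPG_TTY=$(tty); export GPG_TTY    # tells pinentry where to prompt for the card PIN
    gpg-connect-agent updatestartuptty /bye >/dev/null
}

# Usage, after sourcing this file with the card inserted:
#   use_gpg_agent_for_ssh && ssh-add -L   # lists the public key held on the card
```

With the card removed, `ssh-add -L` no longer lists the key, which is a quick way to confirm the private key is only reachable while the card is present.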