Don's Pages and my Music

Wednesday, July 6, 2011

Safer Access without Passwords | Linux Journal

Safer Access without Passwords

How do you make sure that your passwords are safe? You can make them longer, complicate them by adding odd characters, making sure to use different passwords for each user account that you have. Or, you can simply skip them all together.

The secure shell, ssh, is a key tool in any Linux user's toolbox. As soon as you have more than one machine to interact with, ssh is the obvious choice.

When logging into a remote machine through ssh, you are usually prompted with the remote user's password. An alternative to this is to use an asymmetric key pair.

An asymmetric key pair consists of a private and public key. These are generated from an algorithm - either RSA or DSA. RSA has been around for a long time and is widely supported, even by old legacy implementations. DSA is safer, but requires v2 of the ssh protocol. This is not much of an issue in an open source world - keeping the ssh daemon implementation up to date is not a problem, but rather a requirement. Thus, DSA is the recommended choice, unless you have any specific reason to pick RSA.

The generated keys are larger than a common user password. RSA keys are at least 768 bits, default 2048 bits. DSA keys are 1024, as the standard specifies this.

To generate a DSA key, use the following command:

Read More...
http://www.linuxjournal.com/content/safer-access-without-passwords

Interesting info... I have tried setting this up in the past and got stuck on things that didn't work on one of the machines in the Command Line. So, I got tired of messing with it. If there were an easy GUI way of doing all this. I think average users could do it and take advantage of the extra Security in this method. And like some in the comments section of his Blog say. These files are readable by anyone who gains accecess to your machine. Locally or Remotely... So, if your Hacked, Your Hacked!:O

Don

agents

bitlord's picture

Nice job but you forgot a step or maybe you should add this feature. There is not mention of the agent. You need to do script or run the following commands.

ssh-agent
ssh-add

If you don't do this the remote server will ask you for your passphrase.
You do this then you just type user@server and your in, no intervention needed. If you don't want to use password then you would you want to type in a passphrase?

You need a script if you don't want a lot of agents running.

agent

bitlord's             picture

Nice job but you forgot a step or maybe you should add this feature. There is not mention of the agent. You need to do script or run the following commands.

ssh-agent
ssh-add

If you don't do this the remote server will ask you for your passphrase.
You do this then you just type user@server and your in, no intervention needed.

You need a script if you don't want a lot of agents running.

agent

bitlord's             picture

Nice job but you forgot a step or maybe you should add this feature. There is not mention of the agent. You need to do script or run the following commands.

ssh-agent
ssh-add

If you don't do this the remote server will ask you for your passphrase.
You do this then you just type user@server and your in, no intervention needed.

You need a script if you don't want a lot of agents running.

Promoting Bad Security

Anonymous's picture

I’m amazed this article does not put more emphasis on entering a passphrase, in fact it almost suggests that it is optional. Creating a private key that is not encrypted is a major security risk, especially if your computer is compromised and your private key is stolen.

Actually, using a passphrase

Johan                 Thelin's picture

Actually, using a passphrase key can be argued to be more safe than a 1234 life time password. But, yes, a passphrase is recommended and I could have pushed that point.

Johan Thelin is a consultant working with Qt, embedded and free
software. On-line, he is known as e8johan.

All that glitters is not gold

sorrillo's picture

I don't like writing my passwords into a text file or an excel. If someone gets access to this file he will have access to all my accounts and servers.

I prefer to memorize the password, or better yet the formula, so no one can steal it from me.

The private key is not so different than a plain text file with the passwords. If your computer gets compromised your password can be stolen simply by copying a file.

Of course if your computer gets compromised you have to face the risk of a keylogger as well, which is effective against any password.

Then there's the mobility as well. If you use a memorized password you will not have to worry about carrying a USB drive with your private key in a truecrypt container or whatever way you protect the data from losing it or being stolen. And you will not have to worry about securely deleting the private key from whatever computer you decide to use it. Just, again, only about the keyloggers.

I suppose what I am saying is that there is no magic solution for security, everything has it's risks and it's benefits. Just use whatever method fits better in your case.

Of course there's always the option to use a public/private key and a password if you are paranoid enough ;-)

I was meaning to say what you

Johan                 Thelin's picture

I was meaning to say what you finish your reply with. You can combine a key with a passphrase of choice, thus increasing security.

And you are right. In a mobile world, key files are harder to manage.

But under ordinary circumstances (nothing stolen) keys add to security and convenience, and you can revoke a key. That might be harder to do if someone takes over your password.

Johan Thelin is a consultant working with Qt, embedded and free
software. On-line, he is known as e8johan.

Post new comment

Please note that comments may not appear immediately, so there is no need to repost your comment.
Go there...
http://www.linuxjournal.com/content/safer-access-without-passwords

 



No comments:

Post a Comment