SSH hacked?

Smoot Carl-Mitchell smoot at tic.com
Tue Jan 13 18:11:48 UTC 2009


On Tue, 2009-01-13 at 12:56 -0500, Kent Borg wrote:
> Knute Johnson wrote:
> > Why use passwords at all with SSH? The public key authentication is
> > several orders of magnitude harder to crack than username/password.
> > And it is really easy to use.
> 
> I keep records of all the passwords I use. I keep that list encrypted.
> (And who says the encrypted list is even on my computer?)
> 
> Private ssh keys, on the other hand, need to be in the clear to be
> useful. I get nervous having such valuable data sitting in the clear. A

No, they do not need to be in the clear.  Encrypt your private key and
use ssh-agent to manage them for convenience.  Or if you are really
paranoid type your key passphrase each time you login.  The passphrase
is only used locally and is never sent on the wire to the server. Nor is
the private key sent on the wire to the server.  The server sends the
client soem data and asks the client to encrypt it with the private key
and send it back to the server for verification.  There is a little more
to the protocol than this to prevent person in the middle attacks,
replay attacks, etc, but that is the gist of how the public key
authentication works.

I keep my encrypted private key on my personal notebook and use
ssh-agent.  I have to type my passphrase to decrypt the private key and
set up the agent infrastructure when I login to my notebook. Also my
passphrase is not my login password.  Even if someone manages to login
to my notebook, they still do not have access to my private SSH key.
-- 
Smoot Carl-Mitchell
Computer Systems and
Network Consultant
smoot at tic.com
+1 480 922 7313
cell: +1 602 421 9005




More information about the ubuntu-users mailing list