Ubuntu server remote file access
Kent Borg
kentborg at borg.org
Tue Oct 1 12:58:46 UTC 2013
On 09/30/2013 04:02 PM, Colin Law wrote:
> The PC is at my home so normally no-one with evil intent has physical
> access to it. If my PC is stolen then it will be by someone who wants
> to sell it, not in order to gain access to my servers. Therefore there
> is no benefit for me in adding a passphrase. For others the situation
> is different of course.
Physical access isn't the only risk. Any software running under your
user ID can read that key file and send it off over the internet, right
through your firewall, lickety-split. Yes, if someone manages to root
your machine they can sniff your keyboard while you type passwords,
etc. But doing elaborate stuff is a lot more work than doing simple
stuff. Looking in .ssh for keys is simple and doesn't require root.
Kind of like the folks who will try a few hundred passwords on one of my
ssh servers and then give up. Easy is easier than hard.
Again, if you have thought through your circumstance and have decided
what is right, cool. But there are issues that can arise when looking
at the larger system, independent of the cryptological strength of ssh's
use of keys.
> My understanding is that from the point of view of a hacker probing
> random IP addresses and trying to break in, the keys are more secure.
> For most I believe that is the key point.
Unless there is a fundamental bug in ssh, it is not true that one is
more secure than the other, period.
The ssh key does have the advantage that it should start out strong (if
generated on a working system with a good random number generator, etc.)
whereas a password, if chosen by a human, could start out weak. (Which
is why I say passwords should have components that are determined by
something truly random, not just something that seems obscure to a human.)
But once you have a good password or a good key, no one is going to get
in by probing your system and making guesses. The security becomes
dependent on whether each is kept secret. (Which is why I say passwords
should not be reused on different sites.)
Yes, the use of passwords hinges on choosing strong passwords and
keeping them secret. But whether you use ssh keys or not, you likely
still have other passwords in your life, you should choose strong ones
and keep them secret. Most people both choose weak passwords and do not
keep them secret. In the face of that, a lot of other worries seem trivial.
-kb
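The point made above, that a key file without a passphrase can be used by any process running under your user ID, is something you can check on your own machine. The following is an added example, not code from this post: a small Python audit that reads each file in ~/.ssh and reports private keys whose OpenSSH-format cipher name is "none" or whose PEM headers carry no ENCRYPTED marker. The names key_is_encrypted, unencrypted_keys, scan_ssh_dir and fake_openssh_key are my own, and fake_openssh_key builds a constructed header-only fixture for testing, not a usable key.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"   # 15 bytes, starts every modern OpenSSH private key

def key_is_encrypted(key_text):
    """True if the private key is passphrase-protected, False if any process that
    can read the file can use it as-is. Raises ValueError for non-key input."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Modern format: base64 of magic || ciphername || kdfname || kdfoptions || ...
        blob = base64.b64decode("".join(ln for ln in lines[1:] if not ln.startswith("-----")))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        (n,) = struct.unpack(">I", blob[15:19])   # wire string: uint32 length + bytes
        cipher = blob[19:19 + n]
        return cipher != b"none"                  # "none" means no passphrase was set
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY) declares encryption in a Proc-Type
    # header; PKCS#8 says it in the armor line (BEGIN ENCRYPTED PRIVATE KEY).
    return "ENCRYPTED" in lines[0] or any(
        ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])

def unencrypted_keys(files):
    """Given {filename: contents}, return sorted names of passphrase-less private keys;
    config, known_hosts, *.pub and other non-key files are skipped."""
    found = []
    for name, text in files.items():
        if name.endswith(".pub"):
            continue
        try:
            if not key_is_encrypted(text):
                found.append(name)
        except ValueError:
            continue
    return sorted(found)

def scan_ssh_dir(ssh_dir=None):
    """Audit a real ~/.ssh: read every regular file and report passphrase-less keys."""
    ssh_dir = Path(ssh_dir) if ssh_dir else Path.home() / ".ssh"
    files = {p.name: p.read_text(errors="replace") for p in ssh_dir.iterdir() if p.is_file()}
    return unencrypted_keys(files)

def fake_openssh_key(cipher):
    """Constructed fixture: only the openssh-key-v1 header fields, not a usable key."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    blob += struct.pack(">I", 4) + b"none" + struct.pack(">I", 0) + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Running scan_ssh_dir() on a real account lists the keys that `ssh-keygen -p` would need to be applied to; an empty list means every private key present requires a passphrase before it can be used.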