Ubuntu server remote file access
kentborg at borg.org
Tue Oct 1 12:58:46 UTC 2013
On 09/30/2013 04:02 PM, Colin Law wrote:
> The PC is at my home so normally no-one with evil intent has physical
> access to it. If my PC is stolen then it will be by someone who wants
> to sell it, not in order to gain access to my servers. Therefore there
> is no benefit for me in adding a passphrase. For others the situation
> is different of course.
Physical access isn't the only risk. Any software running under your
user ID can read that key file and send it off over the internet, right
through your firewall, lickettysplit . Yes, if someone manages to root
your machine they can sniff your keyboard while you type passwords,
etc. But doing elaborate stuff is a lot more work than doing simple
stuff. Looking in .ssh for keys is simple and doesn't require root.
Kind of like the folks who will try a few hundred passwords on one of my
ssh servers and then give up. Easy is easier than hard.
Again, if you have thought through your circumstance and have decided
what is right, cool. But there are issues that can arise when looking
at the larger system, independent of the cryptological strength of ssh's
use of keys.
> My understanding is that from the point of view of a hacker probing
> random IP addresses and trying to break in, the keys are more secure.
> For most I believe that is the key point.
Unless there is a fundamental bug in ssh, it is not true that one is
more secure than the other, period.
The ssh key does have the advantage that should start out strong (if
generated on a working system with a good random number generator, etc.)
whereas a password, if chosen by a human, could start out weak. (Which
is why I say passwords should have components that are determined by
something truly random, not just something that seems obscure to a human.)
But once you have a good password or a good key, no one is going to get
in by probing your system and making guesses. The security becomes
dependent on whether each is kept secret. (Which is why I say passwords
should not be reused on different sites.)
Yes, the use of passwords hinges on choosing strong passwords and
keeping them secret. But whether you use ssh keys or not, you likely
still have other passwords in your life, you should choose strong ones
and keep them secret. Most people both choose weak passwords and do not
keep them secret. In the face of that, a lot of other worries seem trivial.
More information about the ubuntu-users