passwordless ssh from laptop

Chris Green cl at isbd.net
Mon Dec 26 14:16:19 UTC 2016


On Mon, Dec 26, 2016 at 10:35:54PM +1100, Karl Auer wrote:
> On Mon, 2016-12-26 at 10:23 +0000, Chris Green wrote:
> > [using publickey authentication with ssh is]
> > only 'more secure' in the sense that it's more difficult to
> > decrypt/break a key than it is to decrypt/break a password.
> > 
> > IMHO there are situations where it is decidedly *less* secure to use
> > public key authentication.  I access my home machine from two or
> > three laptops using ssh.  If I use public key authentication from
> > those laptops then if I lose the laptop the keys are vulnerable to an
> > attacker.
> > If I use password authentication then someone who has my
> > laptop has no more information than they would have if trying to
> > break into my systems from anywhere else.
> 
> Hm. If you are using password authentication, then anyone can try from
> anywhere to crack your password (assuming the targets are accessible
> from anywhere). If your password is cracked you may never know. The
> attacker does not need to see your password to attack it.
> 
No they can't, any remotely sensible system will limit the number of
guesses possible by increasing time between retries and/or limiting
the total number of tries.


> If you are using publickey authentication, no-one ever sees your
> private key to be *able* to attack it. Your private key is never
> transmitted; it is used only to decrypt inbound packets and encrypt
> outbound packets. An attack on your communications is still possible,
> but it is a hugely difficult task because crypto.
> 
I did say 'someone who has my laptop'.


> If you lose your laptop, then your keys are indeed available to the
> wily hacker. This is the main reason you should use long, strong
> passphrases. But the only way to attack your ssh keys (aside from
> social engineering and things like keyloggers) is to get your laptop
> first.
> 
Exactly!  Just what I was saying.  My laptop *is* very vulnerable,
thus I don't want *anything* on it that can help an intruder.

-- 
Chris Green




More information about the ubuntu-users mailing list