passwordless ssh from laptop
Chris Green
cl at isbd.net
Thu Dec 29 09:46:09 UTC 2016
On Thu, Dec 29, 2016 at 10:59:39AM +0900, Joel Rees wrote:
> On Mon, Dec 26, 2016 at 7:26 PM, Chris Green <cl at isbd.net> wrote:
> > On Mon, Dec 26, 2016 at 09:35:11AM +0000, Colin Law wrote:
> >> On 26 December 2016 at 06:26, Karl Auer <kauer at biplane.com.au> wrote:
> >> >
> >> > ssh logins without passwords should be used only for strictly limited
> >> > purposes, such as backups. Always use extra security, such as IP
> >> > address restrictions or command restrictions. Ideally, don't use
> >> > passwordless logins at all.
> >> >
> >> > Also, read this: http://biplane.com.au/blog/?p=426
> >>
> >> That link does not appear to agree with your contention that one
> >> should not allow access via keys, finishing with the comment:
> >> "By the way, if you think your password is safe because it is
> >> complicated or unusual – you are probably wrong. Use publickey only,
> >> and protect your keys with long, strong passphrases."
> >>
> > How is a 'long, strong passphrase' any better than a 'long, strong
> > password'? As a user I have to remember either one or the other, it's
> > no easier to use a long, strong key than it is to use that same string
> > as a password.
>
> I think the distinction has become fairly general in practice --
>
> Passphrases assumed to be used in indirect authentication like public
> key, and passwords being used when directly authenticating.
>
> And (good) passwords being strings like "m0n<e4UR at Tom" and (good)
> passphrases being more like "I have a monk{y for your atom, Kite."
>
> Neither of which is any good, for either me or you, now that I have posted this.
>
> Which one would you find easier to remember?
>
But how does it help? I can just as easily have a long password, like
"I have a monk{y for your atom, Kite."
If I use passwords then I have to enter them every time I log in; if I
use a passphrase then I *might* have to type it in every time I log
in, it depends on how I'm using the system. If the passphrase is kept
in ssh-agent or something similar then that's a *big* security hole
(for me anyway) as it means that anyone getting to my unattended
laptop will have access to remote systems. Forcing password use on
those remote systems means that this doesn't happen.
--
Chris Green
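The thread raises two practical points: Karl Auer's advice that passwordless keys be limited with source-address and forced-command restrictions, and Chris's concern that a key loaded into ssh-agent on an unattended laptop grants access to every remote system that trusts it. The following audit script is an added example, not part of any post in this thread: it parses an OpenSSH `authorized_keys` file and reports every key that lacks a `from=` or `command=` restriction, which is the server-side check an administrator would run on the remote systems. The file contents and key material in `SAMPLE_AUTHORIZED_KEYS` are constructed placeholders, not real keys.

```python
"""Audit an OpenSSH authorized_keys file for keys that lack the restrictions
recommended in the thread: a source-address limit (from=) and a forced
command (command=).  Added example; the sample below is constructed data
and the base64 key material is a placeholder, not a real key.
"""

# Lines that begin with one of these prefixes carry no options field.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample: only the backup key is properly restricted.
SAMPLE_AUTHORIZED_KEYS = """\
# backup key, locked to one source host and one command
from="192.0.2.10",command="/usr/local/bin/backup-receive",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL backup@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL chris@laptop
from="203.0.113.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER admin@desk
"""


def split_options(opts):
    """Split the comma-separated options field, respecting double quotes
    (a quoted command= value may itself contain commas)."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line):
    """Return (options, key_type, comment) for one authorized_keys line,
    or None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):
        opts_str, rest = "", line
    else:
        # The options field ends at the first whitespace outside quotes.
        quoted, i = False, 0
        while i < len(line):
            if line[i] == '"':
                quoted = not quoted
            elif line[i].isspace() and not quoted:
                break
            i += 1
        opts_str, rest = line[:i], line[i:].strip()
    fields = rest.split(None, 2)          # key type, key blob, optional comment
    key_type = fields[0]
    comment = fields[2] if len(fields) > 2 else ""
    return split_options(opts_str), key_type, comment


def audit(text):
    """Return [(line_number, label, missing_restrictions), ...] for every
    key entry that lacks from= or command=."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        options, key_type, comment = parsed
        names = {opt.split("=", 1)[0] for opt in options}
        missing = [req for req in ("from", "command") if req not in names]
        if missing:
            findings.append((lineno, comment or key_type, missing))
    return findings


if __name__ == "__main__":
    for lineno, label, missing in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: {label} is missing {', '.join(missing)}")
```

Run against a real file with `audit(open('/root/.ssh/authorized_keys').read())`. On the laptop side, the exposure Chris describes can be narrowed without giving up the agent entirely: `ssh-add -t <seconds>` loads a key with a lifetime after which the agent forgets it, `ssh-add -c` makes the agent ask for confirmation on every use, and `ssh-add -D` (for example, hooked to the screen locker) drops all loaded identities.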