passwordless ssh from laptop

Joel Rees joel.rees at gmail.com
Fri Dec 30 00:51:22 UTC 2016


On Thu, Dec 29, 2016 at 6:46 PM, Chris Green <cl at isbd.net> wrote:
> On Thu, Dec 29, 2016 at 10:59:39AM +0900, Joel Rees wrote:
>> On Mon, Dec 26, 2016 at 7:26 PM, Chris Green <cl at isbd.net> wrote:
>> > On Mon, Dec 26, 2016 at 09:35:11AM +0000, Colin Law wrote:
>> >> On 26 December 2016 at 06:26, Karl Auer <kauer at biplane.com.au> wrote:
>> >> >
>> >> > ssh logins without passwords should be used only for strictly limited
>> >> > purposes, such as backups. Always use extra security, such as IP
>> >> > address restrictions or command restrictions. Ideally, don't use
>> >> > passwordless logins at all.
>> >> >
>> >> > Also, read this: http://biplane.com.au/blog/?p=426
>> >>
>> >> That link does not appear to agree with your contention that one
>> >> should not allow access via keys, finishing with the comment:
>> >> "By the way, if you think your password is safe because it is
>> >> complicated or unusual – you are probably wrong. Use publickey only,
>> >> and protect your keys with long, strong passphrases."
>> >>
>> > How is a 'long, strong passphrase' any better than a 'long, strong
>> > password'?  As a user I have to remember either one or the other, it's
>> > no easier to use a long, strong key than it is to use that same string
>> > as a password.
>> >
>> I think the distinction has become fairly general in practice --

Ergo,

>> Passphrases assumed to be used in indirect authentication like public
>> key,

vs.

>> and passwords being used when directly authenticating.

Also,

>> And (good) passwords being strings like "m0n<e4UR at Tom"

vs.

>> and (good)
>> passphrases being more like "I have a monk{y for your atom, Kite."
>>
>> Neither of which is any good, for either me or you, now that I have posted this.
>>
>> Which one would you find easier to remember?

And memorability is part of the distinction.

> But how does it help?  I can just as easily have a long password, like
> "I have a monk{y for your atom, Kite."

Many systems still only allow four digits of what is essentially a
passcode token of the password variety. If you use an ATM regularly,
you know what I mean.

Why they haven't shifted to on-screen keyboards is beyond me, but
scrambling the on-screen keypad does help, a little.

Many on-line systems (some banks included) still allow only eight
characters of alphanumeric for passwords, and rely on denial to cover
for the weakness of the passcode token. Which means that if you don't
use a weak token, or if you don't write it down, or if you don't visit
the ATM at least once a week, you end up visiting the cashier a couple
of times a year to reset your PIN or password that you forgot.

> If I use passwords then I have to enter them every time I log in, if I
> use a passphrase then I *might* have to type it in every time I log
> in, it depends on how I'm using the system.

Well, a passphrase that you type in every time is essentially a long
password, which is still better than a short password, for some
meanings of long and short and for some contents of the tokens.

> If the passphrase is kept
> in ssh-agent or something similar then that's a *big* security hole
> (for me anyway) as it means that anyone getting to my unattended
> laptop will have access to remote systems.

So, you are not using one part of the systems that provide
"passphrases", and that part is basically the part where the
distinction is made.

However, I wonder whether you are focusing, in your decision, on the
question of whether you can trust ssh-agent (or similar), or whether
you are focusing on the conundrum of where you would store the key(s)
to the database(s) of cryptographic tokens, which database seems to be
an implicit part of the concept of passphrases.

As a possible solution to that, I used to use a simple rotation cipher
that I could do in my head on the keys I wrote down in my physical
notebook. (I should blog about that, I suppose.)

> Forcing password use on
> those remote systems means that this doesn't happen.

Which may be appropriate for certain classes of users and certain
classes of use.

-- 
Joel Rees

I'm imagining I'm a novelist:
http://reiisi.blogspot.jp/p/novels-i-am-writing.html
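A check in the spirit of Karl Auer's advice quoted above (restrict passwordless keys with from= and command= options), added here as an example and not part of the thread; the authorized_keys content and key data are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): list authorized_keys entries that
# grant passwordless login without a given restriction option.
# The sample file below is constructed for the demo; key data is fake.
set -eu

SAMPLE_KEYS=$(mktemp)
trap 'rm -f "$SAMPLE_KEYS"' EXIT
cat >"$SAMPLE_KEYS" <<'EOF'
# backup key: limited to one source host and one command (good)
from="192.0.2.10",command="/usr/local/bin/backup-receive",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOne backup@laptop
# unrestricted key: any source, any command (flagged for both checks)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataTwo joel@laptop
# source-restricted only (flagged: no command restriction)
from="192.0.2.*" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABExampleKeyDataThree chris@laptop
EOF

# Print the comment field of every key lacking option "$2" (from or command).
# $1 = authorized_keys path, $2 = option name
unrestricted_keys() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |   # skip comments and blank lines
    grep -Ev "(^|,)$2=" |                  # drop keys that carry the option
    awk '{print $NF}'                      # trailing comment names the key
}

# Number of keys lacking option "$2".
count_unrestricted() {
    unrestricted_keys "$1" "$2" | wc -l | tr -d ' '
}

echo "keys without from= restriction:"
unrestricted_keys "$SAMPLE_KEYS" from
echo "keys without command= restriction:"
unrestricted_keys "$SAMPLE_KEYS" command
```

Run it against a real ~/.ssh/authorized_keys by replacing the constructed sample path; a key flagged by both checks is exactly the unattended-laptop risk Chris describes.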



