SSH publickey auth

Michael Yep myep at
Mon Jul 11 20:04:06 UTC 2005

I am well acquainted with passwords and passphrases.  When I say 
password, it more means passphrase. 
For all my accounts I use a minimum of 10 digits, use the full 95 char 
character set, and generate it with a SHA1PRNG and I'll change 1 or 2 
I always use different passwords for every account and change them every 
30 - 44 days.  Now my dilemma is this:
I have high confidence in the standard Linux logon, it is tested, and 
strong, but with PublicKey auth there is more code (easier for there to 
be a bug).
In addition if I *were* to lose my keys, private or both, perhaps 
someone could derive my password from a reverse cryptanalysis attack.  
Brute force attacks are tough, and that's as much as I'd like to give an 
attacker, I don't want to give them more tools than they already have.  
We once thought MD5 was secure, and SHA1, but weaknesses are found, and 
computing power goes up.

Alexander Dalloz wrote:

>On Sat, 09.07.2005 at 1:15, Michael Yep wrote:
>>Ok, just to make sure I understand, basically PublicKey auth still uses 
>>a password,
>Not a password, a passphrase. For example see
>"A passphrase is similar to a password, except it can be a phrase with a
>series of words, punctuation, numbers, whitespace, or any string of
>characters you want. Good passphrases are 10-30 characters long, are not
>simple sentences or otherwise easily guessable (English prose has only
>1-2 bits of entropy per character, and provides very bad passphrases),
>and contain a mix of upper and lowercase letters, numbers, and
>non-alphanumeric characters."
>"Do not use your account password, nor an empty passphrase. The password
>should be at least 16 characters long, and not a simple sentence. One
>choice would be several lines to a song or poem, interspersed with
>punctuation and other non-letter characters. The ssh-agent setup notes
>below will reduce the number of times this passphrase will need to be
>used, so using a long passphrase is encouraged."
>>but it is better because you need 2 things, what you have (the 
>>certificate), and what you know (the password)
>Correct. If someone can get your personal key he could simply do pubkey
>auth to the target system when the key is not protected with a
>passphrase. A key protected by a passphrase too needs the knowledge of
>that passphrase. If you choose a good one (i.e. not just the name of
>your wife or your dog and not something like "I love Linux") then brute
>forcing the passphrase takes ages even for powerful machines.
>>Michael Yep
>And to avoid the need to always enter the passphrase each time you login
>using pubkey, there is the ssh-agent. "man ssh-agent" is really
>informative. On top of ssh-agent I recommend the tool keychain, to be
>able to use your passphrase protected pubkey by cronjobs.

Michael Yep
Development / Technical Operations
RemoteLink, Inc.
(630) 983-0072 x164 
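
Added example, not part of the original messages: a shell check of the point made in the quoted reply, that an unprotected private key is usable by whoever holds the file while a protected one also needs the passphrase, plus a check that the passphrase can be changed without changing the key pair. It assumes an OpenSSH recent enough to support Ed25519 keys; the passphrases, file names and function names are constructed for the demo.

```sh
#!/bin/sh
# Constructed demo value, not from the thread; never reuse it for a real key.
DEMO_PASSPHRASE='constructed demo passphrase / not for real use'

# make_key KEYFILE PASSPHRASE: create an Ed25519 key pair ("" = unprotected).
make_key() {
    ssh-keygen -q -t ed25519 -N "$2" -C demo -f "$1"
}

# can_unlock KEYFILE PASSPHRASE: exit 0 only if the private key can be loaded.
# -y re-derives the public key, which requires decrypting the private key file.
can_unlock() {
    ssh-keygen -y -P "$2" -f "$1" >/dev/null 2>&1
}

# public_half KEYFILE PASSPHRASE: print key type and public key blob.
public_half() {
    ssh-keygen -y -P "$2" -f "$1" 2>/dev/null | awk '{print $1, $2}'
}

# run_demo: returns 0 only if every check behaves as the quoted reply says.
run_demo() {
    dir=$(mktemp -d) || return 2
    new='second constructed passphrase, also demo-only'
    make_key "$dir/open" "" && make_key "$dir/locked" "$DEMO_PASSPHRASE" \
        || { rm -rf "$dir"; return 2; }
    rc=0
    # Unprotected key: possessing the file is enough.
    if can_unlock "$dir/open" ""; then echo "open: file alone unlocks"; else rc=1; fi
    # Protected key: the file without the passphrase, or with a wrong guess, fails.
    if can_unlock "$dir/locked" ""; then rc=1; fi
    if can_unlock "$dir/locked" "I love Linux"; then rc=1; fi
    if can_unlock "$dir/locked" "$DEMO_PASSPHRASE"; then
        echo "locked: needs file and passphrase"
    else rc=1; fi
    # Changing the passphrase (-p) re-encrypts the local file only:
    # the public half, which is what the server stores, stays the same.
    before=$(public_half "$dir/locked" "$DEMO_PASSPHRASE")
    ssh-keygen -q -p -P "$DEMO_PASSPHRASE" -N "$new" -f "$dir/locked" \
        >/dev/null 2>&1 || rc=1
    after=$(public_half "$dir/locked" "$new")
    [ -n "$before" ] && [ "$before" = "$after" ] || rc=1
    # The old passphrase no longer unlocks the file.
    if can_unlock "$dir/locked" "$DEMO_PASSPHRASE"; then rc=1; fi
    rm -rf "$dir"
    return $rc
}

run_demo
```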
