On Sat, 09.07.2005 at 1:15, Michael Yep wrote:

> Ok, just to make sure I understand, basically PublicKey auth still uses
> a password,

Not a password, a passphrase. For example see

http://www.cs.utah.edu/support/faq/faq-ssh.html

"A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, whitespace, or any string of characters you want. Good passphrases are 10-30 characters long, are not simple sentences or otherwise easily guessable (English prose has only 1-2 bits of entropy per character, and provides very bad passphrases), and contain a mix of upper and lowercase letters, numbers, and non-alphanumeric characters."

http://sial.org/howto/openssh/publickey-auth/

"Do not use your account password, nor an empty passphrase. The password should be at least 16 characters long, and not a simple sentence. One choice would be several lines to a song or poem, interspersed with punctuation and other non-letter characters. The ssh-agent setup notes below will reduce the number of times this passphrase will need to be used, so using a long passphrase is encouraged."

> but it is better because you need 2 things, what you have (the
> certificate), and what you know (the password)

Correct. If someone can get your personal key he could simply do pubkey auth to the target system when the key is not protected with a passphrase. A key protected by a passphrase too needs the knowledge of that passphrase. If you choose a good one (i.e. not just the name of your wife or your dog and not something like "I love Linux") then brute forcing the passphrase takes ages even for powerful machines.

> Michael Yep

And to avoid the need to always enter the passphrase each time you log in using pubkey, there is the ssh-agent. "man ssh-agent" is really informative. On top of ssh-agent I recommend the tool keychain, to be able to use your passphrase-protected pubkey by cronjobs.

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 01:53:24 up 13 days, 8:45, load average: 0.15, 0.30, 0.33