I am well acquainted with passwords and passphrases. When I say
password, it more means passphrase.
For all my accounts I use a minimum of 10 digits, use the full 95 char
character set, and generate it with a SHA1PRNG and ill change 1 or 2
characters
I always use different passwords for every account and change them every
30 - 44 days. Now my dilemma is this:
I have high confidence in the standard linux logon, it is tested, and
strong, but with PublicKey auth there is more code (easier for there to
be a bug).
In addition if I *were* to lose my keys, private or both, perhaps
someone could derive my password from a reverse cryptanalysis attack.
Brute force attacks are tough, and thats as much as Id like to give an
attacker, I don't want to give them more tools than they already have.
We once thought MD5 was secure, and SHA1, but weaknesses are found, and
computing power goes up.
Alexander Dalloz wrote:
Am Sa, den 09.07.2005 schrieb Michael Yep um 1:15:
Ok, just to make sure I understand, basically PublicKey auth still uses
a password,
Not a password, a passphrase. For example see
http://www.cs.utah.edu/support/faq/faq-ssh.html
"A passphrase is similar to a password, except it can be a phrase with a
series of words, punctuation, numbers, whitespace, or any string of
characters you want. Good passphrases are 10-30 characters long, are not
simple sentences or otherwise easily guessable (English prose has only
1-2 bits of entropy per character, and provides very bad passphrases),
and contain a mix of upper and lowercase letters, numbers, and
non-alphanumeric characters."
http://sial.org/howto/openssh/publickey-auth/
"Do not use your account password, nor an empty passphrase. The password
should be at least 16 characters long, and not a simple sentence. One
choice would be several lines to a song or poem, interspersed with
punctuation and other non-letter characters. The ssh-agent setup notes
below will reduce the number of times this passphrase will need to be
used, so using a long passphrase is encouraged."
but it is better because you need 2 things, what you have (the
certificate), and what you know (the password)
Correct. If someone can get your personal key he could simply do pubkey
auth to the target system when the key is not protected with a
passphrase. A key protected by a passphrase too needs the knowledge of
that passphrase. If you choose a well one (i.e. not just the name of
your wife or your dog and not something like "I love Linux") then brute
forcing the passphrase takes ages even for powerful machines.
Michael Yep
And to avoid the need to always enter the passphrase each time you login
using pubkey, there is the ssh-agent. "man ssh-agent" is really
informative. On top of ssh-agent I recommend the tool keychain, to be
able to use your passphrase protected pubkey by cronjobs.
Alexander
--
Michael Yep
Development / Technical Operations
RemoteLink, Inc.
(630) 983-0072 x164
