Chris Green
2024-Oct-21 21:04 UTC
Security of ssh across a LAN, public key versus password
On Mon, Oct 21, 2024 at 08:50:44PM +0000, Tim Rice via openssh-unix-dev wrote:
> Hi Chris,
>
> > What do you mean by "keypair authentication"?
>
> That's the authentication you use when you have ssh-keygen provide you
> with a private key and a public key, and distribute the public key to all
> the different authorized_keys files.
>
But he says not to use passphrases, I'm confused.

--
Chris Green
openssh at tr.id.au
2024-Oct-21 21:19 UTC
Security of ssh across a LAN, public key versus password
Hi Chris,

> > > What do you mean by "keypair authentication"?
> >
> > That's the authentication you use when you have ssh-keygen provide you
> > with a private key and a public key, and distribute the public key to all
> > the different authorized_keys files.
>
> But he says not to use passphrases, I'm confused.

I'm not sure which "he" you mean here. A possible confusion is that there are two ways the term passphrase can be used when it comes to OpenSSH:

* Passphrase authentication, where you log into a machine and the sshd on the other end challenges you to enter a passphrase, usually matching your remote account's password.
* Encrypting your private key with a passphrase, which is what happens when you enter a passphrase while using ssh-keygen or ssh-add.

When you enter a passphrase at the ssh-keygen or ssh-add prompt, this isn't authentication. It's encryption: the private key has been encrypted with a passphrase, and you enter the passphrase to unlock it, which needs to be done before the key can be used as part of keypair authentication.

This is different to *passphrase authentication*, in which you have not distributed your public key to authorized_keys files on the remote nodes, and instead expect the remote to challenge you.

To revisit some of what I touched on earlier, to make these distinctions clearer:

* Never use passphrase *authentication*, instead use keypairs, always.
* Do consider passphrase *encryption* of your private key, as one possible way of keeping it secure, in case of unauthorized physical access to the local storage.

Does that help?

~ Tim
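An added example, not part of the thread: a small Python check of Tim's second sense of "passphrase", whether a private key file on disk is actually encrypted. It parses the openssh-key-v1 header that ssh-keygen writes (cipher name and KDF name are both "none" for an unprotected key); the two sample key files are constructed, header-only blobs rather than real keys.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_END = "-----END OPENSSH PRIVATE KEY-----"

def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_protection(pem_text):
    """Return (ciphername, kdfname) from an openssh-key-v1 private-key file.
    ssh-keygen writes 'none'/'none' when no passphrase was given (key
    material sits in clear on disk); with a passphrase it records the
    cipher (e.g. aes256-ctr) and the bcrypt KDF used to wrap the key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, _ = _read_string(blob, off)
    return cipher.decode(), kdf.decode()

def is_passphrase_protected(pem_text):
    """True only when both a cipher and a KDF are set in the header."""
    cipher, kdf = key_protection(pem_text)
    return cipher != "none" and kdf != "none"

def _constructed_key(cipher, kdf):
    """Constructed, header-only blob for the demo: not a real key; the
    public/private key sections that follow the header are omitted."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"

# Sample inputs (constructed): what `ssh-keygen -N ""` versus a
# passphrase-protected key would carry in the header.
CLEAR_KEY = _constructed_key(b"none", b"none")
ENCRYPTED_KEY = _constructed_key(b"aes256-ctr", b"bcrypt")
```

Run it against a real file with `key_protection(open("~/.ssh/id_ed25519").read())` to confirm the key you distributed to authorized_keys files is not sitting unencrypted.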