similar to: Security of ssh across a LAN, public key versus password

There is room for differences of opinion here. other factors do you reuse the password elsewhere (or use a passwork close enough, most people tend to use a static prefix and have a cycling value at the end) do people use a password manager do you always start from the same system? or do you use different systems at different times. If you use different systems, how do you manage your certs

On Mon, Oct 21, 2024 at 12:02:00PM -0700, David Lang via openssh-unix-dev wrote: > There is room for differences of opinion here. > :-) > other factors > do you reuse the password elsewhere (or use a passwork close enough, most people > tend to use a static prefix and have a cycling value at the end) > I use several password 'bases' (and try and invent new ones every

On Mon, Oct 21, 2024 at 08:50:44PM +0000, Tim Rice via openssh-unix-dev wrote: > Hi Chris, > > > What do you mean by "keypair authentication"? > > That's the authentication you use when you have ssh-keygen provide you > with a private key and a public key, and distribute the public key to all > the different authorized_keys files. > But he says not to

Hi Chris, > There's a couple of headless systems on the LAN where login security > is important to me and I've been thinking about the relative merits of > password and public-key authentication. > <snip> At home, I have a smaller LAN than you, but at $DAYJOB I work with much bigger fleets. Whether at home or work, everything is Linux-based, and OpenSSH is the primary

Hi David, > hmm, what I'm finding doesn't seem to use the FIDO challenge/response to the > server, instead it looks like a public/private key that's unlocked with a touch, > possibly storing the private key on the hardware dongle (but it seems like > there's still a key you need to put on the client system) > > Quoting from the yubikey website: > OpenSSH

On 21.10.24 20:26, Chris Green wrote: > I have a small LAN at home with nine or ten systems on it running > various varieties of Linux. I 'do things' on the LAN either from my > dekstop machine or from my laptop, both run Xubuntu 24.04 at the > moment. > > There's a couple of headless systems on the LAN where login security > is important to me and I've been

Hi Chris, > > > What do you mean by "keypair authentication"? > > > > That's the authentication you use when you have ssh-keygen provide you > > with a private key and a public key, and distribute the public key to all > > the different authorized_keys files. > > But he says not to use passphrases, I'm confused. I'm not sure which

Hi, Markus has just committed a few changes that add support for the Ed25519 signature algorithm[1] as a new private key type. This algorithm has a few benefits: it is fast (comparable to ECDSA and RSA), offers 256-bit security and doesn't require random numbers to generate a signature. This last property means it completely avoids (EC-)DSA's horrible, private-key leaking problem when fed

Hi Chris, > What do you mean by "keypair authentication"? That's the authentication you use when you have ssh-keygen provide you with a private key and a public key, and distribute the public key to all the different authorized_keys files. ~ Tim

OK, I think I have realised what has been confusing me (and, maybe you, in the plural). I have been looking at this security question with a sort of 'tunnel vision', I'm concerned with login security of remote systems **when viewed from my desktop**. For this specific case, i.e. when someone is sitting at my desk, or has my laptop in front of them, there is little to choose between

On 2024-10-22 09:14, Chris Green wrote: > OK, I think I have realised what has been confusing me (and, maybe > you, in the plural). > > I have been looking at this security question with a sort of 'tunnel > vision', I'm concerned with login security of remote systems **when > viewed from my desktop**. For this specific case, i.e. when someone > is sitting at my

Hi, all. So, in reviewing my OpenSSH keypairs and evaluating the size my RSA keys should be, i realized that, if i update my 2048-bit keypairs to 4096 bits, it really doesn't matter that much, because they're still only encrypted with 3DES, which provides an effective 112 bits of symmetric encryption strength: $ head -4 ~/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- Proc-Type:

Stuart Henderson wrote: >> This is why I push for challenge/response tokens, not simply >> cert authentication, and really wish that FIDO (such as yubikey) >> was an option, but the discussions I've seen about suporting >> that have not been encouraging. > > hmm? That works pretty well in OpenSSH. hmm, what I'm finding doesn't seem to use the FIDO

On Tue, Jan 02, 2024 at 03:52:29PM +1100, Damien Miller wrote: > On Mon, 1 Jan 2024, Christian Weisgerber wrote: > > > Chris Green: > > > > > Setting SSH_ASKPASS_REQUIRE=never in the environment on my xubuntu > > > 23.10 system doesn't seem to work. I have set it:- > > > > > > chris$ env | grep SSH > > >

G'day, In our infrastructure we're trying to be more diligent about switching to sk keys (and/or certs backed by sk keys.) However, there are some services like Gerrit and Jenkins which are written in java and I guess they will never support sk keys, or at least, it seems like it won't happen any time soon. For such services, typical practices at the moment include putting

I'm confused by the following:- rcfg at q957$ ssh-add -l 256 SHA256:gl9l9m/xnYpL9P7WkL60L+FcJ0+r2c5Ci770p9VEC08 chris at q957 (ED25519) 256 SHA256:4XDYbepg8zK43pofpQ8IGxMAXkej298a0XZHWjJTIQQ chris at q957 (ED25519) 3072 SHA256:yeQw8xe9rrxHKLqICoXNwReZKKV9HI1UeTCf95QywXM chris at t470 (RSA) 256 SHA256:dluRgJeTqJ32jKxRrSdjr/cibbIOZQeq8Inlna3+Sdw chris at q957 (ED25519)

according to the openssh mailing list page, this is the spot to report/discuss bugs and i have a potential one. on the other hand, it is probably something i am not doing correctly. the system is red hat linux 6.2 (yuk) running the openssh rpm i grabbed off of the portable openssh site listing, with sshd version OpenSSH_2.9p2 i have it installed via rpm and when i go to launch sshd it gives me

https://bugzilla.mindrot.org/show_bug.cgi?id=3572 Bug ID: 3572 Summary: ssh-agent refused operation when using FIDO2 with -O verify-required Product: Portable OpenSSH Version: 9.3p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component:

On 2024/10/21 12:02, David Lang via openssh-unix-dev wrote: > A cert is a single factor, so is a password. Cert authentication > is only two factor if you trust that the password is not stored > along with the cert (which is on the untrusted client) You can tell sshd to require *both* password and public key. > This is why I push for challenge/response tokens, not simply > cert

Hi, OpenSSH 8.2p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a feature release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at