Displaying 20 results from an estimated 20000 matches similar to: "Security of ssh across a LAN, public key versus password"
2024 Oct 21
2
Security of ssh across a LAN, public key versus password
There is room for differences of opinion here.
other factors
do you reuse the password elsewhere (or use a password close enough, most people
tend to use a static prefix and have a cycling value at the end)
do people use a password manager
do you always start from the same system? or do you use different systems at
different times. If you use different systems, how do you manage your certs
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
On Mon, Oct 21, 2024 at 12:02:00PM -0700, David Lang via openssh-unix-dev wrote:
> There is room for differences of opinion here.
>
:-)
> other factors
> do you reuse the password elsewhere (or use a password close enough, most people
> tend to use a static prefix and have a cycling value at the end)
>
I use several password 'bases' (and try and invent new ones every
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
On Mon, Oct 21, 2024 at 08:50:44PM +0000, Tim Rice via openssh-unix-dev wrote:
> Hi Chris,
>
> > What do you mean by "keypair authentication"?
>
> That's the authentication you use when you have ssh-keygen provide you
> with a private key and a public key, and distribute the public key to all
> the different authorized_keys files.
>
But he says not to
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
Hi Chris,
> There's a couple of headless systems on the LAN where login security
> is important to me and I've been thinking about the relative merits of
> password and public-key authentication.
> <snip>
At home, I have a smaller LAN than you, but at $DAYJOB I work with much bigger fleets. Whether at home or work, everything is Linux-based, and OpenSSH is the primary
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
Hi David,
> hmm, what I'm finding doesn't seem to use the FIDO challenge/response to the
> server, instead it looks like a public/private key that's unlocked with a touch,
> possibly storing the private key on the hardware dongle (but it seems like
> there's still a key you need to put on the client system)
>
> Quoting from the yubikey website:
> OpenSSH
2024 Oct 23
1
Security of ssh across a LAN, public key versus password
On 21.10.24 20:26, Chris Green wrote:
> I have a small LAN at home with nine or ten systems on it running
> various varieties of Linux. I 'do things' on the LAN either from my
> desktop machine or from my laptop, both run Xubuntu 24.04 at the
> moment.
>
> There's a couple of headless systems on the LAN where login security
> is important to me and I've been
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
Hi Chris,
> > > What do you mean by "keypair authentication"?
> >
> > That's the authentication you use when you have ssh-keygen provide you
> > with a private key and a public key, and distribute the public key to all
> > the different authorized_keys files.
>
> But he says not to use passphrases, I'm confused.
I'm not sure which
2013 Dec 07
4
New key type (ed25519) and private key format
Hi,
Markus has just committed a few changes that add support for the Ed25519
signature algorithm[1] as a new private key type. This algorithm has a
few benefits: it is fast (comparable to ECDSA and RSA), offers 256-bit
security and doesn't require random numbers to generate a signature.
This last property means it completely avoids (EC-)DSA's horrible,
private-key leaking problem when fed
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
Hi Chris,
> What do you mean by "keypair authentication"?
That's the authentication you use when you have ssh-keygen provide you with a private key and a public key, and distribute the public key to all the different authorized_keys files.
~ Tim
2024 Oct 22
2
Security of ssh across a LAN, public key versus password
OK, I think I have realised what has been confusing me (and, maybe
you, in the plural).
I have been looking at this security question with a sort of 'tunnel
vision', I'm concerned with login security of remote systems **when
viewed from my desktop**. For this specific case, i.e. when someone
is sitting at my desk, or has my laptop in front of them, there is
little to choose between
2024 Oct 22
1
Security of ssh across a LAN, public key versus password
On 2024-10-22 09:14, Chris Green wrote:
> OK, I think I have realised what has been confusing me (and, maybe
> you, in the plural).
>
> I have been looking at this security question with a sort of 'tunnel
> vision', I'm concerned with login security of remote systems **when
> viewed from my desktop**. For this specific case, i.e. when someone
> is sitting at my
2009 Jan 20
1
OpenSSH private key encryption: time for AES?
Hi, all.
So, in reviewing my OpenSSH keypairs and evaluating the size my RSA keys
should be, i realized that, if i update my 2048-bit keypairs to 4096
bits, it really doesn't matter that much, because they're still
only encrypted with 3DES, which provides an effective 112 bits of
symmetric encryption strength:
$ head -4 ~/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type:
2024 Oct 21
2
Security of ssh across a LAN, public key versus password
Stuart Henderson wrote:
>> This is why I push for challenge/response tokens, not simply
>> cert authentication, and really wish that FIDO (such as yubikey)
>> was an option, but the discussions I've seen about supporting
>> that have not been encouraging.
>
> hmm? That works pretty well in OpenSSH.
hmm, what I'm finding doesn't seem to use the FIDO
2024 Jan 02
2
How to get "Enter passphrase" on command line rather than GUI pop-up?
On Tue, Jan 02, 2024 at 03:52:29PM +1100, Damien Miller wrote:
> On Mon, 1 Jan 2024, Christian Weisgerber wrote:
>
> > Chris Green:
> >
> > > Setting SSH_ASKPASS_REQUIRE=never in the environment on my xubuntu
> > > 23.10 system doesn't seem to work. I have set it:-
> > >
> > > chris$ env | grep SSH
> > >
2024 Mar 08
3
PrivateKeyCommand config idea
G'day,
In our infrastructure we're trying to be more diligent about switching to sk keys (and/or certs backed by sk keys.) However, there are some services like Gerrit and Jenkins which are written in java and I guess they will never support sk keys, or at least, it seems like it won't happen any time soon.
For such services, typical practices at the moment include putting
2024 Dec 05
1
Better reporting for signature algorithm mismatch?
On 04.12.24 19:47, Brian Candler wrote:
> debug1: Offering public key: /Users/brian/.ssh/id_rsa RSA [...]
> debug1: send_pubkey_test: no mutual signature algorithm <<<< *THIS*
>
> I wonder if there could be some way to highlight the "no mutual
> signature algorithm" message more prominently in normal operation?
Wouldn't the extra output, even in
2024 Oct 18
2
Confusion using "ssh-add -D" and then "ssh-add -l"
I'm confused by the following:-
rcfg at q957$ ssh-add -l
256 SHA256:gl9l9m/xnYpL9P7WkL60L+FcJ0+r2c5Ci770p9VEC08 chris at q957 (ED25519)
256 SHA256:4XDYbepg8zK43pofpQ8IGxMAXkej298a0XZHWjJTIQQ chris at q957 (ED25519)
3072 SHA256:yeQw8xe9rrxHKLqICoXNwReZKKV9HI1UeTCf95QywXM chris at t470 (RSA)
256 SHA256:dluRgJeTqJ32jKxRrSdjr/cibbIOZQeq8Inlna3+Sdw chris at q957 (ED25519)
2001 Sep 25
2
question
according to the openssh mailing list page, this is the spot to
report/discuss bugs and i have a potential one. on the other hand, it is
probably something i am not doing correctly.
the system is red hat linux 6.2 (yuk) running the openssh rpm i grabbed off
of the portable openssh site listing, with sshd version OpenSSH_2.9p2
i have it installed via rpm and when i go to launch sshd it gives me
2023 May 14
18
[Bug 3572] New: ssh-agent refused operation when using FIDO2 with -O verify-required
https://bugzilla.mindrot.org/show_bug.cgi?id=3572
Bug ID: 3572
Summary: ssh-agent refused operation when using FIDO2 with -O
verify-required
Product: Portable OpenSSH
Version: 9.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component:
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
On 2024/10/21 12:02, David Lang via openssh-unix-dev wrote:
> A cert is a single factor, so is a password. Cert authentication
> is only two factor if you trust that the password is not stored
> along with the cert (which is on the untrusted client)
You can tell sshd to require *both* password and public key.
> This is why I push for challenge/response tokens, not simply
> cert