Security of ssh across a LAN, public key versus password
Chris Green
cl at isbd.net
Tue Oct 22 05:26:21 AEDT 2024
I have a small LAN at home with nine or ten systems on it running
various varieties of Linux. I 'do things' on the LAN either from my
dekstop machine or from my laptop, both run Xubuntu 24.04 at the
moment.
There's a couple of headless systems on the LAN where login security
is important to me and I've been thinking about the relative merits of
password and public-key authentication.
Obviously public-key is more secure as regards the actual login
process but it seems to me that's not really where the vulnerabilities
are. If someone 'breaks in' (in the physical or computer sense) to my
desktop then how might they attack another system on the LAN? It's
not physically accessible to them (it's quite a big LAN, one system in
particular is in another building). So they can try and guess my
key's passphrase if I'm using public-key, or they can try and guess my
password if I'm using password.
It **is** possible to brute force a key passphrase, all the bits you
need are almost certainly to hand in ~/.ssh. However I don't think it's
possible to brute force a password on a remote system, each login will
take several seconds and you'll get thrown off after very few retries.
My public-key passphrases are going to be similar length and
complexity to my passwords, they have to be if I'm going to be able to
remember them. They are mostly 11 or more characters long with all
the 'good things' like special characters, mixed case, etc. Thus I
suppose they'll be difficult to guess (or brute force). However
password login can have the same, complex, password strings so I don't
see how using public-key helps and (as I said above) it seems slightly
more breakable.
It's also **much** more dificult to keep all those keys etc. well
organised. What has brought me to this question is the mixed
collection of RSA and ed25519 keys all over lots of systems getting
very difficult to keep under control, and thus error prone (=insecure).
If I went back to all passwords life would be so much easier!
So, is this right? It goes against a lot of advice one sees. Please,
if I'm talking rubbish please tell me! :-)
--
Chris Green
More information about the openssh-unix-dev
mailing list