Security of ssh across a LAN, public key versus password
openssh at tr.id.au
Tue Oct 22 08:19:08 AEDT 2024
Hi Chris,
> > > What do you mean by "keypair authentication"?
> >
> > That's the authentication you use when you have ssh-keygen provide you
> > with a private key and a public key, and distribute the public key to all
> > the different authorized_keys files.
>
> But he says not to use passphrases, I'm confused.
I'm not sure which "he" you mean here.
A possible confusion is that there are two ways the term passphrase can be used when it comes to OpenSSH:
* Passphrase authentication, where you log into a machine and the sshd on the other end challenges you to enter a passphrase, usually matching your remote account's password.
* Encrypting your private key with a passphrase, which is what happens when you enter a passphrase while using ssh-keygen or ssh-add.
When you enter a passphrase at the ssh-keygen or ssh-add prompt, this isn't authentication. It's encryption: the private key has been encrypted with a passphrase, and you enter the passphrase to unlock it, which needs to be done before the key can be used as part of keypair authentication.
This is different to *passphrase authentication*, in which you have not distributed your public key to authorized_keys files on the remote nodes, and instead expect the remote to challenge you.
To revisit some of what I touched on earlier, to make these distinctions clearer:
* Never use passphrase *authentication*, instead use keypairs, always.
* Do consider passphrase *encryption* of your private key, as one possible way of keeping it secure, in case of unauthorized physical access to the local storage.
Does that help?
~ Tim
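The server-side counterpart of the advice above ("never passphrase authentication, always keypairs") is an sshd_config in which password logins are off and public-key logins are on. The following is an added example, not part of Tim's message or of OpenSSH's own tooling: a small POSIX shell check that reads an sshd_config and reports whether it is keypair-only. It assumes OpenSSH's rule that the first value obtained for a keyword wins, ignores everything after the first Match block (those settings are conditional), and does not parse the `Keyword=value` spelling; the two config fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread: decide from an sshd_config
# whether a host still accepts password logins or is keypair-only.
# Assumptions: first obtained value wins; lines after "Match" are skipped;
# only the "Keyword value" spelling is parsed.

# effective_setting FILE KEYWORD DEFAULT
# Print the lower-cased value of the first active KEYWORD line in FILE
# (keywords are case-insensitive; comments and blank lines are skipped).
# If nothing sets KEYWORD before a Match block, print DEFAULT (sshd's
# compiled-in default for that keyword).
effective_setting() {
    _kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _val=$(awk -v kw="$_kw" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }          # conditional section begins
        tolower($1) == kw      { print $2; exit }
    ' "$1")
    printf '%s\n' "${_val:-$3}" | tr 'A-Z' 'a-z'
}

# password_logins_disabled FILE
# Exit 0 only if both password prompts are off: plain password authentication
# and keyboard-interactive (the PAM-style password challenge).
password_logins_disabled() {
    [ "$(effective_setting "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(effective_setting "$1" KbdInteractiveAuthentication yes)" = no ]
}

# keypair_only FILE
# Exit 0 only if password logins are off and public-key logins are on.
keypair_only() {
    password_logins_disabled "$1" &&
    [ "$(effective_setting "$1" PubkeyAuthentication yes)" = yes ]
}

# Two constructed sshd_config fragments (not from any real host).
WORK=$(mktemp -d)
WEAK_CFG="$WORK/sshd_config.weak"
HARD_CFG="$WORK/sshd_config.hardened"

cat > "$WEAK_CFG" <<'EOF'
# Typical shipped default: the setting is commented out, so sshd's default
# (PasswordAuthentication yes) applies and passwords are still accepted.
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

cat > "$HARD_CFG" <<'EOF'
# Keypair-only: both password paths off, public keys on.
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    if keypair_only "$cfg"; then
        echo "$cfg: keypair-only"
    else
        echo "$cfg: still accepts password logins"
    fi
done
```

The check is deliberately conservative: a `Match` block can re-enable passwords for particular users or addresses (as the hardened fragment does for `backup`), so a "keypair-only" verdict here describes the global default, and any Match blocks still need to be read by hand.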