Security of ssh across a LAN, public key versus password

openssh at tr.id.au
Tue Oct 22 08:19:08 AEDT 2024


Hi Chris,

> > > What do you mean by "keypair authentication"?
> > 
> > That's the authentication you use when you have ssh-keygen provide you
> > with a private key and a public key, and distribute the public key to all
> > the different authorized_keys files.
> 
> But he says not to use passphrases, I'm confused.

I'm not sure which "he" you mean here.

A possible confusion is that there are two ways the term passphrase can be used when it comes to OpenSSH:

* Passphrase authentication, where you log into a machine and the sshd on the other end challenges you to enter a passphrase, usually matching your remote account's password.
* Encrypting your private key with a passphrase, which is what happens when you enter a passphrase while using ssh-keygen or ssh-add.

When you enter a passphrase at the ssh-keygen or ssh-add prompt, this isn't authentication. It's encryption: the private key has been encrypted with a passphrase, and you enter the passphrase to unlock it, which needs to be done before the key can be used as part of keypair authentication.

This is different to *passphrase authentication*, in which you have not distributed your public key to authorized_keys files on the remote nodes, and instead expect the remote to challenge you.

To revisit some of what I touched on earlier, to make these distinctions clearer:

* Never use passphrase *authentication*; instead use keypairs, always.
* Do consider passphrase *encryption* of your private key, as one possible way of keeping it secure, in case of unauthorized physical access to the local storage.

Does that help?

~ Tim
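As an added example that is not part of the post above and not OpenSSH's own code, here is a small Python inspector for the distinction Tim draws. Whether a private key is passphrase-encrypted is recorded in the unencrypted header of the `openssh-key-v1` container (the `ciphername` and `kdfname` fields, `none` for an unprotected key, typically `aes256-ctr` and `bcrypt` for a protected one); the code parses only that header, never the key material. It goes slightly beyond the post by also recognising the older PEM containers (`Proc-Type: 4,ENCRYPTED` headers and `BEGIN ENCRYPTED PRIVATE KEY`). The sample key files are constructed inline with placeholder bytes and are not usable keys; `build_sample`, `inspect_key` and the round count of 16 are this example's own choices.

```python
"""Report whether an OpenSSH private key file is passphrase-encrypted.

Added example (not from the mailing-list post). Parses only the cleartext
header of the openssh-key-v1 container (RFC 4251 "string" = uint32 length +
bytes) and the headers of legacy PEM files.
"""
import base64
import struct
import sys

OPENSSH_MAGIC = b"openssh-key-v1\x00"
NEW_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
NEW_END = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf: bytes, off: int):
    """Read one RFC 4251 string at buf[off:]; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def inspect_key(text: str) -> dict:
    """Return header facts for a private key given as the file's text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty input")
    if lines[0] == NEW_BEGIN:
        # New-style container: magic, ciphername, kdfname, kdfoptions, nkeys, ...
        if lines[-1] != NEW_END:
            raise ValueError("missing END line")
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        (nkeys,) = struct.unpack(">I", blob[off:off + 4])
        info = {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "keys": nkeys,
                "encrypted": cipher != b"none"}
        if kdf == b"bcrypt":
            # kdfoptions for bcrypt = string salt + uint32 rounds
            salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
            info["salt_len"] = len(salt)
            info["bcrypt_rounds"] = rounds
        return info
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----"):
        # Legacy PEM: encryption is signalled by a Proc-Type header or by the
        # PKCS#8 "ENCRYPTED PRIVATE KEY" type name.
        kind = lines[0][len("-----BEGIN "):-len("-----")]
        headers = []
        for ln in lines[1:]:
            if ln == "" or ":" not in ln:
                break
            headers.append(ln)
        enc = kind.startswith("ENCRYPTED ") or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        return {"format": "pem", "type": kind, "encrypted": enc}
    raise ValueError("not a recognised private key file")


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_sample(encrypted: bool) -> str:
    """Constructed sample in openssh-key-v1 layout; placeholder bytes, not a real key."""
    pub = _string(b"ssh-ed25519") + _string(b"\x11" * 32)
    private = b"\x22" * 64  # stands in for the (possibly encrypted) private section
    if encrypted:
        kdfopts = _string(b"\x33" * 16) + struct.pack(">I", 16)  # salt + rounds
        hdr = _string(b"aes256-ctr") + _string(b"bcrypt") + _string(kdfopts)
    else:
        hdr = _string(b"none") + _string(b"none") + _string(b"")
    blob = OPENSSH_MAGIC + hdr + struct.pack(">I", 1) + _string(pub) + _string(private)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{NEW_BEGIN}\n{body}\n{NEW_END}\n"


if __name__ == "__main__":
    # With no arguments, inspect the two constructed samples; otherwise each path given.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path) as fh:
                print(path, inspect_key(fh.read()))
    else:
        for flag in (True, False):
            print("sample encrypted=%s ->" % flag, inspect_key(build_sample(flag)))
```

Run it as `python3 inspect_key.py ~/.ssh/id_ed25519` to see whether a real key on disk is passphrase-protected in the sense of Tim's second bullet; a result of `cipher: none` means anyone with read access to the file holds the key outright. This says nothing about the server side: refusing passphrase *authentication* there is a separate matter of `PasswordAuthentication no` in `sshd_config`.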


