Security of ssh across a LAN, public key versus password
Stuart Longland VK4MSL
me at vk4msl.com
Tue Oct 22 21:25:08 AEDT 2024
On 22/10/24 04:26, Chris Green wrote:
> It's also **much** more difficult to keep all those keys etc. well
> organised. What has brought me to this question is the mixed
> collection of RSA and ed25519 keys all over lots of systems getting
> very difficult to keep under control, and thus error prone (=insecure).
> If I went back to all passwords life would be so much easier!

Life for me actually became a lot easier when I bought myself an
OpenPGP-enabled security token and learned to use the SSH agent support
built into GnuPG.

If I take the token with me when I go out, someone who breaks in does
not have access to my private key, because it's not stored on the computer.

If I forget to take the token with me, they get 3 guesses at correctly
entering the passphrase to unlock it before the device locks itself.

The only real vulnerability is if I leave it plugged-in and unlocked,
but then the moment they unplug the device or power off the host it's
plugged into: game over.

--
Stuart Longland (aka Redhatter, VK4MSL)
I haven't lost my mind...
...it's backed up on a tape somewhere.
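
An added example, not part of the message above and not GnuPG's own code: a small audit for the setup the message describes, checking that gpg-agent's SSH support is switched on and that the keys the agent offers live on the token. It assumes gpg-agent labels card-resident keys with a `cardno:` comment in `ssh-add -L` output; the function names and the sample key lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GnuPG-as-SSH-agent setup backed by an OpenPGP token.
# Live use (not run here):
#   ssh_support_enabled "$(gpgconf --list-dirs homedir)/gpg-agent.conf"
#   SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) ssh-add -L | classify_agent_keys

# Return 0 if the gpg-agent.conf given as $1 has an uncommented
# "enable-ssh-support" line.
ssh_support_enabled() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$1"
}

# Read `ssh-add -L` output on stdin and print one line per key:
#   "token <keytype> <comment>"  key held on the card (assumed "cardno:" comment)
#   "other <keytype> <comment>"  anything else the agent is offering
classify_agent_keys() {
    while read -r keytype _blob comment; do
        case "$keytype" in
            ssh-*|ecdsa-*|sk-*) ;;   # looks like a public key line
            *) continue ;;           # e.g. "The agent has no identities."
        esac
        case "$comment" in
            cardno:*) echo "token $keytype $comment" ;;
            *)        echo "other $keytype ${comment:-(no comment)}" ;;
        esac
    done
}

# Count offered keys that are NOT token-backed; anything above 0 means a
# private key may still be sitting on this machine's disk.
count_other_keys() {
    classify_agent_keys | grep -c '^other ' || true
}

# Constructed sample of `ssh-add -L` output (key blobs are placeholders).
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY cardno:000600000001
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEONLY user@laptop'

# Classify the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_KEYS" | classify_agent_keys
}
```
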
More information about the openssh-unix-dev
mailing list