<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000'>Presumably you're using ssh-agent & ssh-add, not just creating keys without passphrases. Other than for some very limited accounts designed for cron tasks, I can't see a good reason for having ssh keys without a good passphrase. Then, even if your box gets compromised the keys can't be used without the passphrase (but you don't have to type it for each individual ssh command either!) I used ssh for years before bothering to learn how to set up ssh-agent/ssh-add. It's definitely made life easier. Since you don't have to type it as often, you can make a longer, more complex passphrase. I'd hate to type 16 characters for every ssh/scp I have to do!<div><br></div><div>Of course, once you have access to the public and private keys, the passphrase could be brute forced without connecting to the remote system, correct? In that sense, a passphrase is less secure than a password you use to connect to a remote system, as the remote system can detect incorrect guesses and lock the account. Does it make sense to keep your public keys separate from and not easily associated with your private keys, just in case your box does need get hacked? Do you need the public key to brute force the passphrase on a private key?<div><br></div><div>Congrats, Charles!</div><div><br></div><div>Scott<br><br><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"James Sumners" <james.sumners@gmail.com><br><b>To: </b>"Atlanta Linux Enthusiasts" <ale@ale.org><br><b>Sent: </b>Thursday, December 27, 2012 2:27:27 PM<br><b>Subject: </b>Re: [ale] Holy cow! Published in Slashdot!!<br><br>Hell with that. I create a new key for each system and add an entry to my ~/.ssh/config to use it. Thus, I use a unique key for each system and forget all about using a password to connect. <span></span><br><br>On Thursday, December 27, 2012, Michael B. Trausch wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 12/27/2012 09:18 AM, Charles Shapiro wrote:<br>
> A lifelong ambition is fulfilled... I make Slashdot's front page (<br>
> <a href="http://yro.slashdot.org/story/12/12/26/1459248/lax-ssh-key-management-a-big-problem" target="_blank">http://yro.slashdot.org/story/12/12/26/1459248/lax-ssh-key-management-a-big-problem</a><br>
> ) !!<br>
><br>
> charlesTheLurker is me... I reckon it's time to update the ol' resume.<br>
<br>
Awesome! :-)<br>
<br>
Some of the comments on that article from people that claim to be in the<br>
field are a bit disturbing, though...<br>
<br>
Brings up an interesting point. Moving away from passwords to cached<br>
private keys is something that most people _do_ see as lesser security,<br>
despite the fact that when properly managed it provides far better<br>
security. I wonder how it is we're supposed to combat that problem.<br>
Education doesn't work; a lot of people's eyes glaze over if you try to<br>
explain to them how it provides superior security.<br>
<br>
--- Mike<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a>Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote><br><br>-- <br>James Sumners<br><a href="http://james.roomfullofmirrors.com/" target="_blank">http://james.roomfullofmirrors.com/</a><br><br>"All governments suffer a recurring problem: Power attracts pathological personalities. It is not that power corrupts but that it is magnetic to the corruptible. Such people have a tendency to become drunk on violence, a condition to which they are quickly addicted."<br>
<br>Missionaria Protectiva, Text QIV (decto)<br>CH:D 59<br>
<br>_______________________________________________<br>Ale mailing list<br>Ale@ale.org<br>http://mail.ale.org/mailman/listinfo/ale<br>See JOBS, ANNOUNCE and SCHOOLS lists at<br>http://mail.ale.org/mailman/listinfo<br></div><br></div></div></div></body></html>