Linux Users' Group of Davis (LUGOD)
Page last updated:
2005 Jul 22 15:31

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] sshd_config and PasswordAuthentication

On Fri, Jul 22, 2005 at 12:02:41PM -0700, Karsten M. Self wrote:
> on Fri, Jul 22, 2005 at 10:01:32AM -0500, Jay Strauss (me@heyjay.com) wrote:
> > 
> > >No.
> > >
> > >The authentication is handled by SSH using the public/private keypair.
> > >The system password itself isn't involved in the authentication at all.
> > >
> > >It's possible to have users whose remote passwords are unknown or
> > >disabled by this method.  This is the case for a number of remote hosts
> > >I access regularly.
> > >
> > >
> > >Peace.
> > >
> > 
> > Karsten, I apologize, I didn't realize I hadn't responded.  Thanks for 
> > all the info.
> > 
> > I think you are talking about passwordless authentication, 
> 
> It's not "passwordless", which is a description of negation.  It is
> possible to set up accounts and SSH-keys without passwords or
> passphrases.  Naturally, this is highly insecure.

A small quibble: Using asymmetric key cryptography without passphrases
is not necessarily insecure. If the private key is secure, then a
passphrase is not useful. A private key is not really harder to secure
than a passphrase is, and if the private key is accessible to someone,
chances are pretty good that the passphrase can be as well.

Also, use of passphrase encryption on a more-or-less publicly
available private key means that the "weakest link" in the security
chain will be the weaker of (1) the asymmetric encryption algorithm and
(2) the symmetric encryption algorithm used to encrypt the private key
with the passphrase.

Of course, if the private key is truly private, then the passphrase does
no harm (other than the minor nuisance it presents to the owner), and
provides an extra level of protection in the case of *accidental*
compromise of the private key, for the paranoid (a generally good trait
to possess).

Nonetheless, it seems to me that calling the use of public-key
cryptography without passphrases "highly insecure" is a rather harsh
exaggeration.
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
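As an added illustration (not code from the thread or from LUGOD), here is a Python check that reads an SSH private key's PEM armour to report whether the key is passphrase-encrypted and with which cipher and KDF, then combines that with the key file's mode bits to give the verdict the post argues for: an unencrypted key is exactly as safe as the file is private, and an encrypted one is bounded by the symmetric cipher protecting it. The OpenSSH-format sample is constructed from the format's leading fields only and is not a real key; the legacy PEM sample has real header lines and a filler body.

```python
import base64
import stat
import struct
MAGIC = b"openssh-key-v1\x00"

def _ssh_string(buf, off):
    """Read one length-prefixed string from an openssh-key-v1 blob."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(text):
    """Report whether a PEM-armoured SSH private key is passphrase-encrypted."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-armoured private key")
    body = lines[1:-1]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(body))
        if not raw.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _ssh_string(raw, len(MAGIC))   # "none" means no passphrase
        kdf, _ = _ssh_string(raw, off)               # "bcrypt" when passphrase-encrypted
        cipher, kdf = cipher.decode(), kdf.decode()
        return {"format": "openssh-key-v1", "encrypted": cipher != "none", "cipher": cipher, "kdf": kdf}
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is announced by header lines ahead of the base64 body
    headers = {k.strip(): v.strip() for k, v in (ln.split(":", 1) for ln in body if ":" in ln)}
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    cipher = headers.get("DEK-Info", "unknown").split(",")[0] if encrypted else "none"
    return {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher, "kdf": "pem-md5" if encrypted else "none"}

def key_verdict(report, mode):
    """Combine the encryption report with the key file's mode bits (os.stat().st_mode)."""
    exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    if report["encrypted"]:
        return "passphrase-protected; weakest link is %s/%s" % (report["cipher"], report["kdf"])
    if exposed:
        return "UNENCRYPTED and group/world accessible"
    return "unencrypted; protection rests entirely on file privacy"

def constructed_openssh_key(cipher="none", kdf="none"):
    """Constructed sample: only the leading openssh-key-v1 fields, not a usable key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    raw = MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(b"") + struct.pack(">I", 1)
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(raw).decode()

# Constructed legacy-format sample: real header lines, filler body, not a real key.
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Running `key_verdict(inspect_private_key(open(path).read()), os.stat(path).st_mode)` over each file in `~/.ssh` gives a quick inventory of which keys rely on a passphrase and which rely on permissions alone.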
