comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...
Matthew Seaman
matthew at FreeBSD.org
Wed Sep 17 06:26:00 UTC 2014
On 15/09/2014 20:09, John Case wrote:

>> Key based auth is definitely the better choice out of those two.
> However, just out of curiosity - let's pretend that sshd *did* allow
> you to use both an SSH key and a UNIX password at the same time ...
> would that be more or less secure than using an SSH key with a built-in
> passphrase ?

That's just like sprinkling sugar on top of honey: it doesn't really
achieve anything. You've got maybe 2048 bits of SSH key and you want to
add of the order of a hundred bits of password on top of that? It would
be better to just use a bigger SSH key.

If you are so concerned about security and you need something more than
what ssh-key based auth can provide, then look into one-time password
style things -- which includes all sorts of hardware tokens -- or
Kerberos / GSSAPI setups -- which use cryptographic methods vaguely
similar to SSH keys, but store the sensitive keying material in a way
that makes it much less likely to be compromised.

Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey