comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...

Matthew Seaman matthew at FreeBSD.org
Fri Sep 12 06:16:55 UTC 2014


On 11/09/2014 23:04, John Case wrote:
> What's the difference between using a UNIX password combined with an SSH
> key (if that actually worked, which it doesn't) and using an SSH key
> with a passphrase attached ?  Is one of these better than the other ? 
> Are they the same ?

With ssh key based auth, an attacker needs to obtain both your ssh
private key and the passphrase used to decrypt it.  For password based
auth, all they need is the password.  Key based auth is definitely the
better choice out of those two.

When using ssh key based auth, it is vitally important to only store
your private key on a secure system: typically this would be your
desktop or personal laptop -- which may cause some cognitive dissonance
with the ideal of 'secured.'  Do use disk encryption on the machine
where you store your keys.  Alternatively, keep your keys on an
encrypted USB stick.

Do use ssh-agent(8) or gpg-agent(8) (which I prefer) and the
'ForwardAgent' (-A) option if you need to hop through one machine to
reach another.   Do not copy your private key to the 1st machine in that
situation.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey

