comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...

Michael Sierchio kudzu at
Mon Sep 15 20:27:50 UTC 2014

On Mon, Sep 15, 2014 at 12:13 PM, Charles Swiger <cswiger at> wrote:

> On Sep 15, 2014, at 12:07 PM, John Case <case at SDF.ORG> wrote:

>> Ok, thanks - but SSH key+passphrase is still much better than just plain old password, yes ?
> Yes, it's better.  However, the default storage that SSH uses for private keys with a passphrase isn't as strong as it could be.

Agreed. Though there are different kinds of threats. Disabling
password auth means no brute force password attempt will work. If you
do as I do and store your encrypted SSH key on a secure (assume for
the moment that's true :-) USB vault, and add it to an ssh-agent on
the local host, and enable agent forwarding - we've come close to SSO
with reasonable security.

Newer versions of OpenSSH support pam-google-authenticator, which is a
very nice way of accomplishing multifactor authentication. I tend to
use this everywhere. Central management is left as an exercise for the
reader (pam_url on Linux is a possible starting point).

- M

More information about the freebsd-questions mailing list