to...@tuxteam.de wrote:
> On Fri, Dec 20, 2024 at 10:22:29AM +0700, Max Nikulin wrote:
> > On 19/12/2024 15:56, Chris Green wrote:
> > > Horses for courses, I enter login passwords/passphrases quite frequently
> > > (lots of
> > > different systems that I ssh to) long, unmemorable, passwords would be
> > > useless.
> >
> > Generate a private key and add its public counterpart to
> > ~/.ssh/authorized_keys on remote machines. Locally running ssh-agent allows
> > to authenticate on remote machines without typing the pass phrase for the
> > private key for each connection. It is more secure than passwords against
> > brute force attacks.
>
> Definitely. I was thinking specifically about passwords: what they are, how
> they work. But it's clear that (asymmetric) crypto keys are worlds ahead
> of passwords in terms of security, convenience (agent forwarding, anyone?)
> LDAP integration and all of that. Whenever I have the choice, a SSH key it
> is.
>
WHY????
It depends very much on the way your connection might get attacked. A
key based ssh connection is (as you say) much more secure against
attacks directly on the remote server, but only if that remote server
has password login disabled. Your key based login is quite irrelevant
if there's actually a password that the intruder can guess.

At the local end using a passphrase protected ssh key is no better than
a password, both depend entirely on how easily the password or
passphrase can be guessed. In fact my feeling is that password is
slightly better because if you are using ssh-agent you may well leave
your system for short periods without logging off and then an intruder
will be able to log in to all those remote systems for which ssh-agent
has saved your key(s). (Physical security again!)

This last is why I have my ssh-agent set to expire keys after a few
minutes.

-- 
Chris Green
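
The two conditions raised in this message, as an added example that is not part of the thread: a check that a server really accepts keys only, fed with the effective settings that `sshd -T` prints, plus the `ssh-add -t` call that gives an agent key a lifetime. The function names, the 300 second lifetime, the key path and the sample settings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample settings below are constructed.

# Server side: read effective sshd settings in `sshd -T` format
# (lowercase keyword, space, value) on stdin and print one finding per line.
# Exit status 0 = only keys are accepted, 1 = a password path is still open.
# Real use (as root on the server):  sshd -T | audit_sshd_effective
audit_sshd_effective() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" && val == "yes" {
            print "FAIL passwordauthentication=yes: a password can still be guessed remotely"
            bad = 1 }
        (key == "kbdinteractiveauthentication" ||
         key == "challengeresponseauthentication") && val == "yes" {
            print "FAIL " key "=yes: PAM may still prompt for a password"
            bad = 1 }
        key == "pubkeyauthentication" && val == "no" {
            print "FAIL pubkeyauthentication=no: keys are not accepted at all"
            bad = 1 }
        END { if (!bad) print "OK only key-based logins are accepted"
              exit (bad ? 1 : 0) }
    '
}

# Constructed sample: keys work, but password logins were never switched off.
sample_password_open() { cat <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
usepam yes
EOF
}

# Constructed sample: the same server after disabling password logins.
sample_key_only() { cat <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
usepam yes
EOF
}

# Client side: keep the decrypted key in the agent for 5 minutes only, so an
# unattended session stops being usable for new logins after that.
#   ssh-add -t 300 ~/.ssh/id_ed25519     # per key (path is an assumption)
#   ssh-agent -t 300                     # default lifetime for every added key

sample_password_open | audit_sshd_effective || :
sample_key_only | audit_sshd_effective
```
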