On 20/12/2024 16:21, Chris Green wrote:
> In fact my feeling is that password is slightly better because if you are using ssh-agent you may well leave your system for short periods without logging off, and then an intruder will be able to log in to all those remote systems for which ssh-agent has saved your key(s). (Physical security again!) This last is why I have my ssh-agent set to expire keys after a few minutes.
I have not tried it, but my expectation is that it is possible to use key-based authentication without an agent. If that is true, then a key usually has more entropy than a password (especially one that is easy to type), so the latter has no advantage.
From my point of view, if an "intruder" may do something with a system during a short period of absence, then passwords should be considered compromised and the expiration period configured in ssh-agent does not matter.
Instead of an expiration timeout, I would consider removing keys from ssh-agent on screen locker activation (explicitly by a shortcut or due to some idle time). Perhaps, e.g., keepassxc as an ssh-agent can do it out of the box. For openssh it should be scriptable as well.
I consider not adding a key to ssh-agent, or removing it from there, as a protection against my own unintentional actions.
Tomas, I am sorry that I failed to express it clearly enough, believing that the quote was enough for the context. From my point of view, ssh-agent allows one to reduce the number of passwords that are in the active pool. A passphrase to a key gives access to multiple hosts. On the other hand, I consider adding passwords to a password manager as a kind of writing them down. Logins for remote systems must be kept somewhere anyway; you just do not need to type them frequently.
Jeffrey, a hardware token is definitely the next step in protecting ssh private keys and a second factor for authentication. Of course, with some specific actions to not lose access in the case of token failure.
As to client certificates, I may easily be confusing everything, but from comments in various discussions I had the impression that at least in some European (maybe Baltic and/or Nordic) countries people have to use smart cards to access some services provided by their states. Some of them arrange authentication on their own servers using the same client certificates.
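The "flush the agent when the screen locker starts" approach mentioned in the reply above, as an added example that is not part of the original message or of any project it names: a small POSIX sh wrapper that sits between whatever triggers the lock (a hotkey, xss-lock, an idle timer) and the locker binary. It assumes an OpenSSH ssh-agent reachable through $SSH_AUTH_SOCK; the LOCKER variable and the `lock`/`flush` subcommands are names chosen here, not anything OpenSSH provides.

```sh
#!/bin/sh
# lock-and-flush.sh: remove all identities from ssh-agent, then start the
# screen locker. Added example; assumes an OpenSSH ssh-agent on
# $SSH_AUTH_SOCK. LOCKER is a hypothetical name for your locker command.

LOCKER="${LOCKER:-xsecurelock}"

# Ask the agent to drop every loaded identity (ssh-add -D).
# Prints one line describing the outcome and returns:
#   0  identities removed (an already-empty agent also returns 0)
#   1  an agent socket exists but ssh-add -D failed
#   2  no usable agent socket in this session, nothing to flush
flush_agent_keys() {
    if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "no ssh-agent socket in this session, nothing to flush"
        return 2
    fi
    if ssh-add -D >/dev/null 2>&1; then
        echo "all identities removed from ssh-agent"
        return 0
    fi
    echo "ssh-add -D failed although $SSH_AUTH_SOCK exists" >&2
    return 1
}

# Flush first, then hand the process over to the locker, so a locker that
# fails to start can never leave the keys loaded behind a locked screen.
# "No agent" (rc 2) is fine; a failed flush (rc 1) refuses to lock so the
# problem is noticed instead of silently keeping the keys usable.
lock_and_flush() {
    rc=0
    flush_agent_keys || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "refusing to lock: keys may still be loaded in ssh-agent" >&2
        return 1
    fi
    exec "$LOCKER"
}

# With no argument the file only defines the functions (so it can be
# sourced); "lock" is what the hotkey or xss-lock should run.
case "${1:-}" in
    lock)  lock_and_flush ;;
    flush) flush_agent_keys ;;
    "")    ;;
    *)     echo "usage: $0 {lock|flush}" >&2; exit 64 ;;
esac
```

On an X11 desktop that uses systemd-logind, `xss-lock -- /path/to/lock-and-flush.sh lock` runs the wrapper both on `loginctl lock-session` and on the X screensaver idle event, so the flush covers the "due to some idle time" case from the message as well as an explicit shortcut. Keys then have to be re-added with `ssh-add` after unlocking, which is the intended cost; the agent-side timeout (`ssh-add -t` or `ssh-agent -t`) can still be kept as a backstop for the case where the screen never gets locked.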