On Thu, Dec 17, 2009 at 01:20:20AM +0000, MJ Ray wrote:
Chris G cl@isbd.net asked:
What concerns me slightly is that it's all a total waste of time if it's only protected by my login password which I think, by default, it is. I.e. if I understand things right (and I'm not at all sure about this) when I log in to the X gui and enter my password then gnome-keyring (and/or seahorse) extracts my key[s] from somewhere and then when I ssh to other systems that key is used and I don't have to type it in. Have I got that anything like right?
Pretty much, but with ssh-agent (not sure about the others) you can remove keys or lock keys. Also, ssh keys are usually protected by their own passphrase and not your login password, but again I'm not sure about gnome-keyring or seahorse.
But then that's only like setting up a system where you need two passwords to get in, obviously more secure but that would be true anyway. I.e. to connect to system xxx from my home system the intruder needs to break into my home system and then needs *either* the passphrase to get at my keys *or* the password of the remote system.
If this *is* the way that it works how is it even remotely more secure than simply using password login on those systems I ssh into?
It's more secure because the authentication password never goes across the network - an attacker would need to break both the transport security *and* the private key that corresponds to the public key.
OK, so it's more secure against being compromised by any sort of man-in-the-middle attack, I can see that. However I don't really believe that my systems are likely to be attacked that way, I'm a thousand times more likely to be targeted by someone simply banging away at an ssh port.
Also, if one workstation is compromised, you can remove that one key and not need to change all passwords. You can also limit the features that can be accessed by a key-based login.
Not really my sort of scenario, there is only one 'workstation', my desktop machine. :-)
If not can someone clarify a bit for me, or, as I said, point me at some sort of overview document that explains things.
http://www.ibm.com/developerworks/linux/library/l-keyc.html and parts 2 and 3 maybe explains both publickey authentication and the keychain idea better than I can here.
Not quite what I was after, I want a *user* guide to tell me how to set it all up and get it working with gnome-keyring, seahorse or whatever. As it is, all I can do is run seahorse and enter passwords and keys, but I haven't a clue what it does with them, how I can get it to ask me at start up (or use my login password) or whatever. I've hunted around for HowTos and FAQs but they just repeat similar stuff to what you have pointed me at above. I know enough (I think) about the mechanics of Public Key authentication, I also know how to set up ssh and sshd pretty well for command line use.
What I don't know, as I said, is what seahorse et al add to what I already do. I know that gnome-keyring is an ssh-agent replacement (at least I think it is) but I can't find *anything* that tells me how to use it, how it asks me for passphrases etc. or how it integrates with seahorse.
Hope that helps,
Yes, thanks for continuing to humour me! :-)
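An added example, not part of the thread and not written by either poster, illustrating MJ Ray's point that a key-based login can be limited in what it may do on the remote system. On the server side that limit lives in the options field of `~/.ssh/authorized_keys`: `restrict` switches off forwarding, pty and the like, `command="..."` pins the key to one program, and `from="..."` confines the source hosts. The script below parses an authorized_keys file (handling the quoted options field, which may contain spaces and commas) and reports which keys can log in with no such limit. The three sample lines are constructed for the example; the key material in them is a placeholder, not a real key.

```python
# Added example: audit an authorized_keys file for keys that can log in
# with no restriction options. Sample data below is constructed.
from dataclasses import dataclass
from typing import Optional

# Token prefixes that mark the start of the key-type field (no options present).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample: one unrestricted key, one fully restricted backup key,
# and one "legacy" key with only partial limits. Key data is a placeholder.
SAMPLE = """\
# constructed sample authorized_keys (example only)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA1 chris@desktop
restrict,from="192.0.2.10",command="/usr/bin/rsync --server --sender . /backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA2 backup@desktop
no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEYDATA3 legacy@laptop
"""


@dataclass
class AuthorizedKey:
    options: list
    key_type: str
    key_data: str
    comment: str

    @property
    def restricted(self) -> bool:
        """True when sshd will confine what this key may do after login:
        'restrict' disables all extras, 'command=' pins the program that runs,
        and 'from=' limits which hosts may present the key."""
        return any(
            o == "restrict" or o.startswith(("command=", "from="))
            for o in self.options
        )


def _split_quoted(text: str, seps: str) -> list:
    """Split on any character in `seps` that lies outside double quotes.
    Inside quotes a backslash escapes the next character, as sshd allows."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\" and i + 1 < len(text):
            cur.append(ch + text[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            if cur:
                parts.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        parts.append("".join(cur))
    return parts


def parse_line(line: str) -> Optional[AuthorizedKey]:
    """Parse one authorized_keys line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split_quoted(line, " \t")
    if fields[0].startswith(KEY_TYPE_PREFIXES):
        options, rest = [], fields            # no options field present
    else:
        options, rest = _split_quoted(fields[0], ","), fields[1:]
    if len(rest) < 2:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    return AuthorizedKey(options, rest[0], rest[1], " ".join(rest[2:]))


def audit(text: str) -> list:
    """Return (comment, restricted) for every key in an authorized_keys text."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return [(e.comment or e.key_data[:16], e.restricted) for e in entries]


if __name__ == "__main__":
    for comment, restricted in audit(SAMPLE):
        print(f"{'ok        ' if restricted else 'UNLIMITED '} {comment}")
```

Run against a real file with `audit(open('~/.ssh/authorized_keys').read())` on the machine you ssh into; each key reported as unlimited is one whose compromise gives a full shell on that host. The client-side half of MJ Ray's remark, removing or locking keys held by ssh-agent, is `ssh-add -d <keyfile>` to drop one key, `ssh-add -D` to drop them all, and `ssh-add -x` to lock the agent behind a password until `ssh-add -X` unlocks it.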