On Thu, May 19, 2005 at 10:25:53PM +0100, Adam Bower wrote:
On Thu, May 19, 2005 at 04:34:04PM +0100, Chris Green wrote:
I know this creates some security holes but I'm not at all clear what they are really, can anyone elucidate? I realise that anyone with
login. Is this the only risk or is the encryption inherently weaker if I didn't enter a key?
The encryption will be the same, the risk is that you have to trust everyone with access to those machines won't abuse your keys. All my
Which I do basically. As I said there is *much* more important information (both as regards confidentiality and the sheer time needed to recreate it) on the machines which I connect from than there is on the machines I connect to. I.e. the 'un passphrased' keys are on my home linux box and my work desktop Solaris machine. If anyone gets access to either of those machines they can do far more damage than they could if they get access to either of my remote shell login accounts.
keys have a passphrase just because, it isn't really any harder to type it every so often. If you find that you are having to type a passphrase often then maybe you want to take a look at ssh-agent which sort of caches keys after you unlock them so you don't have to keep typing the passphrase.
It's more the automation aspect than the hassle of typing in the passphrase. I could live with typing the passphrase in once per day at work; at home it would be messier because I log in and out of the Linux box quite frequently.
Having said that typing the passphrase in on my work machine every morning and using ssh-agent hardly adds anything to security does it! The machine is left on all day and I don't log out when I leave my desk, how does using ssh-agent help in the slightest?
Given that having logged on to my work machine when I get to work I make a connection to the remote machines which stays up all day until I go home at the end of the day I don't think that a passphrase protected key is going to be any more secure than one that isn't passphrase protected.
(I've said the same thing twice there, never mind)
Read this article for more explanation on ssh-agent (and the linked articles; I find that the items Brian Hatch writes are very informative without getting too bogged down in details).
I'll read that anyway, the more one knows the better, thanks.
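The point made above is that a key saved without a passphrase is usable by anyone who can read the file, so the practical check is which keys on a machine are in that state. The following is an added example, not code from either poster: a Python parser that reads the OpenSSH private key container (and the older PEM forms) and reports whether the key was saved under a passphrase; the sample keys are constructed stubs with placeholder key material, not real keys.

```python
import base64
import struct
MAGIC = b"openssh-key-v1\x00"   # leading marker of the openssh-key-v1 container

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n

def key_is_passphrase_protected(pem_text):
    """True if the private key text is encrypted under a passphrase, else False."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(body, len(MAGIC))  # b"none" means no passphrase
        kdf, _ = _read_string(body, off)              # b"bcrypt" on protected keys
        return cipher != b"none" and kdf != b"none"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True                                   # PKCS#8 encrypted container
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encrypted ones carry a Proc-Type header.
    return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _build_openssh_blob(cipher, kdf, kdfopts):
    """Constructed sample: real openssh-key-v1 header layout, placeholder key material."""
    body = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"pubkey-placeholder")
            + _ssh_string(b"private-section-placeholder"))
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples (not real keys): one with no passphrase, two protected.
SAMPLE_UNPROTECTED = _build_openssh_blob(b"none", b"none", b"")
SAMPLE_PROTECTED = _build_openssh_blob(b"aes256-ctr", b"bcrypt", b"\x00" * 20)
SAMPLE_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nAAAA\n"
                 "-----END RSA PRIVATE KEY-----\n")
```

Run `key_is_passphrase_protected` over each file in a `~/.ssh` directory that starts with `-----BEGIN` to list the keys that would be immediately usable by anyone who can read that account's files.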