Chris Green chris@areti.co.uk writes:
I currently use ssh for various logins from home and from work.
I have set up the logins so that they work without me entering a password or key phrase at all, i.e. I *think* when asked for a key to generate the encrypted string used for authorisation I entered nothing.
I know this creates some security holes, but I'm not at all clear what they are really; can anyone elucidate? I realise that anyone with access to my work machine or my home machine will be able to log in to these remote systems without knowing the password, but that's not a big problem really: there is far more important and sensitive information on my desktop machines than there is on the places where I remotely log in. Is this the only risk, or is the encryption inherently weaker if I didn't enter a key?
Something that nobody's yet mentioned (I think) that seems worth pointing out is that even with a passphrase-protected private key, an attacker who can run as your UID[1] can arrange to capture the passphrase next time you use it anyway.
That doesn't make passphrases useless; for instance, they still defend against an attacker who can read your files but not run code under your UID.
[1] i.e. they don't even necessarily have to take control of the entire machine
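Since the thread turns on whether a private key is stored encrypted at rest, here is an added example (not from either poster) that audits key files for that property: it parses the `openssh-key-v1` header to read the cipher name, and falls back to the `Proc-Type: 4,ENCRYPTED` marker for legacy PEM keys. The sample key blobs are constructed header fragments, not real keys.

```python
import base64
import re
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\0"


def _openssh_blob(cipher: str, kdf: str) -> str:
    # Constructed sample: only the leading fields of an openssh-key-v1 blob
    # (magic, ciphername, kdfname); real keys continue with key material.
    raw = MAGIC
    for s in (cipher, kdf):
        raw += struct.pack(">I", len(s)) + s.encode()
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


UNPROTECTED_KEY = _openssh_blob("none", "none")          # no passphrase
PROTECTED_KEY = _openssh_blob("aes256-ctr", "bcrypt")    # passphrase-protected
LEGACY_PROTECTED_KEY = (                                 # constructed PEM sample
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "AAAA\n-----END RSA PRIVATE KEY-----\n"
)
LEGACY_UNPROTECTED_KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"


def _read_string(buf: bytes, off: int):
    # SSH wire format: 4-byte big-endian length followed by the bytes
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n].decode(), off + 4 + n


def key_is_passphrase_protected(pem_text: str) -> bool:
    """True if the private key text is encrypted at rest."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem_text:
        body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, _ = _read_string(raw, len(MAGIC))
        return cipher != "none"          # "none" means stored in the clear
    # Legacy OpenSSL PEM: encryption is signalled by the Proc-Type header
    return re.search(r"^Proc-Type: 4,ENCRYPTED", pem_text, re.M) is not None


def unprotected_keys(ssh_dir: str) -> list:
    """Paths of private keys under ssh_dir that have no passphrase."""
    return [str(p) for p in Path(ssh_dir).glob("id_*")
            if not p.name.endswith(".pub")
            and not key_is_passphrase_protected(p.read_text())]
```

Run `unprotected_keys("~/.ssh")` (after expanding the path) to list the keys that grant whoever can read the file the same access the thread describes.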