Chris G cl@isbd.net asked:
What concerns me slightly is that it's all a total waste of time if it's only protected by my login password which I think, by default, it is. I.e. if I understand things right (and I'm not at all sure about this) when I log in to the X gui and enter my password then gnome-keyring (and/or seahorse) extracts my key[s] from somewhere and then when I ssh to other systems that key is used and I don't have to type it in. Have I got that anything like right?
Pretty much, but with ssh-agent (not sure about the others) you can remove keys or lock keys. Also, ssh keys are usually protected by their own passphrase and not your login password, but again I'm not sure about gnome-keyring or seahorse.
If this *is* the way that it works how is it even remotely more secure than simply using password login on those systems I ssh into?
It's more secure because the authentication password never goes across the network - an attacker would need to break both the transport security *and* the private key that corresponds to the public key.
Also, if one workstation is compromised, you can remove that one key and not need to change all passwords. You can also limit the features that can be accessed by a key-based login.
If not can someone clarify a bit for me, or, as I said, point me at some sort of overview document that explains things.
http://www.ibm.com/developerworks/linux/library/l-keyc.html and parts 2 and 3 maybe explains both publickey authentication and the keychain idea better than I can here.
Hope that helps,