On Mon, Feb 05, 2018 at 10:16:36AM +0000, Laurie Brown wrote:
On 04/02/18 22:28, Chris Green wrote:
On Sun, Feb 04, 2018 at 06:25:01PM +0000, steve-ALUG@hst.me.uk wrote:
On 04/02/18 12:42, Chris Green wrote:
However you store keys they are vulnerable; they are stored. My passwords are only in my head and on the desktop machine at home (in encrypted form of course). If someone gets physical access to the machine at home then neither keys nor passwords are going to make any difference at all.
A private key created with a password is not decrypted until you enter the password. Consequently they are at least as secure as using a password - probably more secure as you need to be able to access a machine with the key on it, and also know the password.
"... at least as secure as using a password.", yes, and?
Password-less key pairs and the judicious use of the sudoers file are perfectly valid and secure ways to perform the task(s) you describe.
ssh-add is also a valid way to deal with key pairs requiring a password where unattended tasks are to be performed.
Yes, I didn't say it wasn't possible to do with keys. I was just saying that for (some of) my ways of using ssh it's no less secure and easier to use passwords. (... and because it's easier it's more secure because you don't short-cut the security).
I use passphrase-protected keys for quite a lot of ssh connections, I don't have an inherent dislike of them, but it's horses for courses.
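The password-less key plus sudoers arrangement mentioned in the thread, as an added example that is not code from any of the posters: it pins such a key to one forced command and one source address in authorized_keys, writes the matching NOPASSWD sudoers rule, and counts authorized_keys entries that carry no forced command. The addresses, key text and the /usr/local/sbin/run-backup path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. It shows the "password-less key +
# sudoers" pattern in restricted form: the key is pinned to one forced command
# and one source address in authorized_keys, and sudoers grants NOPASSWD for
# exactly that command. Key text, addresses and paths are constructed placeholders.

# One authorized_keys entry: sshd runs only $2 regardless of what the client
# asks for (the client's request is left in $SSH_ORIGINAL_COMMAND), accepts the
# key only from $1, and refuses a pty and every kind of forwarding.
restricted_authorized_key() {
    # $1 = allowed source host or CIDR, $2 = forced command, $3 = public key
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$1" "$2" "$3"
}

# Matching sudoers rule: the automation account may run one absolute path as
# root without a password, and nothing else.
sudoers_rule() {
    # $1 = user, $2 = absolute command path
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Audit helper: count entries in an authorized_keys file ($1) that carry no
# forced command, i.e. keys that grant a full shell and deserve a second look.
# Blank lines and comments are skipped; prints 0 when every entry is restricted.
unrestricted_key_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -vc 'command="' || true
}

# Write a constructed sample authorized_keys file to $1: one unrestricted
# interactive key and one restricted backup key.
write_sample_keys() {
    cat > "$1" <<'EOF'
# constructed sample authorized_keys (keys are not real)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORILLUSTRATIONONLY0000000000 alice@laptop
EOF
    restricted_authorized_key "192.0.2.10" "/usr/local/sbin/run-backup" \
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORILLUSTRATIONONLY1111111111 backup@home" >> "$1"
}

# Demo: build the sample file, show the rules, and report how many keys are unrestricted.
demo_keys=$(mktemp)
write_sample_keys "$demo_keys"
cat "$demo_keys"
sudoers_rule backup /usr/local/sbin/run-backup
echo "unrestricted keys: $(unrestricted_key_count "$demo_keys")"
rm -f "$demo_keys"
```

The audit count is the number to watch: any entry without `command=` can open a full shell for whoever holds that private key.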