I've been thinking about the security of my system(s) a bit more over the past week or so. I use ssh from home to work, from work to home and to connect from both home and work to a couple of remote systems where I have Linux shell login accounts.
All the accepted 'rules' about security when using ssh say that one shouldn't use a 'no passphrase' key to get passwordless login; instead one should use a passphrase and ssh-keygen. From where I'm looking a 'passphrase' is exactly the same (from a user point of view) as a password - it's a (supposedly) difficult-to-guess string that I have to enter in order to log on to a remote system. The *only* advantage that using ssh-keygen gives you is that you (may) only have to type the passphrase in once for several logins. Since I tend to only log in to remote systems once per session, using ssh-keygen is (for me) no different from using a normal password.
So, I've been looking around at other things that relate to this. One possibility is HostBasedAuthentication where it's the machine rather than the user that has the RSA/DSA keys. Doing this allows the keys to be readable by root only which adds a little extra protection but not a great deal (one site even says HostBasedAuthentication is less secure than a 'no passphrase' personal key). It also requires quite a lot more fiddling around with .shosts files and such and, of course, requires root access. So I have decided HostBasedAuthentication doesn't really do much for me.
Another utility I have discovered is keychain; this is a sort of super ssh-agent which provides ssh-agent type facilities for a whole system which only needs to be renewed (i.e. the passphrase re-entered) when the system is rebooted. However, on thinking about it, I don't really see how this offers any better security than a 'no passphrase' personal key. Anyone who could steal your 'no passphrase' key could also use the running keychain; I really don't see what use it is at all, it just makes things more complicated.
So finally I'm back at staying where I am, using a 'no passphrase' key to provide passwordless logins.
One thing that would improve my security is to restrict ssh access without a password to specific IP addresses; I wonder if it's possible to do this as well as allowing password based access from other systems.
One thing that would improve my security is to restrict ssh access without a password to specific IP addresses; I wonder if it's possible to do this as well as allowing password based access from other systems.
Yes, of course it is, you just add only the systems from which you want to allow passwordless access to the authorized_keys file.
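The per-system restriction the reply refers to is the `from="pattern,..."` option that sshd honours at the start of an authorized_keys line (the password-from-elsewhere half is a separate sshd_config matter, e.g. a `Match Address` block setting `PasswordAuthentication`). The following is an added example, not code from the thread or from OpenSSH: it builds such a line and evaluates whether a given source address would be accepted under sshd's pattern rules (comma-separated `*`/`?` globs, CIDR blocks, and `!` negation, where a negated match rejects outright). The key and addresses are constructed placeholders.

```python
import fnmatch
import ipaddress
import re

# The from= option sits in the comma-separated option list before the key type.
FROM_RE = re.compile(r'(?:^|,)from="([^"]*)"')


def restricted_line(patterns, pubkey):
    """Build an authorized_keys line that limits `pubkey` to the given source patterns."""
    return 'from="%s",no-port-forwarding,no-agent-forwarding %s' % (",".join(patterns), pubkey)


def from_patterns(line):
    """Return the patterns of the from= option on one authorized_keys line ([] if none)."""
    m = FROM_RE.search(line)
    return m.group(1).split(",") if m else []


def _matches(pattern, addr, hostname):
    # CIDR patterns are matched numerically; anything else is a glob against
    # the address and, if known, the reverse-resolved hostname.
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(addr, pattern) or (
        hostname is not None and fnmatch.fnmatchcase(hostname, pattern)
    )


def key_allowed_from(line, addr, hostname=None):
    """True if the key on `line` may be used from `addr`; no from= option means anywhere."""
    patterns = from_patterns(line)
    if not patterns:
        return True
    allowed = False
    for pat in patterns:
        if pat.startswith("!"):
            if _matches(pat[1:], addr, hostname):
                return False  # a negated match wins regardless of other patterns
        elif _matches(pat, addr, hostname):
            allowed = True
    return allowed


# Constructed sample: key usable from the work subnet except one host, plus a /24 block.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey chris@home"
WORK_LINE = restricted_line(["203.0.113.*", "!203.0.113.99", "198.51.100.0/24"], SAMPLE_KEY)
```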
Chris Green chris@areti.co.uk writes:
So, I've been looking around at other things that relate to this. One possibility is HostBasedAuthentication where it's the machine rather than the user that has the RSA/DSA keys. Doing this allows the keys to be readable by root only which adds a little extra protection but not a great deal (one site even says HostBasedAuthentication is less secure than a 'no passphrase' personal key).
To get the host private key material you need to be root. If you can do that you can get any passphraseless user private keys too. So I'm not sure what sort of argument would support that sort of claim.
On Richard's postings to the list in kmail, I notice that a picture appears in the fancy header of the message. Created by this message header
X-Face: h[Hh-7npe<<b4/eW[]sat,I3O`t8A`(ej.H!F4\8|;ih)`7{@:A~/j1}gTt4e7-n*F?.Rl^ F<{jehn7.KrO{!7=:(@J~]<.[{>v9!1<qZY,{EJxg6?Er4Y7Ng2\Ft>Z&W?r\c.!4DXH5PWpga "ha +r0NzP?vnz:e/knOY)PI-
How do you do that?
Wayne Stallwood ALUGlist@digimatic.plus.com writes:
On Richard's postings to the list in kmail, I notice that a picture appears in the fancy header of the message. Created by this message header
X-Face: h[Hh-7npe<<b4/eW[]sat,I3O`t8A`(ej.H!F4\8|;ih)`7{@:A~/j1}gTt4e7-n*F?.Rl^ F<{jehn7.KrO{!7=:(@J~]<.[{>v9!1<qZY,{EJxg6?Er4Y7Ng2\Ft>Z&W?r\c.!4DXH5PWpga "ha +r0NzP?vnz:e/knOY)PI-
How do you do that?
I used compface, but I see that there is a web form that will do it:
On Thursday 09 June 2005 12:04, Richard Kettlewell wrote:
Wayne Stallwood ALUGlist@digimatic.plus.com writes:
On Richard's postings to the list in kmail, I notice that a picture appears in the fancy header of the message. Created by this message header
X-Face: h[Hh-7npe<<b4/eW[]sat,I3O`t8A`(ej.H!F4\8|;ih)`7{@:A~/j1}gTt4e7-n*F?.Rl^ F<{jehn7.KrO{!7=:(@J~]<.[{>v9!1<qZY,{EJxg6?Er4Y7Ng2\Ft>Z&W?r\c.!4DXH5PWpga "ha +r0NzP?vnz:e/knOY)PI-
How do you do that?
I used compface, but I see that there is a web form that will do it:
K-Mail will do it for you automatically:-
Settings -> Identities -> Modify -> Picture
Follow instructions.
Matt