I've been thinking about the security of my system(s) a bit more over the past week or so. I use ssh from home to work, from work to home and to connect from both home and work to a couple of remote systems where I have Linux shell login accounts. All the accepted 'rules' about security when using ssh say that one shouldn't use a 'no passphrase' key to get passwordless login, instead one should use a key phrase and ssh-keygen. From where I'm looking a 'key phrase' is exactly the same (from a user point of view) as a password - it's a (supposedly) difficult to guess string that I have to enter in order to log on to a remote system. The *only* advantage that using ssh-keygen gives you is that you (may) only have to type the passphrase in once for several logins. Since I tend to only login to remote systems once per session using ssh-keygen is (for me) no different from using a normal password. So, I've been looking around at other things that relate to this. One possibility is HostBasedAuthentication where it's the machine rather than the user that has the RSA/DSA keys. Doing this allows the keys to be readable by root only which adds a little extra protection but not a great deal (one site even says HostBasedAuthentication is less secure than a 'no passphrase' personal key). It also requires quite a lot more fiddling around with .shosts files and such and, of course, requires root access. So I have decided HostBasedAuthentication doesn't really do much for me. Another utility I have discovered is keychain, this is a sort of super ssh-agent which provides ssh-agent type facilities for a whole system which only needs to be renewed (i.e. the passphrase re-entered) when the system is rebooted. However, on thinking about it, I don't really see how this offers any better security than a 'no passphrase' personal key. Anyone who could steal your 'no passphrase' key could also use the running keychain, I really don't see what use it is at all, it just makes things more complicated. So finally I'm back at staying where I am, using a 'no passphrase' key to provide passwordless logins. One thing that would improve my security is to restrict ssh access without a password to specific IP addresses, I wonder if it's possible to do this as well as allowing password based access from other systems. -- Chris Green (chris@areti.co.uk) "Never ascribe to malice that which can be explained by incompetence."