
Re: ssh passphrase



>>>>> "Jens" == Jens B Jorgensen <jens.jorgensen@cmgisolutions.com> writes:

    Jens> That's what ssh-agent is for. You run ssh-agent and it will
    Jens> output environment variables for a unix domain socket. Then
    Jens> you run ssh-add and type in your passphrase.  The ssh-agent
    Jens> caches your key and access is limited to your user
    Jens> (permissions on the unix socket). This is not secure enough
    Jens> for some of course.

I think if you don't trust your local computer, then you're off to a bad
start anyway, i.e. anybody could modify your ssh, and capture your
password and private key.

IMHO, the biggest security risks of ssh are:

1. if you forward your ssh-agent to other computers (enabled by
default???), then you must also trust these computers. I personally
have ssh-agent forwarding turned off by default. 

2. the danger that somebody would steal your private key, and run an
off-line dictionary attack to try and guess your passphrase. Once this
is done, the intruder can access your remote accounts for as long as
the public key remains in place. Some people don't consider this an
issue, while others consider it a serious design problem in public key
infrastructure.

-- 
Brian May <bam@debian.org>
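As an added illustration of the two points discussed in this thread (this script is not from the thread or from OpenSSH), the following POSIX shell snippet checks that an agent socket is actually limited to your own uid, and reads the ForwardAgent setting out of a client config file. It assumes only sh, awk, ls and id; the function names and the ssh_config/socket paths are placeholders you supply.

```shell
#!/bin/sh
# Added example, not code from the original thread. Two small checks for the
# points raised above: (1) is the agent socket really limited to your user,
# (2) is agent forwarding off in a client config. Assumes POSIX sh, awk, ls, id.

# Returns 0 when PATH (e.g. "$SSH_AUTH_SOCK") is owned by the current uid and
# has no group/other permission bits; ls -n gives the numeric owner portably.
agent_socket_private() {
    line=$(ls -ldn "$1" 2>/dev/null) || return 1
    perms=$(printf '%s\n' "$line" | awk '{ print substr($1, 5, 6) }')
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    [ "$perms" = "------" ] && [ "$owner" = "$(id -u)" ]
}

# Prints the ForwardAgent value found in the ssh_config FILE.
# Simplification: the first directive anywhere in the file wins and Host/Match
# scoping is ignored; a missing directive means the OpenSSH default, "no".
forward_agent_setting() {
    awk 'tolower($1) == "forwardagent" && NF >= 2 { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Typical session on your own machine (not run here):
#   eval "$(ssh-agent -s)"      # exports SSH_AUTH_SOCK and SSH_AGENT_PID
#   ssh-add ~/.ssh/id_ed25519   # prompts for the passphrase once
#   agent_socket_private "$SSH_AUTH_SOCK" && echo "agent socket is private"
#   forward_agent_setting ~/.ssh/config   # expect "no" unless you opted in

# Usage: sh check-agent.sh "$SSH_AUTH_SOCK" ~/.ssh/config
if [ "$#" -eq 2 ]; then
    if agent_socket_private "$1"; then echo "socket ok"; else echo "socket NOT private"; fi
    echo "ForwardAgent $(forward_agent_setting "$2")"
fi
```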

