Re: Q: RSA Authentication vs. Password Authentication in SSH
Brian May wrote:
> Of course. Use ssh-agent means you don't have to enter your passphrase
> every-time though.
Didn't know about ssh-agent. Tried it out though, and it works like a
charm. BTW, I created an .xsession file with the following content to
if [ -x /usr/bin/ssh-add ]; then
/usr/bin/ssh-add < /dev/null
Is there another way to do it? Anything Debian-special?
> I don't think there is any need to disable password authentication.
> Just be aware that both the client and the server could see your
> password, and could potentially steal it.
Well, when I enter a bad passphrase, ssh will prompt for the remote
password, instead of asking for the passphrase again. This is, of
course, no a concern with ssh-agent, but is annoying nonetheless. It
can be disabled in the client's config file though.
> Viktor> But what about keys from clients from my trusted local
> Viktor> network. In order to get them one has to get access to
> Viktor> the local machine first, and then they are useless,
> Viktor> because the intruder has already access to my machine.
> Viktor> Unless of course, a user key has no passphrase and is
> Viktor> listed in root's authorized_keys file. Then an intruder
> Viktor> of my user account has instant root access on my machine
> Viktor> -- but how likely is this? Having no passphrase on user
> Viktor> keys of the local network makes managing it very
> Viktor> convenient.
> I am afraid you have lost me here. Are you asking how you can securely
> transfer the public keys of your clients (not an easy task), or have I
> misunderstood you?
That's not so much of a problem, because I can physically access the
machines I want to log on to. I was talking about a private key with an
empty passphrase for easy administration on my local network only. All
the machines are at home, all users and clients can be trusted, and all
internet connections are going through a firewall, that masquarades the
local network. To connect to machines on the internet I would use a
different identity with a good passphrase. My question is, if that
(empty passphrase on the local network) really is a security hole? My
reasoning is, that if any machine (except for the firewall) is
compromised, the whole network is compromised anyhow. Having an
identity with a good passphrase won't make it any harder to break in