
Re: server security :: user accounts, ssh, passphrases, etc.



On Wed, Apr 02, 2008 at 10:33:35AM -0500, Russell L. Harris wrote:
>     It is convenient to use "scp" for transferring files between the
>     desktop machine in the LAN and the server, and to use "ssh" for
>     remote maintenance of the server, again from the desktop machine
>     in the LAN.  And to eliminate the constant typing of password,
>     ssh-agent can be installed.

If you are using public key authentication (i.e., RSA or DSA key pairs)
to log in to the server, then there should be no need to ever enter the
server password for anything other than sudo, which greatly reduces any
perceived issues caused by having different passwords on each system.

When using public key auth, copy *only* your public key to the server.
(ssh-copy-id is a handy way to automate this.)  So long as your private
key remains secure, there is very little risk to an attacker getting
their hands on the public key - that's kind of the point of public key
crypto, after all.  Unless they take the time to successfully factor the
public key, there is no way it can be used to attack your systems; the
worst they could do with it is grant you access to their server and run
a keylogger there.

Your passphrase is only relevant to the private key.  If they don't get
their hands on the private key (which, again, should reside only on your
desktop system), they neither have any way to attempt to crack your
passphrase nor would your passphrase do them any good even if they did
have it.

Using ssh also makes it easy to use different usernames on each host
(just add a "User username" line for the host to ~/.ssh/config on the
desktop machine), although I don't see this as adding any worthwhile
degree of security.

-- 
News aggregation meets world domination.  Can you see the fnews?
http://seethefnews.com/
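As an added example (not part of the message above), here is a small Python check in the spirit of the advice: it reads an OpenSSH-format private key file and reports whether it is actually protected by a passphrase, and whether its file mode keeps it private. The sample key blobs are constructed inside the code (header fields only, not usable keys) and the helper names are my own.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
FOOTER = "-----END OPENSSH PRIVATE KEY-----"


def _read_ssh_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def key_is_passphrase_protected(pem_text):
    """True if an OpenSSH-format private key is encrypted under a passphrase.

    The unencrypted head of the file names the cipher and KDF: an unprotected
    key has both set to "none", a passphrase-protected one has e.g.
    "aes256-ctr" and "bcrypt".  Only that head is parsed, never key material.
    """
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic; not an openssh-key-v1 blob")
    offset = len(MAGIC)
    cipher, offset = _read_ssh_string(blob, offset)
    kdf, offset = _read_ssh_string(blob, offset)
    return cipher != b"none" and kdf != b"none"


def mode_is_private(mode):
    """True if a file mode grants no group/other bits; ssh ignores a
    private key whose mode is more permissive than this."""
    return mode & 0o077 == 0


def make_sample_key(cipher, kdf):
    """Constructed sample (hypothetical, not a usable key): only the header
    fields the check above reads, wrapped in the usual PEM armour."""
    blob = MAGIC
    for field in (cipher, kdf):
        blob += struct.pack(">I", len(field)) + field
    body = base64.b64encode(blob).decode()
    return "\n".join([HEADER, body, FOOTER]) + "\n"
```

Run `key_is_passphrase_protected(open(path).read())` and `mode_is_private(os.stat(path).st_mode & 0o777)` against a real `~/.ssh/id_rsa` to audit it.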