Re: OT: Safe to access SSH server from work?

On Thursday 5 May, 2011 17:15:11 Perry Thompson wrote:
> On 05/05/2011 06:46 PM, CACook@quantum-sci.com wrote:
> > On Thursday 5 May, 2011 15:09:02 Brian wrote:
> >> Use a strong password or ssh keys for access to the server. The question
> >> is whether you trust the machine you use at work.
> > 
> > OK, say you -don't- trust your machine at work.  Workarounds?
> > 
> > 
> I suppose you could keep your public key with you on a USB drive and
> only put it on the computer when you need it, however I'm not sure how
> secure that would be :/

I've just found that it is recommended to always set a passphrase when generating a key.  This makes it useless to someone else who tries to use it.  The passphrase is evaluated on the client, rather than the server.  Brute-force attempts can never succeed.

I've also found that indeed to shut off passwords on the server it is sshd_config|PasswordAuthentication no. But you must remember that this shuts you out when on a machine that's not in the server's authorized_keys.

And it's good practice to generate a key on each client and put that in the server's authorized_keys, rather than using all the same key.  So if one machine is compromised, the rest won't be.
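
As an added example that is not part of the original post: a small Python check for the two server-side points above, whether sshd_config really turns password logins off and whether any key in authorized_keys is shared between several entries. The function names and the sample data are made up for illustration, and Include files and Match blocks are not evaluated.

```python
import base64
import hashlib
from collections import defaultdict

def password_auth_enabled(config_text):
    # sshd keeps the first value it reads for a keyword; the default is "yes".
    # Simplification: Include files and Match blocks are not evaluated.
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword == "match":
            break  # settings below a Match line are conditional
        if keyword == "passwordauthentication" and len(parts) > 1:
            return parts[1].strip('"').lower() != "no"
    return True

def shared_keys(authorized_keys_text):
    # Returns {fingerprint: [comments]} for key blobs listed more than once.
    seen = defaultdict(list)
    for raw in authorized_keys_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if not tok.startswith(("ssh-", "ecdsa-", "sk-")):
                continue  # skip leading options such as from="..."
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                continue
            digest = hashlib.sha256(blob).digest()
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            seen[fp].append(" ".join(tokens[i + 2:]) or "(no comment)")
            break
    return {fp: who for fp, who in seen.items() if len(who) > 1}

# Constructed sample input: placeholder blobs, not real keys or a real config.
def _blob(label):
    return base64.b64encode(label.encode()).decode()
SAMPLE_CONFIG = "Port 22\nPasswordAuthentication no\nPasswordAuthentication yes\n"
SAMPLE_KEYS = "\n".join([
    "ssh-ed25519 " + _blob("key-A") + " user@home-desktop",
    "ssh-ed25519 " + _blob("key-B") + " user@laptop",
    'from="192.0.2.10" ssh-ed25519 ' + _blob("key-B") + " user@work",
])

if __name__ == "__main__":
    print(password_auth_enabled(SAMPLE_CONFIG), shared_keys(SAMPLE_KEYS))
```

On real files the fingerprints have the same form as those printed by `ssh-keygen -l`, so a key reported as shared can be matched to the client it came from.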

