Re: OT: Safe to access SSH server from work?

> On 5/6/11, Jochen Schulz <ml@well-adjusted.de> wrote:
>> You can authenticate to an OpenSSH server using a password, or using a
>> keyfile. On the client side, simply run 'ssh-keygen' to create a
>> keypair.
> So the attacker needs to guess my private key instead of my password.
> How does that make his life more difficult, assuming my password was
> very strong?

A keyfile is longer and contains more entropy. I doubt you are using a
password with 1024 bits of entropy, let alone 2048 or 4096. Even for
only 1024 bits of entropy you would need a passphrase of 128 characters
to match a keyfile's strength. And that's only if you assume your
password has an entropy of 8 bits per character, which probably isn't
the case (see here:
http://en.wikipedia.org/wiki/Password_strength#Random_passwords and the
table below that).

If an attacker has access to your passphrase-protected private key file,
security is of course reduced to your passphrase's strength, which puts
you into almost the same situation as with a login without a keyfile.
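The arithmetic behind the comparison above, as an added example that is not part of the original post: it computes the entropy per character of a password drawn uniformly from an alphabet of a given size (log2 of the alphabet size, the figure the linked Wikipedia table is based on) and, from that, how many characters a random password needs to reach a target number of bits. The alphabet sizes used in the demonstration (26 lowercase letters, 62 alphanumerics, 95 printable ASCII characters, 256 arbitrary byte values) and the key-size targets are my own choices for illustration.

```python
"""Password entropy vs. key-size arithmetic (added example, not from the thread)."""
import math

# Assumed alphabets for a uniformly random password (illustrative choices).
ALPHABETS = {
    "lowercase letters": 26,
    "alphanumeric": 62,
    "printable ASCII": 95,
    "arbitrary bytes": 256,
}


def bits_per_char(alphabet_size: int) -> float:
    """Entropy contributed by one uniformly random character from the alphabet."""
    if alphabet_size < 2:
        raise ValueError("alphabet must have at least two symbols")
    return math.log2(alphabet_size)


def password_entropy(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a length-character password chosen uniformly at random.

    This is an upper bound: a human-chosen password of the same length has less.
    """
    return length * bits_per_char(alphabet_size)


def chars_needed(target_bits: int, alphabet_size: int) -> int:
    """Smallest password length whose entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))


def comparison_table(targets=(1024, 2048, 4096)) -> dict:
    """Map (alphabet name, target bits) -> characters needed, for all alphabets."""
    return {
        (name, bits): chars_needed(bits, size)
        for name, size in ALPHABETS.items()
        for bits in targets
    }


if __name__ == "__main__":
    for (name, bits), n in sorted(comparison_table().items()):
        print(f"{bits:5d} bits from {name:18s}: {n:4d} characters")
    # A strong-looking 20-character printable-ASCII password, for scale:
    print(f"20 printable ASCII chars: {password_entropy(20, 95):.1f} bits")
```

With 8 bits per character (256-symbol alphabet) the 1024-bit target needs exactly the 128 characters quoted above; with the 95 printable ASCII characters it needs 156, and the gap only widens for the smaller alphabets people actually type.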

