
Re: How can I secure a Debian installation?



On Fri 31 Jan 2014 at 07:56:29 +0100, Raffaele Morelli wrote:

> Brian argued that a private key+allowusers does not improve security with
> respect to passwords+allowusers.

I did :).

> I use private key authentication with a 21 characters passphrase which is
> at minimum more secure than a 21 characters password and unless someone
> kidnaps and tortures me for the passphrase and steals one of my boxes for
> the private key I wonder who can prove it is not.

I think I see what you are getting at (please correct me if I am wrong).

The passphrase protects the private key from being accessed. If there is
no access to the private key then authentication cannot take place under
any circumstances. It isn't even worthwhile trying. I agree with that.

Because you need two things (passphrase + private key) you see this as
being more secure than a password login because any Tom, Dick or Harry
can throw passwords at sshd. Therefore this makes a password login
*intrinsically* less secure. This is what I disagree with and would like
to see some convincing evidence to support it. I hope I am not
misrepresenting your view.

The myth has arisen because of so-called "script kiddy" probes. These
are conducted on a level which is actually totally incompetent and
stands no real chance of success but their existence is used to
denigrate password logins. Even with a targeted *online* attack a good
password has time on its side, just like a key.

I've covered the argument in other posts; you would have to be very,
very lucky to conduct a successful *online* exploit against a strong
password.

> C'mon, what's the matter with private key authentication and the OP request?

There is nothing wrong with private key authentication. There is also
nothing wrong with password authentication. You choose whichever one is
suitable for your situation based on site policy and rational grounds.
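To put numbers on the "a good password has time on its side" point, here is an added example (not code from this thread or any of its posters): it reads constructed sshd "Failed password" syslog lines, measures the guess rate a probing source actually achieves, and turns that into the expected time to hit a uniformly random password of a given length. The log lines, host name and addresses are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd syslog lines (not real log data).
SAMPLE_AUTH_LOG = """\
Jan 31 07:56:01 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan 31 07:56:02 host sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
Jan 31 07:56:04 host sshd[2205]: Failed password for root from 198.51.100.7 port 40141 ssh2
Jan 31 07:56:11 host sshd[2210]: Failed password for invalid user oracle from 198.51.100.7 port 40160 ssh2
Jan 31 07:56:30 host sshd[2220]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

# Syslog timestamp, then the sshd "Failed password ... from <addr> port" message.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port"
)


def failed_attempts(log_text, year=2014):
    """Group 'Failed password' events by source address: {addr: [datetime, ...]}."""
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Syslog lines carry no year, so one is supplied (assumption for the example).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        per_source[m.group(2)].append(ts)
    return per_source


def guess_rate(timestamps):
    """Observed guesses per second over the span of the attempts (span floored at 1 s)."""
    span = (max(timestamps) - min(timestamps)).total_seconds()
    return len(timestamps) / max(span, 1.0)


def expected_years_to_guess(length, alphabet_size, guesses_per_second):
    """Expected time to guess a uniformly random password: on average half the
    keyspace must be tried, so divide that by the online guess rate, in years."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for addr, stamps in failed_attempts(SAMPLE_AUTH_LOG).items():
        rate = guess_rate(stamps)
        print(f"{addr}: {len(stamps)} guesses, {rate:.2f}/s")
        print(f"  21 chars from 95 symbols: {expected_years_to_guess(21, 95, rate):.3e} years")
        print(f"  8 digits only:            {expected_years_to_guess(8, 10, rate):.3e} years")
```

The two printed figures show the asymmetry the post relies on: at online rates an sshd will actually sustain, a long random password is out of reach, while a short digit-only one is not.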

