Re: Logging into SSH

From: Dave Howe (DaveHowe_at_cmn.sharp-uk.co.uk)
Date: 02/27/04


To: "Email List: Secure Shell" <secureshell@securityfocus.com>
Date: Fri, 27 Feb 2004 13:31:45 -0000

Ball, Duncan wrote:
> Because using only public key authentication removes centralised
> policy control over the "secret" (ie your private key). Corporate
> security can tell you that you MUST protect your private key with a
> passphrase, the passphrase can't be just "mysshkey", and that you
> should change it on at least a semi-regular basis until they are blue
> in the face, but they can't FORCE you to apply this (good) advice. If
> you leave your private key unprotected and someone gets hold of it
> (doh!), then if the server requires BOTH public key auth AND password
> auth, there is also a secondary layer of protection where these
> policies can be enforced.
Possibly. But if you have the sort of Luser who removes the access
password from his key, then he would probably write his password on a
sticker on his laptop anyhow...
One point that most people miss is that the public half of the key doesn't
*have* to be managed by the end user - it is trivial to chown the keyfile
to an authorised administrator and ln them all into a common dir in the
user home structure so that said administrator can enforce key changes
(automagically or manually).
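The admin-owned, symlinked authorized_keys layout described in the reply above, written out as an added example (not code from the thread). It assumes /home/<user> home directories, takes a sandbox root so it can be exercised without privileges, and uses root as the administrator, because sshd's StrictModes (on by default) only accepts a key file owned by root or by the user themselves.

```shell
#!/bin/sh
# Added example: central, admin-controlled authorized_keys files.
# Layout assumed: $base/etc/ssh/authorized_keys/<user> holds each user's key
# list; $base/home/<user>/.ssh/authorized_keys is a symlink to it, so the
# admin rotates keys by editing one root-owned directory. $base is a
# constructed sandbox root for testing; pass "" on a real host (as root).
set -eu

install_central_keys() {
    base="$1"; shift
    keydir="$base/etc/ssh/authorized_keys"
    mkdir -p "$keydir"
    chmod 755 "$keydir"
    for user in "$@"; do
        target="$keydir/$user"
        home="$base/home/$user"
        [ -f "$target" ] || : > "$target"   # empty list: no key login yet
        chmod 644 "$target"
        # StrictModes rejects the file unless owner is root or the user, so an
        # arbitrary "authorised administrator" account will not do; use root.
        if [ "$(id -u)" -eq 0 ]; then chown root:root "$target"; fi
        mkdir -p "$home/.ssh"
        chmod 700 "$home/.ssh"
        ln -sfn "$target" "$home/.ssh/authorized_keys"
    done
}

# Rotate one user's key list; the symlink in the home directory never changes.
rotate_key() {
    base="$1"; user="$2"; pubkey="$3"
    printf '%s\n' "$pubkey" > "$base/etc/ssh/authorized_keys/$user"
}

# Return 0 if the user's authorized_keys is the expected link into the central dir.
check_user() {
    base="$1"; user="$2"
    link="$base/home/$user/.ssh/authorized_keys"
    [ -L "$link" ] || return 1
    [ "$(readlink "$link")" = "$base/etc/ssh/authorized_keys/$user" ] || return 1
}

demo() {
    tmp=$(mktemp -d)
    install_central_keys "$tmp" alice bob
    # Constructed sample key, not a real one.
    rotate_key "$tmp" alice "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECONSTRUCTED alice@example"
    check_user "$tmp" alice && check_user "$tmp" bob && cat "$tmp/home/alice/.ssh/authorized_keys"
}
```

The same effect without symlinks is `AuthorizedKeysFile /etc/ssh/authorized_keys/%u` in sshd_config, which also stops the user from replacing the link with their own file.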
