RE: Palm to FreeBSD using ssh

From: Mark Senior (Mark.Senior_at_gov.ab.ca)
Date: 08/29/05

    Date: Mon, 29 Aug 2005 13:18:26 -0600
    To: "Timothy Luoma" <lists@tntluoma.com>
    
    

     

    (snip)
    >
    > > - client theft - how likely is the device that stores your private
    > > keys to be stolen (or lost)? The more likely this is, the more you
    > > should tend to use encrypted keys. In the case of a portable device,
    > > I would weigh theft as by far the highest risk.
    >
    > The key is a "DSA Private Key" which I assumed was safe.
    >

    The exchange of data over the network is safe enough against snooping or
    alteration (assuming the attacker doesn't know the private key) whether
    you use an RSA or DSA key.

    Theft is a different threat though - the type of key doesn't matter
    then, the strength of the passphrase that's protecting it is what
    matters. If the private key is stored unencrypted on a palm pilot and
    someone steals it, then any servers that allow logins with that key are
    at risk until you can delete the corresponding public keys from your
    authorized_keys files.

    > > - client compromise - how likely is the device that stores your
    > > private keys to be compromised? A Windows worm can compromise a
    > > Unix box, if the Windows box stores unencrypted ssh keys for the
    > > Unix box. Encrypting keys provides some defence in depth against this.

    I was thinking of the palm pilot itself - the Mac is another storage
    place, which can be considered separately. Presumably there's no
    need for this tradeoff there, as openssh is pretty well tested and
    supports encrypted private keys in the client.

    Regards
    Mark

    This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.


